.github/workflows/deploy-to-openshift-frontend-dev.yml

name: 1 DEV - Deploy Frontend

env:
  # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
  # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
  # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
  OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
  OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
  # 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
  OPENSHIFT_NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}-dev

  # SPLUNK_TOKEN: ${{ secrets.SPLUNK_TOKEN }}

  # 🖊️ EDIT to change the image registry settings.
  # Registries such as GHCR, Quay.io, and Docker Hub are supported.
  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
  IMAGE_REGISTRY_USER: ${{ github.actor }}
  IMAGE_REGISTRY_PASSWORD: ${{ github.token }}

  DOCKER_ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca/docker-remote
  ARTIFACTORY_REPO: artifacts.developer.gov.bc.ca

  # We have multiple environments in each openshift namespace dev, test in DEV and uat, efx in TEST. This setting will help name the deployment config and routes for each.
  APP_ENVIRONMENT: 'dev'
  APP_NAME: 'ofm'
  REPO_NAME: 'ecc-ofm'
  #grabs the branch name from github dynamically
  BRANCH: ${{ github.ref_name }}
  IMAGE_NAME: 'ecc-ofm-frontend'
  APP_NAME_FRONTEND: 'frontend'
  APP_FOLDER: 'frontend'
  NAMESPACE: ${{ secrets.OFM_NAMESPACE_NO_ENV }}
  TAG: 'latest'

  MIN_REPLICAS: '1'
  MAX_REPLICAS: '2'
  MIN_CPU: '50m'
  MAX_CPU: '100m'
  MIN_MEM: '200Mi'
  MAX_MEM: '250Mi'
  # SITE_URL should have no scheme or port. It will be prepended with https://
  HOST_ROUTE: ${{ secrets.SITE_URL }}
  CA_CERT: ${{ secrets.CA_CERT }}
  CERTIFICATE: ${{ secrets.CERTIFICATE }}
  PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}

  # Frontend configuration
  BANNER_ENVIRONMENT: 'DEV'
  BANNER_COLOR: '#8d28d7'
  TDAD_CONTACT_EMAIL: '10aDayCentres@gov.bc.ca'
  IRREGULAR_EXPENSE_FORM_URL: 'https://www2.gov.bc.ca/assets/download/80DAA65E3FA44EFCA61F4557C6FAEE59'

on:
  workflow_dispatch:

jobs:
  openshift-ci-cd:
    name: Build and deploy Frontend to DEV
    runs-on: ubuntu-24.04
    environment: dev

    outputs:
      ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
      SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}

    steps:
      - name: Check for required secrets
        uses: actions/github-script@v6
        with:
          script: |
            const secrets = {
              OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
              OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
              DOCKER_HUB_USERNAME: `${{ secrets.DOCKER_HUB_USERNAME }}`,
              DOCKER_HUB_ACCESS_TOKEN: `${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}`,
            };

            const GHCR = "ghcr.io";
            if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
              core.info(`Image registry is ${GHCR} - no registry password required`);
            }
            else {
              core.info("A registry password is required");
              secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
            }

            const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
              if (value.length === 0) {
                core.error(`Secret "${name}" is not set`);
                return true;
              }
              core.info(`✔️ Secret "${name}" is set`);
              return false;
            });

            if (missingSecrets.length > 0) {
              core.setFailed(`❌ At least one required secret is not set in the repository. \n` +
                "You can add it using:\n" +
                "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
                "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
                "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
            }
            else {
              core.info(`✅ All the required secrets are set`);
            }

      - name: Check out repository with branch [${{ env.BRANCH }}]
        uses: actions/checkout@v3
        with:
          ref: ${{ env.BRANCH }}

      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          registry: ${{ env.DOCKER_ARTIFACTORY_REPO }}
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

      - name: Build frontend from Dockerfile
        id: build-image-frontend
        uses: redhat-actions/buildah-build@v2
        with:
          image: ${{ env.IMAGE_NAME }}
          tags: 'latest'

          # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
          # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
          # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
          dockerfiles: |
            ./${{ env.APP_FOLDER }}/Dockerfile
          context: ./${{ env.APP_FOLDER }}

        # https://github.com/redhat-actions/push-to-registry#readme
      - name: Push frontend to registry
        id: push-image-frontend
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.build-image-frontend.outputs.image }}
          tags: ${{ steps.build-image-frontend.outputs.tags }}
          registry: ${{ env.IMAGE_REGISTRY }}
          username: ${{ env.IMAGE_REGISTRY_USER }}
          password: ${{ env.IMAGE_REGISTRY_PASSWORD }}

      - name: Install oc
        uses: redhat-actions/openshift-tools-installer@v1
        with:
          oc: 4.16

        # https://github.com/redhat-actions/oc-login#readme
      #    - uses: actions/checkout@v3
      - name: Deploy
        run: |
          set -eux
          # Login to OpenShift and select project
          oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }}
          oc project ${{ env.OPENSHIFT_NAMESPACE }}
          # Cancel any rollouts in progress
          oc rollout cancel dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
            || true && echo "No rollout in progress"

          # Create the image stream if it doesn't exist
          oc create imagestream ${{ env.IMAGE_NAME }} 2> /dev/null || true && echo "Frontend image stream in place"

          oc tag ${{ steps.push-image-frontend.outputs.registry-path }} ${{ env.IMAGE_NAME }}:${{ env.TAG }}

          # Process and apply deployment template
          oc process -f tools/openshift/frontend.dc.yaml \
            -p APP_NAME=${{ env.APP_NAME }} \
            -p REPO_NAME=${{ env.REPO_NAME }} \
            -p BRANCH=${{ env.BRANCH }} \
            -p NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} \
            -p TAG=${{ env.TAG }} \
            -p MIN_REPLICAS=${{ env.MIN_REPLICAS }} \
            -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} \
            -p MIN_CPU=${{ env.MIN_CPU }} \
            -p MAX_CPU=${{ env.MAX_CPU }} \
            -p MIN_MEM=${{ env.MIN_MEM }} \
            -p MAX_MEM=${{ env.MAX_MEM }} \
            -p ENVIRONMENT=${{ env.APP_ENVIRONMENT }} \
            -p BANNER_ENVIRONMENT=${{ env.BANNER_ENVIRONMENT }} \
            -p BANNER_COLOR=${{ env.BANNER_COLOR }} \
            -p TDAD_CONTACT_EMAIL=${{ env.TDAD_CONTACT_EMAIL }} \
            -p IRREGULAR_EXPENSE_FORM_URL=${{ env.IRREGULAR_EXPENSE_FORM_URL }} \
            | oc apply -f -

          # Start rollout (if necessary) and follow it
          oc rollout latest dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.APP_ENVIRONMENT }} 2> /dev/null \
            || true && echo "Rollout in progress"

          # Get status, returns 0 if rollout is successful
          oc rollout status dc/${{ env.APP_NAME }}-${{ env.APP_NAME_FRONTEND }}-${{ env.APP_ENVIRONMENT }}

  cypress-run:
    needs: openshift-ci-cd
    uses: ./.github/workflows/cypress-e2e.yml
    secrets: inherit

  zap-scan:
    name: ZAP Scan
    needs: openshift-ci-cd
    runs-on: ubuntu-24.04
    environment: dev
    steps:
      - name: Run ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: 'https://${{ env.HOST_ROUTE }}'