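--- a/.github/workflows/deploy-safelist.yml
+++ b/.github/workflows/deploy-safelist.yml
@@ -0,0 +1,58 @@
+name: Deploy - Safelist Update
+run-name: "${{ inputs.environment }} | Terraform Apply? = ${{ inputs.is_deployment }} | Tag version: ${{ github.ref }}"
+
+on:
+workflow_dispatch:
+inputs:
+environment:
+default: "dev"
+description: "Environment"
+required: true
+type: choice
+options:
+- dev
+- pre-prod
+- prod
+is_deployment:
+default: false
+type: boolean
+description: "Terraform Apply?"
+updated_safelist:
+default: ""
+type: string
+required: true
+description: "Comma-separated list of ODS codes to add to the safelist."
+version_to_deploy:
+type: string
+required: true
+description: "Version to deploy (e.g. 3.0.0). If not provided, the workflow version will be deployed."
+
+permissions:
+pull-requests: write
+id-token: write # This is required for requesting the JWT
+contents: read # This is required for actions/checkout
+
+jobs:
+suspension-service-ci:
+name: Deploy Suspension Service Infrastructure
+uses: ./.github/workflows/deploy-stack.yml
+with:
+stack: suspension-service
+ecr_alias: repo/suspension-service
+environment: ${{ inputs.environment }}
+is_deployment: ${{ inputs.is_deployment }}
+updated_safelist: ${{ inputs.updated_safelist }}
+version_to_deploy: ${{ inputs.version_to_deploy }}
+secrets: inherit
+
+gp2gp-messenger-ci:
+name: Deploy GP2GP Messenger Infrastructure
+uses: ./.github/workflows/deploy-stack.yml
+with:
+stack: gp2gp-messenger
+ecr_alias: deductions/gp2gp-messenger
+environment: ${{ inputs.environment }}
+is_deployment: ${{ inputs.is_deployment }}
+updated_safelist: ${{ inputs.updated_safelist }}
+version_to_deploy: ${{ inputs.version_to_deploy }}
+secrets: inherit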
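Review bot: The `version_to_deploy` input is declared `required: true` with no default, yet its description promises "If not provided, the workflow version will be deployed" — the dispatcher can never leave it empty, so one of the two is wrong; either drop `required: true` and add `default: ""` to match the description, or shorten the description to `description: "Version to deploy (e.g. 3.0.0)."`. In the same spirit, `updated_safelist` is `required: true` but carries `default: ""`, so a run can start with an empty safelist string that the called workflow then writes to SSM. Both jobs pass the same `environment` and `updated_safelist` into `deploy-stack.yml`, so the safelist parameter for that environment is presumably written twice in parallel with identical content; if the reusable workflow keys the parameter only on environment, a single dedicated job would avoid the redundant write and make failures easier to attribute.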
@@ -1,6 +1,5 @@
name: Deploy - Full

run-name: "${{ inputs.environment }} | Terraform Apply? = ${{ inputs.is_deployment }}"
name: Deploy - Tagged version
run-name: "${{ inputs.environment }} | Terraform Apply? = ${{ inputs.is_deployment }} | Tag version: ${{ github.ref }}"

on:
workflow_dispatch:
Expand Up @@ -35,6 +35,17 @@ on:
- pds-adapter
- mesh-forwarder
- base-infra
version_to_deploy:
default: ""
description: "Version to deploy (e.g. 3.0.0). If not provided, the workflow version will be deployed."
required: false
type: string
updated_safelist:
default: ""
type: string
required: true
description: "Comma-separated list of ODS codes to add to the safelist."

is_deployment:
default: false
type: boolean
Expand Down Expand Up @@ -69,21 +80,34 @@ on:
default: false
description: "Do we need to build any lambdas before deploying?"
type: boolean
updated_safelist:
default: ""
type: string
required: true
description: "Comma-separated list of ODS codes to add to the safelist."
version_to_deploy:
default: ""
description: "Version to deploy (e.g. 3.0.0). If not provided, the workflow version will be deployed."
required: false
type: string


permissions:
pull-requests: write
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
promote-images-from-source-ecr-account:
update_safelist:
environment: ${{ inputs.environment }}
name: Promote images from source to current environment
name: Update Safelist in SSM Parameter Store
if: ${{ inputs.is_deployment && inputs.environment != 'dev' && inputs.ecr_alias }}
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@v6
with:
ref: refs/tags/${{ github.ref_name }}

- name: Configure AWS Credentials
id: creds
Expand All @@ -95,53 +119,20 @@ jobs:
mask-aws-account-id: true

# Needs the AmazonEC2ContainerRegistryPowerUser role
- name: Login to ECR
uses: aws-actions/amazon-ecr-login@v2
with:
registries: "${{ steps.creds.outputs.aws-account-id }},${{ secrets.AWS_SOURCE_ECR_ACCOUNT_ID }}"

- name: Get Most Recent ECR Image SHA Tag From Lower Environment
id: get-image-tag
env:
ECR_ALIAS: ${{ inputs.ecr_alias }}
run: |
LATEST_IMAGE_SHA=$(aws ecr describe-images \
--registry-id ${{ secrets.AWS_SOURCE_ECR_ACCOUNT_ID }} \
--repository-name $ECR_ALIAS \
--output json |
jq -r '
.imageDetails
| map(select(.imageTags != null and (.imageTags|length>0)))
| sort_by(.imagePushedAt)
| last
| .imageTags[]
| select(test("^[0-9a-f]{40}$"))
' | head -n 1)

echo "All image tags for $ECR_ALIAS: $LATEST_IMAGE_SHA"
echo "image_sha=$LATEST_IMAGE_SHA" >> $GITHUB_OUTPUT

- name: ECR Copy
id: ecr-copy
- name: Run command to update Safelist in SSM Parameter Store
env:
IMAGE_SHA: "${{ steps.get-image-tag.outputs.image_sha }}"
AWS_REGION: ${{ vars.AWS_REGION }}
PARAMETER_NAME: /repo/${{ inputs.environment }}/user-input/external/safe-listed-ods-codes
UPDATED_SAFELIST: ${{ inputs.updated_safelist }}
run: |
source_repo=${{ secrets.AWS_SOURCE_ECR_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.ecr_alias }}
destination_repo=${{ steps.creds.outputs.aws-account-id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.ecr_alias }}

docker pull $source_repo:$IMAGE_SHA
docker tag $source_repo:$IMAGE_SHA $destination_repo:$IMAGE_SHA
docker tag $source_repo:$IMAGE_SHA $destination_repo:${{ github.ref_name }}
docker push $destination_repo:$IMAGE_SHA
docker push $destination_repo:${{ github.ref_name }}

aws ssm put-parameter --name "$PARAMETER_NAME" --value "$UPDATED_SAFELIST" --type String --overwrite --region "$AWS_REGION"

deploy_stack:
environment: ${{ !inputs.ci_account && inputs.environment || 'ci_account' }}
environment: ${{ inputs.environment }}
env:
GITHUB_ENV: ${{ !inputs.ci_account && inputs.environment || 'ci_account' }}
GITHUB_ENV: ${{ inputs.environment }}
runs-on: ubuntu-latest
needs: [promote-images-from-source-ecr-account]
if: always() && (needs.promote-images-from-source-ecr-account.result == 'skipped' || needs.promote-images-from-source-ecr-account.result == 'success')
needs: [update_safelist]
defaults:
run:
working-directory: ./stacks/${{ inputs.stack }}/terraform
Expand All @@ -161,48 +152,11 @@ jobs:
aws-region: ${{ vars.AWS_REGION }}
mask-aws-account-id: true
role-skip-session-tagging: true

- name: Setup Terraform variables for Deductions Cross Account
if: inputs.stack == 'deductions-cross-account'
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_ACCESS_TOKEN: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
PROMOTION_IAM_ARN: ${{ secrets.PROMOTION_IAM_ARN }}
run: |
cat > pipeline-deductions-cross-account.auto.tfvars <<EOF
dockerhub_username = "${DOCKERHUB_USERNAME}"
dockerhub_access_token = "${DOCKERHUB_ACCESS_TOKEN}"
promotion_iam_arn = "${PROMOTION_IAM_ARN}"
EOF

- name: Get Most Recent ECR Image Tag
id: get-image-tag
if: inputs.ecr_alias
env:
ECR_ALIAS: ${{ inputs.ecr_alias }}
run: |
LATEST_IMAGE_SHA=$(aws ecr describe-images \
--repository-name $ECR_ALIAS \
--output json |
jq -r '
.imageDetails
| map(select(.imageTags != null and (.imageTags|length>0)))
| sort_by(.imagePushedAt)
| last
| .imageTags[]
| select(test("^[0-9a-f]{40}$"))
' | head -n 1)

echo "Found tag: $LATEST_IMAGE_SHA"

echo "Most recent image tag for $ECR_ALIAS: $LATEST_IMAGE_SHA"
echo "image_tag=$LATEST_IMAGE_SHA" >> $GITHUB_OUTPUT

- name: Setup Terraform variables
id: vars
env:
ECR_ALIAS: ${{ inputs.ecr_alias }}
IMAGE_TAG: ${{ steps.get-image-tag.outputs.image_tag || '' }}
IMAGE_TAG: ${{ inputs.version_to_deploy }}
run: |
COMMON_ACCOUNT_ID=$(aws ssm get-parameter --name /repo/ci/user-input/external/aws-account-id --with-decryption | jq -r .Parameter.Value)
cat > pipeline.auto.tfvars <<EOF
Expand All @@ -226,11 +180,6 @@ jobs:
with:
terraform_version: latest

# - name: Terraform Format
# id: fmt
# run: |
# terraform fmt

- name: Terraform Init
id: init
run: |
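Review bot: The `aws ssm put-parameter --name "$PARAMETER_NAME" --value "$UPDATED_SAFELIST" --type String --overwrite` step in the `update_safelist` job replaces the whole `/repo/${{ inputs.environment }}/user-input/external/safe-listed-ods-codes` value, while the `updated_safelist` input is described as codes "to add to the safelist"; a caller who passes only the new codes will silently remove every code already in the list, so either the description should say the value replaces the list, or the step should read the current value with `aws ssm get-parameter`, append, and then write. The job definition starts in the previous hunk (`update_safelist:` after `jobs:`) and no longer carries an `if:` guard, so it appears to run on every dispatch, including `is_deployment: false` plan runs and runs left at the `default: ""` for `updated_safelist`; SSM rejects an empty Value, which would fail this job and, through `needs: [update_safelist]`, skip `deploy_stack`. Because this parameter is an allow list that gates which ODS codes are accepted, the run block should validate the input before writing, at minimum `[[ -n "$UPDATED_SAFELIST" ]] || { echo "updated_safelist must not be empty" >&2; exit 1; }`, ideally followed by a shape check against the expected ODS code format. The file header for this section is not visible, so the path is inferred from the `uses: ./.github/workflows/deploy-stack.yml` reference in the new caller workflow.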