Github Actions - department-of-veterans-affairs/abd-vro GitHub Wiki

Build and Publish

#925: @yoomlam added his USERNAME and ACCESS_TOKEN secrets to the repo's Secrets settings

  • When publishing, the resulting packages (i.e., images for Docker containers) are tagged using the first 7 characters of the PR's commit hash; that tag is what deployment to LHDI's Kubernetes clusters requires.

CodeQL

The VA GitHub.com team requested that Advanced Security Code Scanning be enabled via codeql.yml. See PR #116 for details.

This is a complement to any tools and security procedures your team is already performing rather than a replacement. ... this feature will identify potential security issues on any new pull requests. ... For more information, check out the GitHub Handbook.

(If needed, an admin for this repo can bypass any identified issues.)

In commit ea4be65, we restrict this action to running only for certain PR event types (e.g., ready_for_review, review_requested) and for pushes to special branches, since this action is slow. To manually run the action, do any of the following:

  • Request a review from someone.
  • Convert it to a draft PR, then click the "Ready for Review" button.
  • Go to the CodeQL Action and click "Run workflow" on the desired branch.
  • Merge the PR to a special branch (develop).

Mirror

The Lighthouse SecRel (Secure Release) process operates only on non-public repos. To satisfy that requirement, an abd-vro-internal repo was created as a mirror of this repo. The internal repo will only be used by the Lighthouse SecRel team to enable deployments to prod -- no one should be committing to or creating PRs directly in that repo. The mirror.yml GitHub Action updates the internal repo whenever a branch in this repo is created, updated, or deleted.

  • @yoomlam generated a password-less ssh key pair (using bogus email [email protected]) and added a SSH_PRIVATE_KEY secret to the repo's Secrets settings
  • In order for the GitHub Action to access the abd-vro-internal repo via ssh, the public key was added to Deploy keys using the abd-vro-machine account, which will attribute triggered actions (e.g., SecRel) in the abd-vro-internal repo to the machine-user account.

PR #680 makes the following unnecessary, but keeping it for reference:

PR #250 restricts this action to running only for certain PR event types (e.g., ready_for_review, review_requested) and for pushes to special branches, since this action causes extraneous checks to run in the internal repo. To manually run the action, do any of the following:

  • Request a review from someone.
  • Convert it to a draft PR, then click the "Ready for Review" button.
  • Go to the Mirror Action and click "Run workflow" on any branch (all branches will be mirrored)
    • or run curl -XPOST -u "$GITHUB_USERNAME:$GITHUB_ACCESS_TOKEN" -H "Accept: application/vnd.github+json" -H "Content-Type: application/json" https://api.github.com/repos/department-of-veterans-affairs/abd-vro/actions/workflows/mirror.yml/dispatches --data "{\"ref\": \"develop\"}"
    • or run gh workflow run mirror.yml --ref develop
  • Merge the PR to a special branch (develop).
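The event filtering described for both the CodeQL workflow (commit ea4be65) and the mirror workflow (PR #250), together with the deploy-key-based push to the internal repo, looks like the following in a GitHub Actions workflow. This is an added illustrative example, not the repo's actual codeql.yml or mirror.yml. It assumes the secret name SSH_PRIVATE_KEY and the deploy-key setup described above; the internal repo's SSH URL, the job name, and the use of actions/checkout are assumptions.

```yaml
# Illustrative mirror workflow (added example; not the repo's own mirror.yml).
# Assumes: a SSH_PRIVATE_KEY secret holding the password-less private key whose
# public half is a write-enabled Deploy key on abd-vro-internal (as described
# above). The internal repo's SSH URL below is an assumption.
name: Mirror to internal repo

on:
  # Only these PR events trigger the job, so every push to a PR branch does not
  # fan out into extra checks in the internal repo (the PR #250 / ea4be65 idea).
  pull_request:
    types: [ready_for_review, review_requested]
  # Pushes to the "special" branches are always mirrored.
  push:
    branches: [develop]
  # Enables the "Run workflow" button, `gh workflow run`, and the REST
  # .../actions/workflows/<file>/dispatches call shown above.
  workflow_dispatch:

# Least privilege: the job only needs to read this repo. Write access to the
# mirror comes from the deploy key, not from the job's GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history and all branches, so every ref can be pushed

      - name: Install deploy key
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          # The key is written from the secret; it is never echoed to the log.
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # Record GitHub's host key rather than disabling host-key checking.
          # ssh-keyscan is trust-on-first-use; compare the result against
          # GitHub's published fingerprints if stronger assurance is needed.
          ssh-keyscan github.com >> ~/.ssh/known_hosts

      - name: Push all branches to the mirror
        run: |
          # Assumed SSH URL for the internal repo.
          git remote add internal git@github.com:department-of-veterans-affairs/abd-vro-internal.git
          # --prune removes branches from the mirror that no longer exist here,
          # which covers the "branch deleted" case.
          git push --prune internal 'refs/remotes/origin/*:refs/heads/*'
```

Because the deploy key, not GITHUB_TOKEN, authorizes the push, any workflow run it triggers in the internal repo is attributed to the account that registered the key (the abd-vro-machine account), which is the behaviour the Mirror section describes.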

SecRel

PR Enable SecRel workflow #235 adds new actions (secrel.yml and aqua-checker.yml) for VRO's code to go through Lighthouse's SecRel pipeline to be deployable to production -- see Secure Release GitHub Actions for details.

The "SecRel workflow" action will be automatically triggered in the internal repo by pushes to develop and main.

To manually trigger the SecRel workflow on a PR, see To test PRs in the SecRel pipeline.