Skip to content
pr_comment_bot

Core key vault firewall should not be set to "Allow public access from all networks" #7561

Sign in to view logs

Core key vault firewall should not be set to "Allow public access from all networks"

Core key vault firewall should not be set to "Allow public access from all networks" #7561

Workflow file for this run

.github/workflows/pr_comment_bot.yml at 5f27bae
---
name: pr_comment_bot
on: # yamllint disable-line rule:truthy
issue_comment:
types: [created] # only run on new comments
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#issue_comment
# https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment
jobs:
pr_comment:
name: PR comment
# https://docs.github.com/en/graphql/reference/enums#commentauthorassociation
# (and https://docs.github.com/en/rest/reference/issues#comments)
# only allow commands where:
# - the comment is on a PR
# - the commenting user has write permissions (i.e. is OWNER or COLLABORATOR)
if: ${{ github.event.issue.pull_request }}
runs-on: ubuntu-latest
permissions:
pull-requests: write
checks: write
contents: read
outputs:
command: ${{ steps.check_command.outputs.command }}
prRef: ${{ steps.check_command.outputs.prRef }}
prHeadSha: ${{ steps.check_command.outputs.prHeadSha }}
prRefId: ${{ steps.check_command.outputs.prRefId }}
branchRefId: ${{ steps.check_command.outputs.branchRefid }}
ciGitRef: ${{ steps.check_command.outputs.ciGitRef }}
steps:
# Ensure we have the script file for the github-script action to use
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
# Determine whether the comment is a command
- id: check_command
name: Check for a command using GitHub script
uses: actions/github-script@v7
with:
script: |
const script = require('./.github/scripts/build.js')
await script.getCommandFromComment({core, context, github});
- name: Output PR details
run: |
echo "PR Details"
echo "=========="
echo "prRef : ${{ steps.check_command.outputs.prRef }}"
echo "prHeadSha : ${{ steps.check_command.outputs.prHeadSha }}"
echo "prRefId : ${{ steps.check_command.outputs.prRefId }}"
echo "ciGitRef : ${{ steps.check_command.outputs.ciGitRef }}"
echo "branchRefId : ${{ steps.check_command.outputs.prRefId }}"
# If we don't run the actual deploy (see the run_test job below) we won't receive a check-run status,
# and will have to send it "manually"
- name: Bypass E2E check-runs status
if: ${{ steps.check_command.outputs.command == 'test-force-approve' }}
uses: LouisBrunner/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
# the name must be identical to the one received by the real job
sha: ${{ steps.check_command.outputs.prHeadSha }}
name: "Deploy PR / Run E2E Tests (Smoke)"
status: "completed"
conclusion: "success"
destroy_pr_env:
needs: [pr_comment]
if: ${{ needs.pr_comment.outputs.command == 'test-destroy-env' }}
runs-on: ubuntu-latest
permissions:
pull-requests: write
environment: CICD
name: Destroy PR env
steps:
# Ensure we have the script files
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
# Perform az login for destroy env script to be able to run
- name: Azure Login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }}
- name: Run deployment cleanup
env:
PR_NUMBER: ${{ github.event.issue.number }}
REPO: ${{ github.event.repository.full_name }}
RG_NAME: ${{ format('rg-tre{0}', needs.pr_comment.outputs.prRefId) }}
RUN_ID: ${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHOW_KEYVAULT_DEBUG_ON_DESTROY: ${{ secrets.SHOW_KEYVAULT_DEBUG_ON_DESTROY }}
run: |
set -e
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Destroying PR test environment (RG: ${RG_NAME})... (run: https://github.com/${REPO}/actions/runs/${RUN_ID})"
devops/scripts/destroy_env_no_terraform.sh --core-tre-rg "${RG_NAME}"
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "PR test environment destroy complete (RG: ${RG_NAME})"
destroy_branch_env:
needs: [pr_comment]
if: ${{ needs.pr_comment.outputs.command == 'test-destroy-env' && needs.pr_comment.outputs.branchRefId != '' }}
runs-on: ubuntu-latest
permissions:
pull-requests: write
environment: CICD
name: Destroy branch env
steps:
# Ensure we have the script files
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
# Perform az login for destroy env script to be able to run
- name: Azure Login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }}
- name: Run deployment cleanup
env:
PR_NUMBER: ${{ github.event.issue.number }}
REPO: ${{ github.event.repository.full_name }}
RG_NAME: ${{ format('rg-tre{0}', needs.pr_comment.outputs.branchRefId) }}
RUN_ID: ${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHOW_KEYVAULT_DEBUG_ON_DESTROY: ${{ secrets.SHOW_KEYVAULT_DEBUG_ON_DESTROY }}
run: |
set -e
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Destroying branch test environment (RG: ${RG_NAME})... (run: https://github.com/${REPO}/actions/runs/${RUN_ID})"
devops/scripts/destroy_env_no_terraform.sh --core-tre-rg "${RG_NAME}"
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Branch test environment destroy complete (RG: ${RG_NAME})"
run_test:
# Run the tests with the re-usable workflow
needs: [pr_comment]
if: |
needs.pr_comment.outputs.command == 'run-tests' ||
needs.pr_comment.outputs.command == 'run-tests-extended' ||
needs.pr_comment.outputs.command == 'run-tests-extended-aad' ||
needs.pr_comment.outputs.command == 'run-tests-shared-services'
name: Deploy PR
uses: ./.github/workflows/deploy_tre_reusable.yml
permissions:
checks: write
contents: read
pull-requests: write
with:
prRef: ${{ needs.pr_comment.outputs.prRef }}
prHeadSha: ${{ needs.pr_comment.outputs.prHeadSha }}
ciGitRef: ${{ needs.pr_comment.outputs.ciGitRef }}
e2eTestsCustomSelector: >-
${{ (needs.pr_comment.outputs.command == 'run-tests-extended' && 'extended') ||
(needs.pr_comment.outputs.command == 'run-tests-extended-aad' && 'extended_aad') ||
(needs.pr_comment.outputs.command == 'run-tests-shared-services' && 'shared_services') ||
(needs.pr_comment.outputs.command == 'run-tests' && '') }}
environmentName: CICD
E2E_TESTS_NUMBER_PROCESSES: 1
DEVCONTAINER_TAG: ${{ needs.pr_comment.outputs.prRefId }}
secrets:
AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }}
ACR_NAME: ${{ format('tre{0}', needs.pr_comment.outputs.prRefId) }}
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS}}
API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }}
API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }}
APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}
APPLICATION_ADMIN_CLIENT_SECRET: ${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }}
MGMT_RESOURCE_GROUP_NAME: ${{ format('rg-tre{0}-mgmt', needs.pr_comment.outputs.prRefId) }}
MS_TEAMS_WEBHOOK_URI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
MGMT_STORAGE_ACCOUNT_NAME: ${{ format('tre{0}mgmt', needs.pr_comment.outputs.prRefId) }}
SWAGGER_UI_CLIENT_ID: ${{ secrets.SWAGGER_UI_CLIENT_ID }}
TEST_APP_ID: ${{ secrets.TEST_APP_ID }}
TEST_WORKSPACE_APP_ID: ${{ secrets.TEST_WORKSPACE_APP_ID }}
TEST_WORKSPACE_APP_SECRET: "${{ secrets.TEST_WORKSPACE_APP_SECRET }}"
TEST_ACCOUNT_CLIENT_ID: "${{ secrets.TEST_ACCOUNT_CLIENT_ID }}"
TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
TRE_ID: ${{ format('tre{0}', needs.pr_comment.outputs.prRefId) }}
CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}