HHS / OPRE-OPS

ACF's OPRE OPS product. Code name Unicorn.

Decide on tech services needed for continuous integration #55

Closed alexsoble closed 3 years ago

alexsoble commented 3 years ago

As a team, we need to agree upon which technologies we will be using for CI/CD.

Table for reference:

| | Carly | Amy | Alex |
|---|---|---|---|
| Technology for CI/CD | CircleCI | CircleCI, What about GitHub Action? | CircleCI |

Tasks

carjug commented 3 years ago

This is blocked by needing to hear from the HHS OCIO what version of GitHub they use.

ninamak commented 3 years ago

HHS OCIO does use a version of GH that allows for Actions, but now we're blocked by not having access to HHS GH (they don't have enough licenses).

Options:

Next steps:

alexsoble commented 3 years ago

☝️ All 4 of us have already started adding ideas here async, so I'm going to move this from TODO to In Progress!

alexsoble commented 3 years ago

We know that at least 2 other projects in ACF are using the HHS CircleCI org. Adopting CircleCI for this project would let us move this task to "Done" the quickest, because we could use the tracks that those other projects have laid down.

The main benefit I see to using GitHub Actions is that it would reduce the number of third-party tech services we need to manage, since we already plan to use GitHub for source control. It would also shrink our "surface", meaning the number of third-party services whose security & availability we rely on to keep our product secure & available.

However, we may need to have a fair amount of discussion and back-and-forth with HHS GitHub administrators about GitHub Actions. For the enterprise version of GitHub, access to some Actions, e.g. those on the GitHub Marketplace, is not enabled by default:

https://docs.github.com/en/enterprise-server@2.22/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise

carjug commented 3 years ago

Hey @alexsoble when we originally reached out to Domenic at HHS, he confirmed that the version of GH they use at HHS does have access to Actions. Just as an FYI 💟

alexsoble commented 3 years ago

@carjug Yes! But if we want to use specific actions from the GitHub Marketplace, we may need to work with him to enable access.

carjug commented 3 years ago

My questions about compliance and FedRamp concerns are these: if GitHub itself is FedRamped, do individual services within the GitHub suite need to be FedRamped as well? I would be surprised if that were the case, but also not. Does anyone know the answer here?

carjug commented 3 years ago

@alexsoble ahh I see what you mean.

alexsoble commented 3 years ago

@carjug Good question! Here's one breadcrumb: https://github.com/18F/development-guide/pull/273#issue-690111111

Would also be a good question for #dev!

alexsoble commented 3 years ago

From @ryanhofdotgov's answer over in the development guide repo, it sounds like we could reasonably count on all GitHub-provided services being compliant.

Also, it looks like the TTS infrastructure team looked into this question a little while back and landed here: https://github.com/18F/tts-tech-portfolio/issues/107#issuecomment-555176636

> As a member of TTS/GSA, I want to know if I can use GitHub Actions
>
> Given that this is a new feature on a system with an existing ATO (GitHub), TTS will operate under the assumption that use of Actions is implicitly part of that larger approval unless we hear otherwise.

alexsoble commented 3 years ago

@carjug That question is also very relevant to #36, where we could potentially use two different security scanning tools that are already built into GitHub.

amymok commented 3 years ago

Since CircleCI is already being used by other HHS/ACF projects, it looks like it is an option that would already be approved for this project.

Even if GitHub Action would be a good choice and part of GitHub, CircleCI is more mature than GitHub Action. Are there any other risks and issues we may run into if we choose GA, i.e. some of the workflows we want to do may not be available yet compared to CircleCI?

alexsoble commented 3 years ago

@amymok Those are good questions! I have more experience with Circle than GitHub Actions. On my last project, the team did use GitHub actions to set up a nifty automated deploy flow that allowed devs to deploy any branch to cloud.gov by adding a "deploy" label on GitHub. That was cool and a neat developer experience!

alexsoble commented 3 years ago

@amymok And doing some further digging on Slack, I'm seeing: "Note that GitHub Actions are LiSaaS, so may not pass muster with assessors for Moderate impact systems."

More on LiSaaS: https://tailored.fedramp.gov/.

So Circle may be the safer/better choice here compliance-wise.

amymok commented 3 years ago

Have we reached a decision to use CircleCI then?

alexsoble commented 3 years ago

@amymok Yes, that would be my vote!

carjug commented 3 years ago

Works for me!

alexsoble commented 3 years ago

Happy to write the ADR for this one if no one else wants to. I'll assign myself to the issue.

alexsoble commented 3 years ago

As part of writing up the ADR I looked up CircleCI's FedRAMP status, and interestingly enough it's also Li-SaaS: https://marketplace.fedramp.gov/#!/product/circleci-cloud?sort=productName&productNameSearch=circleci

alexsoble commented 3 years ago

This is done! via #97