The is a fully functional set of GitHub Actions workflows and a starter application stack intended to help Agile teams hit the ground running.
Features:
Initial setup is intended to take an hour or less. This depends greatly on intended complexity, features selected/excluded and outside cooperation.
The following are required:
Create a new repository using this repository as a template.
Variables and secrets are consumed by workflows. Environments provide their own values, overriding default sets.
Secrets are hidden from logs and outputs, while variables are visible. Using secrets exclusively can make troubeshooting more difficult.
Note: Dependabot, which we don't recommend as highly as Renovate, requires its own set of variables.
Click Settings > Secrets and Variables > Actions > Secrets > New repository secret
GITHUB_TOKEN
Default token. Replaced every workflow run, available to all workflows.
{{ secrets.GITHUB_TOKEN }}
OC_TOKEN
OpenShift token, different for every project/namespace. This guide assumes your OpenShift platform team has provisioned a pipeline account.
{{ secrets.OC_TOKEN }}
Locate an OpenShift pipeline token:
pipeline-token-...
or a similarly privileged tokentoken
OC_TOKEN
OC_NAMESPACE
OpenShift project/namespace. Provided by your OpenShift platform team.
{{ secrets.OC_NAMESPACE }}
abc123-dev | test | prod
SONAR_TOKEN(s)
If SonarCloud is being used each application will have its own token. Single-application repositories typically use ${{ secrets.SONAR_TOKEN }}
, while monorepos use similar names.
E.g.:
${{ secrets.SONAR_TOKEN_BACKEND }}
${{ secrets.SONAR_TOKEN_FRONTEND }}
BC Government employees can request SonarCloud projects by creating an issue with BCDevOps. Please make sure to request a monorepo with component names (e.g. backend, frontend), which may not be explained in their directions.
Click Settings > Secrets and Variables > Actions > Variables > New repository variable
OC_SERVER
OpenShift server address.
{{ vars.OC_SERVER }}
https://api.gold.devops.gov.bc.ca:6443
or https://api.silver.devops.gov.bc.ca:6443
Environments are groups of secrets and variables that can be gatekept. This includes limting access to certain users or requiring manual approval before a requesting workflow can run. Environment values override any default values.
For pull requests and development surrounding lower-level, sandboxed environments it is best not to use an environment at all. Higher level environments, like TEST and PROD, will override those values as necessary.
Click Settings > Environments > New environment
Environments provide a number of features, including:
Dependabot and Mend Renovate can both provide dependency updates using pull requests. Dependabot is simpler to configure, while Renovate is much more configurable and lighter on resources.
A config file (renovate.json
) is included with this template. It can source config from our renovate repository. Renovate can be self-hosted or run using the GitHub App managed at the organization level. For BC Government the OCIO controls this application, so please opt in with them using a GitHub issue.
To opt-in:
Configure
and set up your repositoryRequest to add X repo to Renovate App
Dependabot is no longer recommended as an alternative to Renovate for generating security, vulnerability and dependency pull requests. It can still be used to generate warnings under the GitHub Security tab, which is only viewable by repository administrators.
Squash merging is recommended for simplified history and ease of rollback. Cleaning up merged branches is recommended for your DevOps Specialist's fragile sanity.
Click Settings > General (selected automatically)
Pull Requests:
[uncheck] Allow merge commits
[check] Allow squash merging
Default to pull request title
[uncheck] Allow rebase merging
[check] Always suggest updating pull request branches
[uncheck] Allow auto-merge
[check] Automatically delete head branches
Packages are available from your repository (link on right). All should have visibility set to public for the workflows to run successfully.
E.g. https://github.com/bcgov/quickstart-openshift/packages
This is required to prevent direct pushes and merges to the default branch. These steps must be run after one full pull request pipeline has been run.
Add Rule
or edit an existing ruleProtect matching branches
specify the following:
main
[check] Require a pull request before merging
[check] Require approvals
(default = 1)[check] Dismiss stale pull request approvals when new commits are pushed
[check] Require review from Code Owners
[check] Require status checks to pass before merging
[check] Require branches to be up to date before merging
Status checks that are required
:
[check] Require conversation resolution before merging
[check] Include administrators
(optional)Don't forget to add your team members!
Access
)Add people
or Add teams
Runs on pull request submission.
Runs on pull request submission or merge to the default branch.
Runs on pull request close or merge.
Runs on merge to main branch.
* excludes database changes
The starter stack includes a (React, MUI, Vite, Caddy) frontend, Pluggable backend(Nest/Node, Quarkus/Java On Native, FastAPI/Python, Fiber/Golang) and postgres database. See subfolder for source, including Dockerfiles and OpenShift templates.
Features:
Postgres is default. Switch to PostGIS by copying the appropriate Dockerfile to ./database
:
cp ./database/postgis/Dockerfile ./database
This quickstart works with more than just JavaScript. Please check out our pluggable backends repository. Flyway-based database migrations for each are included.
Supported languages:
The database documentation is created and deployed to GitHub pages. See here.
After a full workflow run and merge can been run, please do the following:
Code and automation
)Branch
or Add teams
gh-pages
Save
This repository is provided by NRIDS Architecture and Forestry Digital Services, courtesy of the Government of British Columbia.
Please contribute your ideas! Issues and Pull Requests are appreciated.