Forestry Client Services' greenfield starter template and pull request based pipeline. For new and migrating products. Currently supports OpenShift with plans for Amazon Web Services.
Tantalis Integrated Common Document Generator Interface (TICDI) is a Node.js application built with NestJS. Its main purpose is to act as an integration point between TANTALIS (TTLS) and the Common Document Generation Service (CDOGS). For CDOGS documentation, please refer to https://digital.gov.bc.ca/common-components/common-document-generation-service.
TICDI exposes an endpoint at {hostname}/DTID/{DTID_NUMBER}/{FILE_NAME} (for example https://nr-ticdi-10.apps.silver.devops.gov.bc.ca/DTID/928437/test) that is initiated from the Tantalis application. This endpoint triggers TICDI to consume a REST endpoint on Tantalis-API using a WebADE-generated OAuth token. TICDI users can then click the "Generate Document" button to generate a document via CDOGS.
The following OpenShift secrets are used:
* GTOK: https://getok.nrs.gov.bc.ca/app/apps/TICDI
The Greenfield template (https://github.com/bcgov/greenfield-template/) was used to bootstrap the application.
GitHub Actions template to automate the process for testing, security scanning, code quality checking, image building and deploying for an application.
This project is in active development. Please visit our issues page to view or request features.
Currently, our most exciting offering is the GitHub Actions pipeline, which includes:
...and more on the way!
Create a .env file in /frontend with the following environment parameters:
Included:
Not included:
The following are required:
Squash merging is recommended for simplified histories and ease of rollback.
Cleaning up merged branches is recommended for your DevOps Specialist's fragile sanity.
From GitHub:
[check] Allow squash merging
[check] Automatically delete head branches
repo-mountie is a BCGov bot that likes to spam us. Here are a few issues to expect.
Lets use common phrasing
main
Add missing topics
Action Secrets are consumed by workflows, including 3rd party Actions. Please use Environment secrets for highly sensitive content.
Manage Action Secrets from your Repo > Settings > Secrets > Actions.
GHTOKEN
{{ secrets.GHTOKEN }}
GHPROJECT_TOKEN (TODO: check that this is still in use)
{{ secrets.GHPROJECT_TOKEN }}
OC_SERVER
{{ secrets.OC_SERVER }}
https://api.gold.devops.gov.bc.ca:6443
https://api.silver.devops.gov.bc.ca:6443
Provide these tokens or comment their jobs out:
SNYK_TOKEN
{{ secrets.SNYK_TOKEN }}
SONAR_TOKEN
{{ secrets.SONAR_TOKEN }}
Secrets can be grouped into and protected by Environments. Features include:
Manage Environments and their Secrets from your Repo > Settings > Environments.
Environment: dev
Create a new Environment to hold the keys to our development deployment.
Environment name: dev
No protection rules are required yet:
[unchecked] Required reviewers
[unchecked] Wait timer
Deployment branches: All branches
NAMESPACE
{{ secrets.NAMESPACE }}
OC_TOKEN
{{ secrets.OC_TOKEN }}
Please assume that your OpenShift platform team has provisioned a pipeline account.
pipeline-token-... or a similarly privileged token
OC_TOKEN: (see above) TODO: verify still required
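Added example (not from the original template or this repository's workflows): a deploy job that declares `environment: dev`, so NAMESPACE and OC_TOKEN are released only to that job rather than to every job and third-party action in the workflow, and that checks the pipeline account's rights before anything is deployed. The job name, the two redhat-actions steps and the specific `oc auth can-i` checks are assumptions.

```yaml
# Added example: scope OpenShift credentials to the "dev" Environment.
# Jobs without `environment: dev` cannot read NAMESPACE or OC_TOKEN,
# which limits what a compromised step or third-party action can reach.
name: Deploy to dev (example)

on:
  pull_request:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN: this job only needs to
# read the repository; OpenShift pulls the image with its own pull secret.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: dev   # Environment secrets are released to this job only
    steps:
      - uses: actions/checkout@v3

      # Assumed helper actions; pin them to a commit SHA rather than a tag
      # in production, since they run with access to this job's secrets.
      - uses: redhat-actions/openshift-tools-installer@v1
        with:
          oc: "4"

      - name: Log in to OpenShift with the pipeline account token
        uses: redhat-actions/oc-login@v1
        with:
          openshift_server_url: ${{ secrets.OC_SERVER }}
          openshift_token: ${{ secrets.OC_TOKEN }}
          namespace: ${{ secrets.NAMESPACE }}

      # Fail early when the "pipeline" service account lacks the rights
      # described in the troubleshooting section: `oc auth can-i` exits
      # non-zero on "no", which fails the step before any deploy runs.
      - name: Verify the pipeline account can deploy
        env:
          NAMESPACE: ${{ secrets.NAMESPACE }}   # pass via env, not inline
        run: |
          oc whoami
          oc auth can-i get project -n "$NAMESPACE"
          oc auth can-i create deployment -n "$NAMESPACE"
          oc auth can-i patch deployment -n "$NAMESPACE"

      # The template's own deploy steps follow here (placeholder).
```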
Generate a Personal Access Token in a GitHub account of your choosing. Personal or shared Service accounts can be used.
From GitHub:
workflow
write:packages
GHCR_TOKEN: (see above)
Used in pr_open.yml as follows:
```yaml
- name: Log in to the Container registry
  uses: docker/login-action@v1
  with:
    registry: ${{ env.REGISTRY }}
    username: ${{ secrets.GHCR_USERNAME }}
    password: ${{ secrets.GHCR_TOKEN }}
```
By now all relevant tokens should be provided. We are going to assume that Snyk and SonarCloud aren't on hand yet, so let's comment them out. Please revise as appropriate.
Steps in this section use a terminal. Several GUI alternatives are available, but out of scope.
Required:
```sh
git checkout -b <new-branch-name>
```
Comment out the following jobs in .github/workflows/pr-open.yml and .github/workflows/main.yml:
snyk (PR only)
sonarcloud (both)
```sh
git add .github/workflows/
git commit -m "Pipeline: comment out snyk and sonarcloud"
```
Push the commits:
```sh
# First time only
git push -u origin <new-branch-name>
# Subsequent times
git push origin
```
This is where things start to get exciting!
From your GitHub repository, open a pull request with the following:
Title: Pipeline: comment out snyk and sonarcloud
Description: Pipeline: comment out snyk and sonarcloud
Compare branch: <new-branch-name>
Base branch: main
Packages are available from your repository (link on right) or your organization's package lists.
E.g. https://github.com/orgs/bcgov/packages?repo_name=greenfield-template
This is required to prevent direct pushes and merges to the default branch. One full pipeline run must be completed before the status checks can be selected. Make sure that main is the default branch.
From GitHub:
Add Rule (or edit an existing rule). Under Protect matching branches, specify the following:
Branch name pattern: main
[check] Require a pull request before merging
[check] Require approvals (default = 1)
[check] Dismiss stale pull request approvals when new commits are pushed
[check] Require review from Code Owners
[check] Require status checks to pass before merging
[check] Require branches to be up to date before merging
Status checks that are required: use the search box to select:
Build
Check
CodeQL
Deploy
Tests
Zap
Snyk (optional)
SonarCloud (optional)
[check] Require conversation resolution before merging
[check] Include administrators (optional)
Don't forget to add your team members!
From GitHub:
Add people or Add teams, then choose a role: Read, Triage, Write, Maintain or Admin.
If authentication fails at the build Docker image stage, check that the workflow has been updated to use the GHCR token and username secrets; the default GitHub token might not work.
If authentication to OpenShift fails at the deploy stage, check that the service account "pipeline" has the rights to get the project and to deploy.
This repo provides a basic template to start up a new project using Node.js. It needs to be customized based on the project, for example to run tests for a different language and to revise whatever secrets are required.