.drone.yml

---
kind: pipeline
name: default
type: kubernetes

environment:
  APP_NAME: csl
  PROD_ENV: sas-csl-prod
  STG_ENV: sas-csl-stg
  UAT_ENV: sas-csl-uat
  BRANCH_ENV: sas-csl-branch
  PRODUCTION_URL: TBC
  IMAGE_URL: 340268328991.dkr.ecr.eu-west-2.amazonaws.com
  IMAGE_REPO: sas/csl
  GIT_REPO: UKHomeOffice/controlled-substance-licence
  HOF_CONFIG: hof-services-config/Controlled_Substance_License
  NON_PROD_AVAILABILITY: Mon-Fri 08:00-23:00 Europe/London
  READY_FOR_TEST_DELAY: 20s
  NOTIFY_STUB: stub

include_default_branch: &include_default_branch
  include:
    - main

include_default_and_feature_branches: &include_default_and_feature_branches
  include:
    - main
    - feature/*

trigger:
  branch:
    <<: *include_default_and_feature_branches

node_image: &node_image
  pull: if-not-exists
  image: node:20.18.0-alpine3.20@sha256:d504f23acdda979406cf3bdbff0dff7933e5c4ec183dda404ed24286c6125e60

linting: &linting
  <<: *node_image
  commands:
    - yarn run test:lint

unit_tests: &unit_tests
  <<: *node_image
  environment:
    NOTIFY_STUB: true
  commands:
    - yarn run test:unit

sonar_scanner: &sonar_scanner
  pull: if-not-exists
  image: quay.io/ukhomeofficedigital/sonar-scanner-nodejs:latest
  commands:
    - sonar-scanner -Dproject.settings=./sonar-project.properties

ui_integration_tests: &ui_integration_tests
  <<: *node_image
  environment:
    NOTIFY_STUB: true
  commands:
    - yarn run test:ui-integration

accessibility_tests: &accessibility_tests
  pull: if-not-exists
  image: buildkite/puppeteer:8.0.0@sha256:b6cebc17bfa8e7a7abfc3ab14d6f2ddbdf42b9e81b8ad786c6693385665998d5
  environment:
    NOTIFY_STUB: true
    ENVIRONMENT: DRONE
  volumes:
    - name: dockersock
      path: /root/.dockersock
  commands:
    - yarn run test:accessibility

acceptance_tests: &acceptance_tests
  pull: if-not-exists
  image: mcr.microsoft.com/playwright:v1.12.3-focal

steps:
  - name: clone_repos
    pull: if-not-exists
    image: alpine/git
    environment:
      DRONE_GIT_USERNAME:
        from_secret: DRONE_GIT_USERNAME
      DRONE_GIT_TOKEN:
        from_secret: DRONE_GIT_TOKEN
    commands:
      - git clone https://$${DRONE_GIT_USERNAME}:$${DRONE_GIT_TOKEN}@github.com/UKHomeOfficeForms/hof-services-config.git
      - find hof-services-config/* | grep -v $HOF_CONFIG | grep -v 'infrastructure' | xargs rm -rf
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]

  # Trivy Security Scannner for scanning OS related vulnerabilities in Base image of Dockerfile
  - name: scan_base_image_os
    pull: always
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest
    resources:
      limits:
        cpu: 1000
        memory: 1024Mi
    environment:
      IMAGE_NAME: node:20.18.0-alpine3.20@sha256:d504f23acdda979406cf3bdbff0dff7933e5c4ec183dda404ed24286c6125e60
      SERVICE_URL: https://acp-trivy-helm.acp-trivy.svc.cluster.local:443
      SEVERITY: MEDIUM,HIGH,CRITICAL  --dependency-tree
      FAIL_ON_DETECTION: false
      IGNORE_UNFIXED: false
      ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml
    volumes:
      - name: dockersock
        path: /root/.dockersock
    when:
      event: [push, pull_request]
    depends_on:
      - clone_repos

  - name: setup
    <<: *node_image
    environment:
      NOTIFY_STUB: true
    commands:
      - yarn install --frozen-lockfile
      - yarn run postinstall
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]

  - name: linting
    <<: *linting
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]
    depends_on:
      - setup

  - name: unit_tests
    <<: *unit_tests
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]
    depends_on:
      - setup

  - name: sonar_scanner
    <<: *sonar_scanner
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]

  - name: build_image
    pull: if-not-exists
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
    commands:
      # wait for docker service to be up before running docker build
      - /usr/local/bin/wait
      - n=0; while [ "$n" -lt 60 ] && [ ! docker stats --no-stream ]; do n=$(( n + 1 )); sleep 1; done
      - docker build --no-cache -t $${IMAGE_REPO}:$${DRONE_COMMIT_SHA} .
    volumes:
      - name: dockersock
        path: /var/run
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]
    depends_on:
      - linting
      - unit_tests

  - name: image_to_ecr
    pull: if-not-exists
    image: plugins/ecr
    settings:
      access_key:
        from_secret: aws_access_key_id
      secret_key:
        from_secret: aws_secret_access_key
      region: eu-west-2
      repo: sas/csl
      registry: 340268328991.dkr.ecr.eu-west-2.amazonaws.com
      tags:
        - ${DRONE_COMMIT_SHA}
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: [push, pull_request]
    depends_on:
      - linting
      - unit_tests

  # Trivy Security Scannner for scanning nodejs packages in Yarn
  - name: scan_node_packages
    pull: always
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest
    resources:
      limits:
        cpu: 1000
        memory: 1024Mi
    environment:
      IMAGE_NAME: sas/csl:${DRONE_COMMIT_SHA}
      SEVERITY: MEDIUM,HIGH,CRITICAL  --dependency-tree --format table
      FAIL_ON_DETECTION: false
      IGNORE_UNFIXED: false
      ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml
    volumes:
      - name: dockersock
        path: /root/.dockersock
    when:
      event: [push, pull_request]
    depends_on:
      - build_image

  # Deploy to pull request UAT environment
  - name: deploy_to_branch
    pull: if-not-exists
    image: quay.io/ukhomeofficedigital/kd:v1.14.0
    environment:
      # NOTIFY_STUB: stub
      KUBE_SERVER:
        from_secret: KUBE_SERVER_DEV
      KUBE_TOKEN:
        from_secret: KUBE_TOKEN_DEV
    commands:
      - bin/deploy.sh $${BRANCH_ENV}
    when:
      branch:
        <<: *include_default_and_feature_branches
      event: pull_request
    depends_on:
      - clone_repos
      - image_to_ecr

  - name: deploy_to_uat
    pull: if-not-exists
    image: quay.io/ukhomeofficedigital/kd:v1.14.0
    environment:
      KUBE_SERVER:
        from_secret: KUBE_SERVER_DEV
      KUBE_TOKEN:
        from_secret: KUBE_TOKEN_DEV
    commands:
      - sh bin/deploy.sh $${UAT_ENV}
    when:
      branch:
        <<: *include_default_branch
      event: push
    depends_on:
      - clone_repos
      - image_to_ecr

  # Get pull request branch so correct PR UAT environment is torn down in the tear_down_branch step that follows
  - name: get_pr_branch
    pull: if-not-exists
    image: drone/cli:alpine@sha256:14409f7f7247befb9dd2effdb2f61ac40d1f5fbfb1a80566cf6f2f8d21f3be11
    environment:
      DRONE_SERVER:
        from_secret: DRONE_SERVER
      DRONE_TOKEN:
        from_secret: DRONE_TOKEN
    volumes:
      - name: dockersock
        path: /root/.dockersock
    commands:
      - drone build info $GIT_REPO $DRONE_BUILD_NUMBER --format {{.Message}} | grep -o '[^ ]\+$' -m1 | sed 's|UKHomeOffice/||g' | tr '[:upper:]' '[:lower:]' | tr '/' '-' > /root/.dockersock/branch_name.txt
    when:
      branch: main
      event: push

  # Tear down pull request UAT environment
  - name: tear_down_branch
    pull: if-not-exists
    image: quay.io/ukhomeofficedigital/kd:v1.14.0
    environment:
      KUBE_SERVER:
        from_secret: KUBE_SERVER_DEV
      KUBE_TOKEN:
        from_secret: KUBE_TOKEN_DEV
    volumes:
      - name: dockersock
        path: /root/.dockersock
    commands:
      - bin/deploy.sh tear_down
    when:
      branch: main
      event: push
    depends_on:
      - get_pr_branch

   # Deploy to Staging environment
  - name: deploy_to_stg
    pull: if-not-exists
    image: quay.io/ukhomeofficedigital/kd:v1.14.0
    environment:
      KUBE_SERVER:
        from_secret: KUBE_SERVER_PROD
      KUBE_TOKEN:
        from_secret: KUBE_TOKEN_PROD
    commands:
      - bin/deploy.sh $${STG_ENV}
    when:
      branch: main
      event: push
    depends_on:
      - clone_repos
      - image_to_ecr

  ## Checks a build being promoted has passed, is on main which effectively means a healthy build on Staging
  - name: sanity_check_build_prod
    pull: if-not-exists
    image: drone/cli:alpine@sha256:14409f7f7247befb9dd2effdb2f61ac40d1f5fbfb1a80566cf6f2f8d21f3be11
    environment:
      DRONE_SERVER:
        from_secret: DRONE_SERVER
      DRONE_TOKEN:
        from_secret: DRONE_TOKEN
    commands:
      - bin/sanity_check_build.sh
    when:
      target: PROD
      event: promote

  - name: clone_repos_prod
    pull: if-not-exists
    image: alpine/git
    environment:
      DRONE_GIT_USERNAME:
        from_secret: DRONE_GIT_USERNAME
      DRONE_GIT_TOKEN:
        from_secret: DRONE_GIT_TOKEN
    commands:
      - git clone https://$${DRONE_GIT_USERNAME}:$${DRONE_GIT_TOKEN}@github.com/UKHomeOfficeForms/hof-services-config.git
      - find hof-services-config/* | grep -v $HOF_CONFIG | grep -v 'infrastructure' | xargs rm -rf
    when:
      target: PROD
      event: promote
    depends_on:
      - sanity_check_build_prod

  # Deploy to Production environment
  - name: deploy_to_prod
    pull: if-not-exists
    image: quay.io/ukhomeofficedigital/kd:v1.14.0
    environment:
      KUBE_SERVER:
        from_secret: KUBE_SERVER_PROD
      KUBE_TOKEN:
        from_secret: KUBE_TOKEN_PROD
    commands:
      - bin/deploy.sh $${PROD_ENV}
    when:
      target: PROD
      event: promote
    depends_on:
      - clone_repos_prod

  # CRON job step that tears down our pull request UAT environments
  - name: cron_tear_down
    pull: if-not-exists
    image: quay.io/ukhomeofficedigital/kd:v1.14.0
    environment:
      KUBE_SERVER:
        from_secret: KUBE_SERVER_DEV
      KUBE_TOKEN:
        from_secret: KUBE_TOKEN_DEV
    commands:
      - bin/clean_up.sh $${BRANCH_ENV}
    when:
      cron: tear_down_pr_envs
      event: cron

  # CRON job steps that runs security scans using Trivy
  - name: cron_clone_repos
    pull: if-not-exists
    image: alpine/git
    environment:
      DRONE_GIT_USERNAME:
        from_secret: DRONE_GIT_USERNAME
      DRONE_GIT_TOKEN:
        from_secret: DRONE_GIT_TOKEN
    commands:
      - git clone https://$${DRONE_GIT_USERNAME}:$${DRONE_GIT_TOKEN}@github.com/UKHomeOfficeForms/hof-services-config.git
      - find hof-services-config/* | grep -v $HOF_CONFIG | grep -v 'infrastructure' | xargs rm -rf
    when:
      cron: security_scans
      event: cron

  - name: cron_build_image
    pull: if-not-exists
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind
    commands:
      # wait for docker service to be up before running docker build
      - /usr/local/bin/wait
      - docker build --no-cache -t $${IMAGE_REPO}:$${DRONE_COMMIT_SHA} .
    volumes:
      - name: dockersock
        path: /var/run
    when:
      cron: security_scans
      event: cron
    depends_on:
      - cron_clone_repos

  - name: cron_trivy_scan_node_packages
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest
    pull: always
    environment:
        IMAGE_NAME: sas/csl:${DRONE_COMMIT_SHA}
        SERVICE_URL: https://acp-trivy-helm.acp-trivy.svc.cluster.local:443
        SEVERITY: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --dependency-tree
        FAIL_ON_DETECTION: true
        IGNORE_UNFIXED: false
        ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml
    when:
      cron: security_scans
      event: cron
      status:
        - success
        - failure
    depends_on:
      - cron_build_image

  - name: cron_trivy_scan_image_os
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/trivy/client:latest
    pull: always
    environment:
        IMAGE_NAME: node:20.18.0-alpine3.20@sha256:d504f23acdda979406cf3bdbff0dff7933e5c4ec183dda404ed24286c6125e60
        SEVERITY: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --dependency-tree
        FAIL_ON_DETECTION: true
        IGNORE_UNFIXED: false
        ALLOW_CVE_LIST_FILE: hof-services-config/infrastructure/trivy/.trivyignore.yaml
    when:
      cron: security_scans
      event: cron
    depends_on:
      - cron_clone_repos

  # Slack notification upon a CRON job fail
  - name: cron_notify_slack_tear_down_pr_envs
    pull: if-not-exists
    image: plugins/slack:1.4.1
    settings:
      channel: sas-hof-build-notify
      failure: ignore
      icon.url: https://readme.drone.io/logo.svg
      template: >
            *✘ {{ uppercasefirst build.status }}*: CRON Job `tear_down_pr_envs` for *Controlled Substance Licence Suite* has failed.

            Branch <https://github.com/{{ repo.owner }}/{{ repo.name }}/commits/{{ build.branch }}|{{build.branch}}> | Commit <https://github.com/{{ repo.owner }}/{{ repo.name }}/commit/{{ build.commit }}|{{ truncate build.commit 8 }}>

            *Build <{{build.link}}|#{{build.number}}>*
      username: Drone_CI
      webhook:
        from_secret: slack_sas_hof_build_notify_webhook
    when:
      cron: tear_down_pr_envs
      event: cron
      status:
        - failure
    depends_on:
      - cron_tear_down

  - name: cron_notify_slack_security_scans
    pull: if-not-exists
    image: plugins/slack:1.4.1
    settings:
      channel: sas-hof-security
      failure: ignore
      icon.url: https://readme.drone.io/logo.svg
      template: >
            *✘ {{ uppercasefirst build.status }}*: CRON Job `security_scans` for *Controlled Substance Licence Suite* has failed.

            Branch <https://github.com/{{ repo.owner }}/{{ repo.name }}/commits/{{ build.branch }}|{{build.branch}}> | Commit <https://github.com/{{ repo.owner }}/{{ repo.name }}/commit/{{ build.commit }}|{{ truncate build.commit 8 }}>

            *Build <{{build.link}}|#{{build.number}}>*
      username: Drone_CI
      webhook:
        from_secret: slack_sas_hof_security_webhook
    when:
      cron: security_scans
      event: cron
      status:
        - failure
    depends_on:
      - cron_trivy_scan_image_os
      - cron_trivy_scan_node_packages

services:
  - name: docker
    image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/dind

  # Redis session setup in background so ui integration tests can run
  - name: session
    image: redis
    volumes:
      - name: dockersock
        path: /var/run

volumes:
  - name: dockersock
    temp: {}