From 0623a96a9476747ef65057ca3342df3f66746b8f Mon Sep 17 00:00:00 2001
From: Sean Rankine
Date: Wed, 25 May 2022 16:54:12 +0100
Subject: [PATCH 1/2] Enable CI using GitHub Actions
---
 .github/workflows/ci.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .github/workflows/ci.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 000000000..bf6cb1534
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,12 @@
+name: CI
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ test:
+ name: Test
+ uses: alphagov/govuk-infrastructure/.github/workflows/ci.yaml@add-ci-workflow
From 5ea947f6b7a5a398464b61d68896e5332ceefec6 Mon Sep 17 00:00:00 2001
From: Sean Rankine
Date: Mon, 20 Jun 2022 16:04:15 +0100
Subject: [PATCH 2/2] Update deploy workflow to wait for CI
This prevents the deploy workflow from being run before the application tests have been completed. This is to ensure that the commit passes application tests before being deployed. The 'workflow_run' trigger is being used as these events cannot be triggered directly by users. This is to prevent non-production team members from deploying. The 'repository_dispatch' and 'deployment' trigger were also considered, however those events can be directly created via API calls hence would give deploy access to non-production users (as we assign them "write" roles to repos and GitHub currently doesn't provide more fine grained access controls).
---
 .github/workflows/ci.yaml | 4 +++-
 .github/workflows/deploy.yaml | 14 ++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index bf6cb1534..16b05e904 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,4 +9,6 @@ on:
 jobs:
 test:
 name: Test
- uses: alphagov/govuk-infrastructure/.github/workflows/ci.yaml@add-ci-workflow
+ uses: alphagov/govuk-infrastructure/.github/workflows/test-rails.yaml@main
+ with:
+ requiresJavaScript: true
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 9ca85fbb1..350d3f9ae 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -17,19 +17,18 @@ on:
 - staging
 - production
 default: 'integration'
- push:
- branches:
- - main
- paths-ignore:
- - "Jenkinsfile"
- - ".git**"
+ workflow_run:
+ workflows: [CI]
+ types: [completed]
+ branches: [main]
 jobs:
 build-and-publish-image:
+ if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
 name: Build and publish image
 uses: alphagov/govuk-infrastructure/.github/workflows/ci-ecr.yaml@main
 with:
- gitRef: ${{ github.event.inputs.gitRef }}
+ gitRef: ${{ github.event.inputs.gitRef || github.ref }}
 secrets:
 AWS_GOVUK_ECR_ACCESS_KEY_ID: ${{ secrets.AWS_GOVUK_ECR_ACCESS_KEY_ID }}
 AWS_GOVUK_ECR_SECRET_ACCESS_KEY: ${{ secrets.AWS_GOVUK_ECR_SECRET_ACCESS_KEY }}
@@ -39,7 +38,6 @@ jobs:
 uses: alphagov/govuk-infrastructure/.github/workflows/deploy.yaml@main
 with:
 imageTag: ${{ needs.build-and-publish-image.outputs.imageTag }}
- workflowTrigger: ${{ github.event_name }}
 environment: ${{ github.event.inputs.environment }}
 secrets:
 WEBHOOK_TOKEN: ${{ secrets.GOVUK_INTEGRATION_ARGO_EVENTS_WEBHOOK_TOKEN }}
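Review bot: The new `uses:` line references the reusable workflow by the mutable branch ref `@main`, so any commit that lands on that branch of alphagov/govuk-infrastructure runs in this repository's CI without being reviewed here. Pinning to a full commit SHA, for example `uses: alphagov/govuk-infrastructure/.github/workflows/test-rails.yaml@<full-commit-sha>  # main`, makes runs reproducible and puts workflow updates through review. The same applies to the `ci-ecr.yaml@main` and `deploy.yaml@main` references in .github/workflows/deploy.yaml, where it matters more because those calls are handed the ECR and webhook secrets.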
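Review bot: On a `workflow_run` event `github.ref` resolves to the default branch rather than the commit the CI run tested, so the new `gitRef: ${{ github.event.inputs.gitRef || github.ref }}` can build a later commit on main whose CI is still running or has failed. Passing the tested commit, `gitRef: ${{ github.event.inputs.gitRef || github.event.workflow_run.head_sha }}`, keeps the guarantee the commit message describes, assuming the called `ci-ecr.yaml` accepts a SHA for `gitRef` (not visible here). CI also runs on `pull_request`, and the `branches: [main]` filter matches the head branch name of the triggering run, so a pull request opened from a branch named main may satisfy it. The job condition should therefore also require a push-triggered run: `if: github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push')`. The `build-and-publish-image` job may continue past the end of this hunk.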