Feature/CCM-10193 Use GitHub app token to trigger deployment pipeline (#734)

Signed-off-by: Tim Ireland <[email protected]>
Co-authored-by: Mark Ramsden <[email protected]>

Author: timireland

.github/scripts/dispatch_internal_repo_workflow.sh

@@ -86,6 +86,60 @@ while [[ $# -gt 0 ]]; do
       ;;
   esac
 done
+# Validate required parameters
+if [[ -z "$APP_PEM_FILE" ]]; then
+  echo "[ERROR] PEM_FILE environment variable is not set or is empty."
+  exit 1
+fi
+
+if [[ -z "$APP_CLIENT_ID" ]]; then
+  echo "[ERROR] CLIENT_ID environment variable is not set or is empty."
+  exit 1
+fi
+
+now=$(date +%s)
+iat=$((${now} - 60)) # Issues 60 seconds in the past
+exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+header_json='{
+    "typ":"JWT",
+    "alg":"RS256"
+}'
+# Header encode
+header=$( echo -n "${header_json}" | b64enc )
+
+payload_json="{
+    \"iat\":${iat},
+    \"exp\":${exp},
+    \"iss\":\"${APP_CLIENT_ID}\"
+}"
+# Payload encode
+payload=$( echo -n "${payload_json}" | b64enc )
+
+# Signature
+header_payload="${header}"."${payload}"
+signature=$(
+    openssl dgst -sha256 -sign <(echo -n "${APP_PEM_FILE}") \
+    <(echo -n "${header_payload}") | b64enc
+)
+
+# Create JWT
+JWT="${header_payload}"."${signature}"
+
+INSTALLATION_ID=$(curl -X GET \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer ${JWT}" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    --url "https://api.github.com/app/installations" | jq -r '.[0].id')
+
+PR_TRIGGER_PAT=$(curl --request POST \
+  --url "https://api.github.com/app/installations/${INSTALLATION_ID}/access_tokens" \
+  -H "Accept: application/vnd.github+json" \
+  -H "Authorization: Bearer ${JWT}" \
+  -H "X-GitHub-Api-Version: 2022-11-28" | jq -r '.token')
+
 
 # Set default values if not provided
 if [[ -z "$PR_TRIGGER_PAT" ]]; then

.github/workflows/pr_closed.yaml

@@ -52,7 +52,8 @@ jobs:
 
       - name: Updating Main Environment
         env:
-          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+          APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+          APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
         run: |
           bash .github/scripts/dispatch_internal_repo_workflow.sh \
             --releaseVersion "main" \

.github/workflows/pr_create_dynamic_env.yaml

@@ -20,7 +20,8 @@ jobs:
       - uses: actions/[email protected]
       - name: Trigger dynamic environment creation
         env:
-          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+            APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+            APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
         shell: bash
         run: |
           .github/scripts/dispatch_internal_repo_workflow.sh \

.github/workflows/pr_destroy_dynamic_env.yaml

@@ -21,7 +21,8 @@ jobs:
 
       - name: Trigger dynamic environment destruction
         env:
-          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+          APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+          APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
         shell: bash
         run: |
           .github/scripts/dispatch_internal_repo_workflow.sh \
@@ -42,7 +43,8 @@ jobs:
       - name: Trigger sandbox environment destruction
         shell: bash
         env:
-          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+          APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+          APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
         run: |
           .github/scripts/dispatch_internal_repo_workflow.sh \
             --infraRepoName "nhs-notify-web-template-management" \

.github/workflows/release_created.yaml

@@ -28,7 +28,8 @@ jobs:
 
       - name: Deploy Nonprod Environment
         env:
-          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+            APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+            APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
         run: |
           bash .github/scripts/dispatch_internal_repo_workflow.sh \
             --releaseVersion "${{ github.event.release.tag_name }}" \

.github/workflows/stage-4-acceptance.yaml

@@ -22,7 +22,8 @@ jobs:
       - name: Trigger Sandbox Environment Build
         shell: bash
         env:
-          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+          APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+          APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
         run: |
           .github/scripts/dispatch_internal_repo_workflow.sh \
             --infraRepoName "nhs-notify-web-template-management" \
@@ -36,7 +37,8 @@ jobs:
       - name: Trigger Acceptance Tests
         shell: bash
         env:
-          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+          APP_PEM_FILE: ${{ secrets.APP_PEM_FILE }}
+          APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }}
         run: |
           .github/scripts/dispatch_internal_repo_workflow.sh \
             --infraRepoName "nhs-notify-web-template-management" \

tests/test-team/template-mgmt-routing-component-tests/message-plans.routing-component.spec.ts

@@ -26,7 +26,7 @@ async function createRoutingConfigs(): Promise<MessagePlansPageData> {
     draftNew: RoutingConfigFactory.create(user).dbEntry,
     draftOld: {
       ...RoutingConfigFactory.create(user).dbEntry,
-      createdAt: new Date('2020-10-09T00:00:00.000Z').toISOString(),
+      updatedAt: new Date('2020-10-09T00:00:00.000Z').toISOString(),
     },
     production: RoutingConfigFactory.create(user, { status: 'COMPLETED' })
       .dbEntry,