chore: revert commit

aws-solutions · Jul 11, 2023 · 914beb7 · 914beb7
1 parent 710da63
commit 914beb7
Show file tree

Hide file tree

Showing 25 changed files with 1,548 additions and 242 deletions.
diff --git a/.crux_dry_run_build b/.crux_dry_run_build
diff --git a/.github/actions/baseAction/action.yml b/.github/actions/baseAction/action.yml
@@ -0,0 +1,53 @@
+#
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+name: Base Action
+description: Generic base action used by workflows - Cache rush and pnpm; rush install, check and build
+
+runs:
+  using: "composite"
+  steps:
+    - name: Use Node.js 18.x
+      uses: actions/setup-node@v3
+      with:
+        node-version: '18.x'
+
+    - name: Cache Rush
+      uses: actions/cache@v3
+      with:
+        path: |
+          common/temp/install-run
+          ~/.rush
+        key: ${{ runner.os }}-rush-${{ hashFiles('rush.json') }}
+        restore-keys: |
+          ${{ runner.os }}-rush-
+          ${{ runner.os }}-
+
+    - name: Cache pnpm
+      uses: actions/cache@v3
+      with:
+        path: |
+          common/temp/pnpm-store
+        key: ${{ runner.os }}-pnpm-${{ hashFiles('common/config/rush/pnpm-lock.yaml') }}
+        restore-keys: |
+          ${{ runner.os }}-pnpm-
+          ${{ runner.os }}-
+
+    - name: install pnpm
+      uses: pnpm/action-setup@v2.2.2
+      with:
+        version: 6.32
+
+    - name: Install dependecies
+      shell: bash
+      run: node common/scripts/install-run-rush.js install
+
+    - name: Rush check
+      shell: bash
+      run: node common/scripts/install-run-rush.js check
+
+    - name: Rush build
+      shell: bash
+      run: node common/scripts/install-run-rush.js build --verbose
diff --git a/.github/workflows/branch-protection.yml b/.github/workflows/branch-protection.yml
@@ -0,0 +1,30 @@
+#
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+name: Branch protection
+on:
+  pull_request:
+    types: [opened, synchronize, edited, reopened]
+# The purpose of this workflow is to create a failing Status check on pull request against develop. This will prevent
+# PR from being merged into main/stage.
+jobs:
+  main-protection:
+    name: Only create PR against develop branch, not main or stage branch
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Use Node.js 18.x
+        uses: actions/setup-node@v3
+        with:
+          node-version: '18.x'
+      - name: Get branch name
+        id: branch-name
+        uses: tj-actions/branch-names@v5.1
+      - name: main protection
+        if: |
+          (steps.branch-name.outputs.base_ref_branch == 'main' && startsWith(steps.branch-name.outputs.head_ref_branch, 'release/') == false) || 
+          (steps.branch-name.outputs.base_ref_branch == 'stage')
+        run: |
+          echo "PR has target branch ${{ steps.branch-name.outputs.base_ref_branch }}. Failing workflow..."
+          exit 1
diff --git a/.github/workflows/build-test-coverage.yml b/.github/workflows/build-test-coverage.yml
@@ -0,0 +1,23 @@
+#
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+name: Build, test, and test-coverage
+on: ['pull_request']
+
+jobs:
+  build-test-coverage:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Base Action
+        uses: ./.github/actions/baseAction
+
+      - name: Rush test
+        run: node common/scripts/install-run-rush.js test --verbose
diff --git a/.github/workflows/cfn-analysis.yml b/.github/workflows/cfn-analysis.yml
@@ -0,0 +1,73 @@
+#
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+name: CloudFormation Scanning
+
+on:
+  pull_request:
+    branches:
+      - develop
+
+jobs:
+  cfn-analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Base Action
+        uses: ./.github/actions/baseAction
+
+      - name: Build Hapi validator
+        run: |
+          cd ./fwoa-utilities/javaHapiValidatorLambda
+          mvn --batch-mode --update-snapshots --no-transfer-progress clean install
+
+      # for compile igs we would need to use node v16 due to ERR_PACKAGE_PATH_NOT_EXPORTED in elasticsearch package
+      - name: Use Node.js 16.x
+        uses: actions/setup-node@v3
+        with:
+          node-version: '16.x'
+
+      - name: Download US Core IG
+        # NOTE if updating the IG version. Please see update implementationGuides.test.ts test too.
+        run: |
+          cd ./solutions/deployment
+          mkdir -p implementationGuides
+          curl http://hl7.org/fhir/us/core/STU3.1.1/package.tgz | tar xz -C implementationGuides
+          cd ../smart-deployment
+          mkdir -p implementationGuides
+          curl http://hl7.org/fhir/us/core/STU3.1.1/package.tgz | tar xz -C implementationGuides
+      
+      - name: Compile IGs
+        run: |
+          npm install -g ts-node
+          cd ./solutions/deployment
+          node ../../common/scripts/install-run-rushx.js compile-igs
+          cd ../smart-deployment
+          node ../../common/scripts/install-run-rushx.js compile-igs
+
+      - name: synthesize deployment and smart cdk template for cfn for analysis
+        run: |
+          cd ./solutions/deployment
+          node ../../common/scripts/install-run-rushx.js cdk synth -c enableSubscriptions=true -c useHapiValidator=true --all
+      
+          cd ../smart-deployment
+          node ../../common/scripts/install-run-rushx.js cdk synth -c issuerEndpoint='test' -c oAuth2ApiEndpoint='test' -c patientPickerEndpoint='test' -c enableSubscriptions=true -c useHapiValidator=true --all
+
+      - name: cfn_nag on smart cdk template
+        uses: stelligent/cfn_nag@master
+        with:
+          input_path: ./solutions/smart-deployment/cdk.out/smart-fhir-service-dev.template.json
+          extra_args:  --blacklist-path ./solutions/smart-deployment/cdk-nag-deny-list.yaml --fail-on-warnings
+
+      - name: cfn_nag on fwoa cdk template
+        uses: stelligent/cfn_nag@master
+        with:
+          input_path: ./solutions/deployment/cdk.out/fhir-service-dev.template.json
+          extra_args:  --blacklist-path ./solutions/deployment/cdk-nag-deny-list.yaml --fail-on-warnings
+
+
+
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,31 @@
+#
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+name: Security Code Scanning
+
+on:
+  pull_request:
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  CodeQL-Analyze:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: javascript
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -0,0 +1,124 @@
+name: create-release
+on: workflow_dispatch
+env:  
+  BOT_USER_EMAIL: ${{ vars.BOT_USER_EMAIL }}
+  BOT_USER_NAME: ${{ vars.BOT_USER_NAME }}
+jobs:
+  create-release-branch:
+    if: ${{github.ref_name == 'stage'}}
+    runs-on: ubuntu-20.04
+    outputs:
+      source_branch: ${{ steps.create_branch.outputs.source_branch }}
+    steps:
+      - uses: actions-cool/check-user-permission@v2
+        with:
+          require: 'admin'
+          username: ${{ github.triggering_actor }}
+      - name: Use Node.js 18.x
+        uses: actions/setup-node@v3
+        with:
+          node-version: '18.x'
+      - uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+      - name: Set git config
+        run: |
+          git config user.email $BOT_USER_EMAIL
+          git config user.name $BOT_USER_NAME
+      - name: create release branch
+        id: create_branch
+        run: |
+          echo "Create UUID"
+          uuid=`uuidgen`
+          echo 'Creating release branch'
+          git checkout -b release/$uuid
+          git push -u origin release/$uuid
+
+          echo 'Rush version to bump updates'
+          node common/scripts/install-run-rush.js version --bump -b release/$uuid --ignore-git-hooks
+          echo "source_branch=release/$uuid" >> $GITHUB_OUTPUT
+  
+  create-release-branch-pr-to-main:
+    runs-on: ubuntu-20.04
+    needs: create-release-branch
+    outputs:
+      pr_number: ${{ steps.open-pr.outputs.pr_number }}
+    steps:
+    - name: Get current date
+      id: date
+      run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+    - uses: actions/checkout@v3
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        fetch-depth: 0
+
+    - name: create-pull-request
+      id: open-pr
+      uses: repo-sync/pull-request@v2
+      with:
+        source_branch: ${{ needs.create-release-branch.outputs.source_branch }}
+        destination_branch: main
+        pr_title: release-${{ steps.date.outputs.date }}
+        pr_template: ".github/PULL_REQUEST_TEMPLATE.md"
+        pr_label: "auto-release-pr"
+        pr_allow_empty: false
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  merge-release-pr-to-main:
+    runs-on: ubuntu-20.04
+    needs: create-release-branch-pr-to-main
+    steps:
+      - name: enable merge commits
+        uses: octokit/request-action@v2.x
+        with:
+          route: PATCH /repos/{owner}/{repo}
+          owner: aws-solutions
+          repo: fhir-works-on-aws
+          allow_merge_commit: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+
+      - name: Temporarily disable branch protection on main
+        uses: octokit/request-action@v2.x
+        with:
+          route: DELETE /repos/{owner}/{repo}/branches/{branch}/protection/enforce_admins
+          owner: aws-solutions
+          repo: fhir-works-on-aws
+          branch: main
+        env:
+          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+
+      - name: merge release branch pr to main
+        uses: octokit/request-action@v2.x
+        with:
+          route: PUT /repos/{owner}/{repo}/pulls/{pull_number}/merge
+          owner: aws-solutions
+          repo: fhir-works-on-aws
+          pull_number: ${{ needs.create-release-branch-pr-to-main.outputs.pr_number }}
+          merge_method: 'merge'
+        env:
+          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+
+      - name: disable merge commits
+        uses: octokit/request-action@v2.x
+        if: always() # Make sure to enable branch protection even if other steps fail
+        with:
+          route: PATCH /repos/{owner}/{repo}
+          owner: aws-solutions
+          repo: fhir-works-on-aws
+          allow_merge_commit: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+
+      - name: Enable branch protection on main
+        uses: octokit/request-action@v2.x
+        if: always() # Make sure to enable branch protection even if other steps fail
+        with:
+          route: POST /repos/{owner}/{repo}/branches/{branch}/protection/enforce_admins
+          owner: aws-solutions
+          repo: fhir-works-on-aws
+          branch: main
+        env:
+          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}