Refactor workflows (#382)

- Separate reusable workflows for build/test og deploy, som benyttes i
alle deploy-workflows (og til PR-tester)
- Skriver om deploy til intern versjonert app litt: Vi vil nå deploye
_forrige_ versjon ved prodsetting. Lagrer versionId og image tag ved
deploy til config-variabler (per miljø), som benyttes for deploy av
forrige versjon.

.github/workflows/build-and-deploy.yml → .github/workflows/build-and-test.yml

@@ -1,22 +1,33 @@
-name: Build and deploy to nais
+name: Build, test and prepare for deploy
 on:
   workflow_call:
     inputs:
-      DEPLOY_INSTANCE:
-        required: true
+      IMAGE_SUFFIX:
+        required: false
         type: string
-      CLUSTER:
+      TEST_ONLY:
+        required: false
+        type: boolean
+    outputs:
+      IMAGE:
+        description: "Docker image"
+        value: ${{ jobs.build.outputs.image }}
+    secrets:
+      READER_TOKEN:
+        required: true
+      NAIS_WORKLOAD_IDENTITY_PROVIDER:
         required: true
-        type: string
 
 jobs:
-  build_and_deploy:
-    name: Build and deploy
+  build:
+    name: Build and test
     runs-on: ubuntu-latest
     environment: ${{ inputs.DEPLOY_INSTANCE }}
     permissions:
       contents: read
       id-token: write
+    outputs:
+      IMAGE: ${{ steps.docker-push.outputs.image }}
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -30,35 +41,29 @@ jobs:
           NODE_AUTH_TOKEN: ${{ secrets.READER_TOKEN }}
       - name: Build app
         run: bun run build
-      - name: Run tests
+      - name: Run unit tests
         run: bun run test
+      - name: Setup playwright # TODO: can this be cached? It is slow :D
+        run: |
+          bunx playwright install --with-deps
+          cp packages/server/.env.sample packages/server/.env
+      - name: Run playwright tests
+        run: bunx playwright test
       - name: Upload static files to NAV CDN
         uses: nais/deploy/actions/cdn-upload/v2@master
+        if: inputs.TEST_ONLY != true
         with:
           team: personbruker
           source: './packages/server/public'
           destination: '/decorator-next'
-          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} # Provided as Organization Secret
-          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} # Provided as Organization Variable
+          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
+          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
       - name: Build and push docker image
         uses: nais/docker-build-push@v0
+        if: inputs.TEST_ONLY != true
         id: docker-push
         with:
           team: personbruker
           project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
           identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
-          image_suffix: ${{ inputs.DEPLOY_INSTANCE }}
-      - name: Deploy external app
-        uses: nais/deploy/actions/deploy@v2
-        env:
-          CLUSTER: ${{ inputs.CLUSTER }}
-          RESOURCE: .nais/config.yml
-          VAR: image=${{ steps.docker-push.outputs.image }},versionId=${{ github.sha }}
-          VARS: .nais/vars/${{ inputs.DEPLOY_INSTANCE }}.yml
-      - name: Deploy internal versioned app
-        uses: nais/deploy/actions/deploy@v2
-        env:
-          CLUSTER: ${{ inputs.CLUSTER }}
-          RESOURCE: .nais/config-internal.yml
-          VAR: image=${{ steps.docker-push.outputs.image }},versionId=${{ github.sha }}
-          VARS: .nais/vars/${{ inputs.DEPLOY_INSTANCE }}.yml
+          image_suffix: ${{ inputs.IMAGE_SUFFIX }}

.github/workflows/deploy-application.yml

@@ -0,0 +1,60 @@
+name: Deploy app to nais
+on:
+  workflow_call:
+    inputs:
+      DEPLOY_INSTANCE:
+        required: true
+        type: string
+      CLUSTER:
+        required: true
+        type: string
+      IMAGE:
+        required: true
+        type: string
+      DEPLOY_INTERNAL:
+        required: false
+        type: boolean
+    secrets:
+      VARS_UPDATE_TOKEN:
+        required: true
+
+jobs:
+  deploy_to_nais:
+    name: Deploy to nais
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.DEPLOY_INSTANCE }}
+    env:
+      PREV_VERSION_ID: ${{ vars.PREV_VERSION_ID }}
+      PREV_IMAGE: ${{ vars.PREV_IMAGE }}
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Set version id from short commit hash
+        run: |
+          shortSha=$(git rev-parse --short ${{ github.sha }})
+          echo "VERSION_ID=$shortSha" >> $GITHUB_ENV
+      - name: Deploy internal versioned app
+        uses: nais/deploy/actions/deploy@v2
+        if: inputs.DEPLOY_INTERNAL == true && env.PREV_VERSION_ID != '' && env.PREV_IMAGE != ''
+        env:
+          CLUSTER: ${{ inputs.CLUSTER }}
+          RESOURCE: .nais/config-internal.yml
+          VAR: image=${{ env.PREV_IMAGE }},versionId=${{ env.PREV_VERSION_ID }}
+          VARS: .nais/vars/${{ inputs.DEPLOY_INSTANCE }}.yml
+      - name: Deploy external app
+        uses: nais/deploy/actions/deploy@v2
+        env:
+          CLUSTER: ${{ inputs.CLUSTER }}
+          RESOURCE: .nais/config.yml
+          VAR: image=${{ inputs.IMAGE }},versionId=${{ env.VERSION_ID }}
+          VARS: .nais/vars/${{ inputs.DEPLOY_INSTANCE }}.yml
+      - name: Update vars
+        env:
+          GITHUB_TOKEN: ${{ secrets.VARS_UPDATE_TOKEN }} # This is a PAT with repo or Variables permission
+        run: |
+          gh variable set PREV_VERSION_ID --env ${{ inputs.DEPLOY_INSTANCE }} --body "${{ env.VERSION_ID }}"
+          gh variable set PREV_IMAGE --env ${{ inputs.DEPLOY_INSTANCE }} --body "${{ inputs.IMAGE }}"
+          gh variable list --env ${{ inputs.DEPLOY_INSTANCE }}

.github/workflows/deploy-network-policy.yml

@@ -0,0 +1,28 @@
+name: Deploy network policy to nais
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - .nais/network-policy.yml
+
+jobs:
+  deploy-network-policy:
+    name: Deploy network policy
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Deploy to prod
+        uses: nais/deploy/actions/deploy@v2
+        env:
+          CLUSTER: prod-gcp
+          RESOURCE: .nais/network-policy.yml
+      - name: Deploy to dev
+        uses: nais/deploy/actions/deploy@v2
+        env:
+          CLUSTER: dev-gcp
+          RESOURCE: .nais/network-policy.yml

.github/workflows/deploy-unleash-api-token.yml

@@ -1,6 +1,8 @@
 name: Deploy unleash-apitoken
 on:
   push:
+    branches:
+      - main
     paths:
       - ".nais/unleash-api-token.dev.yaml"
       - ".nais/unleash-api-token.prod.yaml"
@@ -26,7 +28,6 @@ jobs:
     permissions:
       contents: read
       id-token: write
-    if: github.ref == 'refs/heads/main'
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/deploy.beta.navno.yml

@@ -1,14 +1,31 @@
 name: Deploy to Team nav.no beta
 on:
   workflow_dispatch:
+    inputs:
+      DEPLOY_INTERNAL:
+        description: "Deploy previous version to internal"
+        required: false
+        type: boolean
 
 jobs:
+  build:
+    uses: ./.github/workflows/build-and-test.yml
+    permissions:
+      id-token: write
+      contents: read
+    with:
+      IMAGE_SUFFIX: dev-beta-navno
+    secrets: inherit
   deploy:
-    uses: ./.github/workflows/build-and-deploy.yml
+    uses: ./.github/workflows/deploy-application.yml
+    needs: build
     permissions:
       id-token: write
       contents: read
     with:
       DEPLOY_INSTANCE: dev-beta-navno
       CLUSTER: dev-gcp
-    secrets: inherit
+      IMAGE: ${{ needs.build.outputs.IMAGE }}
+      DEPLOY_INTERNAL: ${{ inputs.DEPLOY_INTERNAL }}
+    secrets:
+      VARS_UPDATE_TOKEN: ${{ secrets.VARS_UPDATE_TOKEN }}

.github/workflows/deploy.beta.tms.yml

@@ -1,14 +1,31 @@
-name: Deploy to TMS beta
+name: Deploy to Team min-side beta
 on:
   workflow_dispatch:
+    inputs:
+      DEPLOY_INTERNAL:
+        description: "Deploy previous version to internal"
+        required: false
+        type: boolean
 
 jobs:
+  build:
+    uses: ./.github/workflows/build-and-test.yml
+    permissions:
+      id-token: write
+      contents: read
+    with:
+      IMAGE_SUFFIX: dev-beta-tms
+    secrets: inherit
   deploy:
-    uses: ./.github/workflows/build-and-deploy.yml
+    uses: ./.github/workflows/deploy-application.yml
+    needs: build
     permissions:
       id-token: write
       contents: read
     with:
       DEPLOY_INSTANCE: dev-beta-tms
       CLUSTER: dev-gcp
-    secrets: inherit
+      IMAGE: ${{ needs.build.outputs.IMAGE }}
+      DEPLOY_INTERNAL: ${{ inputs.DEPLOY_INTERNAL }}
+    secrets:
+      VARS_UPDATE_TOKEN: ${{ secrets.VARS_UPDATE_TOKEN }}

.github/workflows/deploy.dev.yml

@@ -1,14 +1,31 @@
 name: Deploy to dev
 on:
   workflow_dispatch:
+    inputs:
+      DEPLOY_INTERNAL:
+        description: "Deploy previous version to internal"
+        required: false
+        type: boolean
 
 jobs:
+  build:
+    uses: ./.github/workflows/build-and-test.yml
+    permissions:
+      id-token: write
+      contents: read
+    with:
+      IMAGE_SUFFIX: dev-stable
+    secrets: inherit
   deploy:
-    uses: ./.github/workflows/build-and-deploy.yml
+    uses: ./.github/workflows/deploy-application.yml
+    needs: build
     permissions:
       id-token: write
       contents: read
     with:
       DEPLOY_INSTANCE: dev-stable
       CLUSTER: dev-gcp
-    secrets: inherit
+      IMAGE: ${{ needs.build.outputs.IMAGE }}
+      DEPLOY_INTERNAL: ${{ inputs.DEPLOY_INTERNAL }}
+    secrets:
+      VARS_UPDATE_TOKEN: ${{ secrets.VARS_UPDATE_TOKEN }}