Deploy security.txt to Azure #22
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Deploy security.txt to Azure | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - '**.txt' | |
| - 'index.html' | |
| - 'timestamp.sh' | |
| - 'terraform/**' | |
| - '.github/workflows/deploy-to-azure.yml' | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| storage_account: ${{ steps.run-tf.outputs.STORAGE_ACCOUNT_NAME }} | |
| cdn_profile: ${{ steps.run-tf.outputs.CDN_PROFILE_NAME }} | |
| cdn_endpoint: ${{ steps.run-tf.outputs.CDN_ENDPOINT_NAME }} | |
| resource_group: ${{ steps.run-tf.outputs.RESOURCE_GROUP_NAME }} | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v4 | |
| - name: Timestamp security.txt | |
| run: ./timestamp.sh | |
| - name: Deploy terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: 1.7.4 | |
| terraform_wrapper: false | |
| - name: Terraform version | |
| run: terraform -version | |
| - name: Run terraform | |
| id: run-tf | |
| env: | |
| ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} | |
| ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} | |
| ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} | |
| ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} | |
| ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} | |
| run: | | |
| cd terraform/; terraform init; terraform apply -auto-approve | |
| terraform output -raw storage_account_name | |
| terraform output -raw cdn_profile_name | |
| terraform output -raw cdn_endpoint_name | |
| terraform output -raw resource_group_name | |
| echo "STORAGE_ACCOUNT_NAME=$(terraform output -raw storage_account_name)" >> $GITHUB_OUTPUT | |
| echo "CDN_PROFILE_NAME=$(terraform output -raw cdn_profile_name)" >> $GITHUB_OUTPUT | |
| echo "CDN_ENDPOINT_NAME=$(terraform output -raw cdn_endpoint_name)" >> $GITHUB_OUTPUT | |
| echo "RESOURCE_GROUP_NAME=$(terraform output -raw resource_group_name)" >> $GITHUB_OUTPUT | |
| # - name: Get terraform output values and set them as repo variables | |
| # id: tf-outputs | |
| # run: | | |
| # terraform output -raw storage_account_name | |
| # terraform output -raw cdn_profile_name | |
| # terraform output -raw cdn_endpoint_name | |
| # terraform output -raw resource_group_name | |
| # echo "STORAGE_ACCOUNT_NAME=$(terraform output -raw storage_account_name)" >> $GITHUB_OUTPUT | |
| # echo "CDN_PROFILE_NAME=$(terraform output -raw cdn_profile_name)" >> $GITHUB_OUTPUT | |
| # echo "CDN_ENDPOINT_NAME=$(terraform output -raw cdn_endpoint_name)" >> $GITHUB_OUTPUT | |
| # echo "RESOURCE_GROUP_NAME=$(terraform output -raw resource_group_name)" >> $GITHUB_OUTPUT | |
| - name: Availability test | |
| run: | | |
| status_code=$(curl -s -o /dev/null -w "%{http_code}" https://vdp.security.education.gov.uk/.well-known/security.txt) | |
| if [ $status_code == 200 ] | |
| then | |
| echo "Security.txt successfully deployed to https://vdp.security.education.gov.uk" | |
| else | |
| echo "Error deploying to https://vdp.security.education.gov.uk, status code returned: $status_code" | |
| exit 1 | |
| fi | |
| push-files: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v4 | |
| - name: Timestamp security.txt | |
| run: ./timestamp.sh | |
| - name: Azure Login | |
| uses: azure/login@v2 | |
| with: | |
| creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}' | |
| - name: Upload to blob storage | |
| uses: azure/CLI@v2 | |
| with: | |
| inlineScript: | | |
| az storage blob upload --account-name ${{ needs.build.outputs.storage_account }} --file 'security.txt' --name 'security.txt' --auth-mode key --container-name '$web' | |
| az storage blob upload --account-name ${{ needs.build.outputs.storage_account }} --file 'security.txt' --name '.well-known/security.txt' --auth-mode key --container-name '$web' | |
| az storage blob upload --account-name ${{ needs.build.outputs.storage_account }} --file 'thanks.txt' --name 'thanks.txt' --auth-mode key --container-name '$web' | |
| az storage blob upload --account-name ${{ needs.build.outputs.storage_account }} --file 'index.html' --name 'index.html' --auth-mode key --container-name '$web' | |
| - name: Purge CDN endpoint | |
| uses: azure/CLI@v2 | |
| with: | |
| inlineScript: | | |
| az cdn endpoint purge --content-paths "/*" --profile-name ${{ needs.build.outputs.cdn_profile }} --name ${{ needs.build.outputs.cdn_profile }} --resource-group ${{ needs.build.outputs.resource_group }} | |