Latest update

packages/csca/.editorconfig → .editorconfig

@@ -7,3 +7,12 @@ end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
+
+[*.sh]
+indent_size = 4
+
+[scripts/*.sh]
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false

.github/PULL_REQUEST_TEMPLATE/release_candidate.md

@@ -1,15 +1,21 @@
-## External 🏡 
+## Manual Release Steps 🦀
 
-### Manual Release Steps
+### Config to update ⚙️
+
+### Db schema or other changes to check against reports 📊
+
+### Other manual release steps 🤏
+
+## External Changes 🏡
 
 ### Features ⭐
 
 ### Tweaks ⚖️ 
 
 ### Bug fixes 🐛
 
-## Internal 🛋️ 
+## Internal Changes 🛋️
 
 ### Infrastructure and maintenance 🛠️
 
-### Miscellaneous / Config changes 🌊 
+### Miscellaneous / Config changes 🌊

.github/actions/setup-cd/action.yml

@@ -0,0 +1,58 @@
+name: CD Setup
+description: Set up Pulumi, Tailscale, and K8S
+inputs:
+  ops-ssh-key:
+    description: SSH key for ops repo
+    required: true
+  ops-ref:
+    description: Ref to checkout in ops repo
+    required: true
+    default: main
+  tailscale-oauth:
+    description: Tailscale OAuth key
+    required: true
+  k8s-core:
+    description: K8S core name
+runs:
+  using: composite
+  steps:
+    - name: Checkout ops
+      uses: actions/checkout@v4
+      with:
+        repository: beyondessential/ops
+        ssh-key: ${{ inputs.ops-ssh-key }}
+        path: ops
+        ref: ${{ inputs.ops-ref }}
+    - name: Remove ops/.git so pulumi doesn't get confused
+      shell: bash
+      run: rm -rf ops/.git
+
+    - name: Install Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: 20.x
+        cache: npm
+
+    - name: Prepare pulumi
+      shell: bash
+      working-directory: ops/pulumi
+      run: npm ci
+
+    - name: Pre-install pulumi
+      uses: pulumi/actions@v5
+
+    - name: Connect to Tailscale
+      uses: tailscale/github-action@v2
+      with:
+        oauth-secret: ${{ inputs.tailscale-oauth }}
+        tags: tag:infra,tag:infra-gha-deploy
+
+    - name: Configure kubeconfig
+      if: inputs.k8s-core
+      shell: bash
+      run: tailscale configure kubeconfig k8s-operator-${{ inputs.k8s-core }}
+
+    - name: Test kubernetes cluster for readiness
+      if: inputs.k8s-core
+      shell: bash
+      run: kubectl get namespace/tamanu-system

.github/actions/setup-manifest-tool/action.yml

@@ -0,0 +1,12 @@
+name: Setup manifest-tool
+description: Set up manifest-tool
+runs:
+  using: composite
+  steps:
+    - name: Install manifest-tool
+      shell: bash
+      run: |
+        curl -sLo manifest-tool.tar.gz https://github.com/estesp/manifest-tool/releases/download/v2.1.5/binaries-manifest-tool-2.1.5.tar.gz
+        tar -xvf manifest-tool.tar.gz manifest-tool-linux-amd64
+        mv manifest-tool-linux-amd64 manifest-tool
+        sudo install -m755 manifest-tool /usr/local/bin/manifest-tool

.github/pull_request_template.md

@@ -4,9 +4,20 @@ _Add a brief description of the changes in this PR to help give the reviewer con
 
 ### Checklist
 
-- [ ] Code
-- [ ] Tests
-- [ ] UI Screenshots
-- [ ] Update the runbook
-- [ ] Include any config changes in the release PR changelog
-- [ ] Update the [release PR](https://github.com/beyondessential/tamanu/pulls?q=is%3Apr+is%3Aopen+release+in%3Atitle) changelog with a ticket reference (e.g. TAN-001 or WAITM-001 will be automatically linked)
+- [ ] Code is finished
+- [ ] Tests are written
+- [ ] UI Screenshots added to the Linear issue
+- [ ] Testing notes added to the Linear issue
+
+_Upon merging:_
+
+- [ ] Update the changelog (find it [here](https://github.com/beyondessential/tamanu/releases) in the appropriate _draft_ release)
+  - [ ] with a ticket reference (e.g. `TAN-123: a one line description`, keep the lists sorted)
+  - [ ] any config/settings changes and manual deployment steps
+  - [ ] any db schema or other changes that could impact downstream data analysis
+- [ ] Update the [config reference](https://beyond-essential.slab.com/posts/reference-config-file-0c70ukly) or [settings reference](https://beyond-essential.slab.com/posts/reference-settings-0blw1x2q) as needed
+- [ ] Update the [relevant runbook(s)](https://beyond-essential.slab.com/topics/runbooks-bs04ml6c) as needed
+
+### Deploys
+
+- [ ] **Deploy to Tamanu Internal** <!-- #deploy -->

.github/workflows/check-label.yml

@@ -0,0 +1,20 @@
+name: Check label
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - labeled
+      - unlabeled
+
+jobs:
+  merge-paused:
+    name: Merge paused
+    runs-on: ubuntu-latest
+    steps:
+    # fail if the merge paused label is present
+    - if: "contains(github.event.pull_request.labels.*.name, 'merge paused')"
+      run: exit 1
+    # else
+    - run: exit 0

.github/workflows/check-pr-title.yml

@@ -0,0 +1,40 @@
+name: Check PR title
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    env:
+      PR_TITLE: ${{ github.event.pull_request.title }}
+    steps:
+    - name: Check for Conventional Commit format
+      shell: bash
+      run: |
+        if ! grep -qP '^\w+(\(\w+\))?:\s' <<< "$PR_TITLE"; then
+          echo "::warning::PR title should be in Conventional Commit style, e.g. 'feat: ...'"
+          exit 1
+        fi
+
+    - name: Check for conventional type allow-list
+      if: always()
+      shell: bash
+      run: |
+        if ! grep -qP '^(ci|config|db|deps|doc|feat|fix|fmt|merge|refactor|release|repo|revert|style|test|tweak)(\(\w+\))?:\s' <<< "$PR_TITLE"; then
+          echo "::warning::PR title Conventional Type is not on the list; refer to CONTRIBUTING.md"
+          exit 1
+        fi
+
+    - name: Check for Linear card number for feature/ branches
+      if: always() && startsWith(github.head_ref, 'feature/')
+      shell: bash
+      run: |
+        if ! grep -qP '^\w+(\(\w+\))?:\s[A-Z]+-[0-9]+(:\s+\w+)?' <<< "$PR_TITLE"; then
+          echo "::warning::PR title should start with ticket number, e.g. 'feat(scope): ABC-123: ...'"
+          exit 1
+        fi

.github/workflows/ci-fake-db-dump.yml

@@ -0,0 +1,113 @@
+name: Fake DB Dump
+
+on:
+  workflow_dispatch:
+  push:
+
+env:
+  NODE_OPTIONS: "--max-old-space-size=6144"
+  NODE_ENV: test
+  NODE_MODULES_PATHS: |
+    node_modules
+    packages/*/node_modules
+    !packages/mobile/node_modules
+
+jobs:
+  generate-fake:
+    if: >-
+      github.event_name == 'workflow_dispatch' || (
+        github.event_name == 'push' && (
+          github.ref == 'refs/heads/main' ||
+          startsWith(github.ref, 'refs/heads/release/') ||
+          startsWith(github.ref, 'refs/tags/') ||
+          contains(github.event.commits.*.message, '[generate-fake-db]')
+        )
+      )
+    strategy:
+      fail-fast: false
+      matrix:
+        postgres:
+          - "12"
+          - "14"
+          - "15"
+          - "16"
+
+    name: Make a db dump of fake data for pg${{ matrix.postgres }}
+    runs-on: ubuntu-latest
+    env:
+      ARTIFACT_NAME: fake-pg${{ matrix.postgres }}
+    steps:
+      - uses: actions/checkout@v4
+        id: autocheckout
+        if: >-
+          github.event_name == 'workflow_dispatch' || (
+            github.event_name == 'push' && (
+              github.ref == 'refs/heads/main' ||
+              startsWith(github.ref, 'refs/heads/release/') ||
+              startsWith(github.ref, 'refs/tags/')
+            )
+          )
+
+      - uses: actions/github-script@v7
+        if: steps.autocheckout.conclusion == 'skipped'
+        id: commit
+        with:
+          result-encoding: string
+          script: |
+            for (const { message, id } of context.payload.commits) {
+              console.log(id, message);
+              if (message.includes('[generate-fake-db]')) {
+                return id;
+              }
+            }
+      - uses: actions/checkout@v4
+        if: steps.commit.conclusion == 'success'
+        with:
+          ref: ${{ steps.commit.outputs.result }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: yarn
+      - uses: actions/cache/restore@v3
+        with:
+          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+          path: ${{ env.NODE_MODULES_PATHS }}
+
+      - run: yarn
+      - run: yarn build-shared
+
+      - name: Install and start postgres ${{ matrix.postgres }}
+        run: |
+          source .github/scripts/install-postgres-ubuntu.sh ${{ matrix.postgres }}
+          .github/scripts/setup-postgres-for-one-package.sh fake
+
+      - run: yarn workspace scripts run generate-fake-db
+      - run: pg_dump fake --format custom --file $ARTIFACT_NAME.dump
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}
+          path: ${{ env.ARTIFACT_NAME }}.dump
+
+  upload:
+    needs: generate-fake
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # allow accessing OIDC token for AWS
+      contents: read
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-region: ap-southeast-2
+          role-to-assume: arn:aws:iam::143295493206:role/gha-tamanu-test-data-snapshots-s3
+          role-session-name: GHA@fake=generate
+
+      - uses: actions/download-artifact@v4
+        with:
+          path: fake
+          pattern: fake-*
+          merge-multiple: true
+
+      - name: Push to S3
+        run: aws s3 sync fake s3://bes-tamanu-test-data-snapshots/${{ github.sha }} --no-progress

.github/workflows/ci-non-deterministic.yml

@@ -0,0 +1,81 @@
+name: Test Migrations for Determinism
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release/*
+env:
+  NODE_OPTIONS: "--max-old-space-size=6144"
+  NODE_ENV: test
+  NODE_MODULES_PATHS: |
+    node_modules
+    packages/*/node_modules
+    !packages/mobile/node_modules
+
+jobs:
+  test-for-non-determinism:
+    permissions:
+      id-token: write # allow accessing OIDC token for AWS
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        postgres:
+          - "12"
+          - "14"
+          - "15"
+          - "16"
+    name: Test Migrations for Determinism on pg${{ matrix.postgres }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-region: ap-southeast-2
+          role-to-assume: arn:aws:iam::143295493206:role/gha-tamanu-test-data-snapshots-s3
+          role-session-name: GHA@fake=generate
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 4000
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: yarn
+      - uses: actions/cache/restore@v3
+        with:
+          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+          path: ${{ env.NODE_MODULES_PATHS }}
+
+      - run: yarn
+      - run: yarn build-shared
+
+      - name: Install and start postgres ${{ matrix.postgres }}
+        run: |
+          source .github/scripts/install-postgres-ubuntu.sh ${{ matrix.postgres }}
+          .github/scripts/setup-postgres-for-one-package.sh fake
+
+      - run: python3 -m pip install boto3
+
+      - id: commit-finder
+        run: |
+          commit=$(.github/scripts/find-dumped.py)
+          (( $? == 0 )) || exit 1
+          echo "commit=$commit" >> $GITHUB_OUTPUT
+
+      - run: aws s3 cp s3://bes-tamanu-test-data-snapshots/${{ steps.commit-finder.outputs.commit }}/fake-pg${{ matrix.postgres }}.dump ./ --no-progress
+
+      - run: yarn workspace scripts run test-determinism --dump-path $(realpath fake-pg${{ matrix.postgres }}.dump)
+
+  # Dummy job to have a stable name for PR requirements
+  tests-pass:
+    if: always() # always run even if dependencies fail
+    name: Non-determinism pass
+    needs: [test-for-non-determinism]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}