Build Production #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, Test and Push - Production | |
| on: | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| build_test_push: | |
| runs-on: ubuntu-latest | |
| environment: production | |
| outputs: | |
| image_digest: ${{ steps.build_and_push.outputs.digest }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Setup Docker Structure Test | |
| run: > | |
| curl -LO | |
| https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 | |
| && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 | |
| /usr/local/bin/container-structure-test | |
| - name: Set Image Tag | |
| id: set_image_tag | |
| run: | | |
| tag=${{ github.ref_name }} | |
| echo "image_tag=${tag//\v/}" >> $GITHUB_OUTPUT | |
| - name: Build Docker Image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| load: true | |
| tags: ${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }} | |
| - name: Test Docker Image | |
| run: | | |
| container-structure-test test --image ${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }} --config tests/config.yaml | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| audience: sts.amazonaws.com | |
| aws-region: ${{ vars.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| - name: Login to ECR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ vars.ECR_REGISTRY }} | |
| - name: Build and Push Docker Image | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| id: build_and_push | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| # Only building for AMD64 for now | |
| # platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }} | |
| # For manually triggered runs, grab the image digest from the already built image | |
| - name: Get Digest from Tagged Image | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| id: get_digest_from_tagged_image | |
| run: | | |
| image_digest=$(aws ecr describe-images \ | |
| --repository-name ${{ vars.ECR_REPOSITORY }} \ | |
| --image-ids imageTag=${{ steps.set_image_tag.outputs.image_tag }} \ | |
| | jq -r '.imageDetails[].imageDigest') | |
| echo "image_digest=$image_digest" >> $GITHUB_OUTPUT | |
| production_deploy: | |
| runs-on: ubuntu-latest | |
| environment: production | |
| env: | |
| tf_version: '1.5.7' | |
| tg_version: '0.54.0' | |
| tg_dir: './deploy/tg' | |
| needs: [build_test_push] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| audience: sts.amazonaws.com | |
| aws-region: ${{ vars.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| - name: Expose github environment as shell variables | |
| env: | |
| SECRETS_CONTEXT: ${{ toJson(secrets) }} | |
| VARS_CONTEXT: ${{ toJson(vars) }} | |
| run: | | |
| EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
| to_envs() { jq -r "to_entries[] | \"\(.key)<<$EOF\n\(.value)\n$EOF\n\""; } | |
| echo "$VARS_CONTEXT" | to_envs >> $GITHUB_ENV | |
| echo "$SECRETS_CONTEXT" | to_envs >> $GITHUB_ENV | |
| - name: Terragrunt Plan | |
| uses: gruntwork-io/terragrunt-action@v2 | |
| with: | |
| tf_version: ${{ env.tf_version }} | |
| tg_version: ${{ env.tg_version }} | |
| tg_dir: ${{ env.tg_dir }} | |
| tg_command: 'run-all plan -out=tf.plan' | |
| env: | |
| TF_INPUT: 0 | |
| TF_IN_AUTOMATION: true | |
| # get the image digest from the build job with optional override from vars context | |
| TF_VAR_image: ${{ vars.IMAGE || needs.build_test_push.outputs.image_digest }} | |
| - name: Terragrunt Apply | |
| uses: gruntwork-io/terragrunt-action@v2 | |
| with: | |
| tf_version: ${{ env.tf_version }} | |
| tg_version: ${{ env.tg_version }} | |
| tg_dir: ${{ env.tg_dir }} | |
| tg_command: '--terragrunt-non-interactive --terragrunt-log-level info run-all apply -auto-approve tf.plan' | |
| env: | |
| TF_INPUT: 0 | |
| TF_IN_AUTOMATION: true | |
| # get the image digest from the build job with optional override from vars context | |
| TF_VAR_image: ${{ vars.IMAGE || needs.build_test_push.outputs.image_digest }} | |
| trigger_deploy: | |
| runs-on: ubuntu-latest | |
| needs: [build_test_push] | |
| steps: | |
| - name: Generate App Token | |
| uses: actions/create-github-app-token@v1 | |
| id: app-token | |
| with: | |
| app-id: ${{ vars.DEPLOY_APP_ID }} | |
| private-key: ${{ secrets.DEPLOY_APP_PRIVATE_KEY }} | |
| owner: ${{ github.repository_owner }} | |
| repositories: "appdeploy" | |
| - name: Trigger Deploy Workflow | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ steps.app-token.outputs.token }} | |
| retries: 3 | |
| retry-exempt-status-codes: 204 | |
| script: | | |
| github.rest.actions.createWorkflowDispatch({ | |
| owner: 'aodn', | |
| repo: 'appdeploy', | |
| workflow_id: 'deploy.yml', | |
| ref: 'main', | |
| inputs: { | |
| app_name: 'sample-django-app', | |
| environment: 'production', | |
| image_tag: '${{ needs.build_test_push.outputs.image_digest }}', | |
| } | |
| }) |