From 42ef6b79331034b185101a8565db9d72fc41e8d1 Mon Sep 17 00:00:00 2001
From: digorgonzola <29941279+digorgonzola@users.noreply.github.com>
Date: Sat, 30 Dec 2023 01:55:59 +1100
Subject: [PATCH] update staging/production workflows
---
 ...oy-production.yml => build-production.yml} | 71 ++++++++++--
 .github/workflows/build-staging.yml | 98 +++++++++++++++++
 .github/workflows/deploy-staging.yml | 104 ------------------
 3 files changed, 158 insertions(+), 115 deletions(-)
 rename .github/workflows/{deploy-production.yml => build-production.yml} (66%)
 create mode 100644 .github/workflows/build-staging.yml
 delete mode 100644 .github/workflows/deploy-staging.yml
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/build-production.yml
similarity index 66%
rename from .github/workflows/deploy-production.yml
rename to .github/workflows/build-production.yml
index 380ba08..7733d3d 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/build-production.yml
@@ -1,21 +1,20 @@
-name: Deploy Production
+name: Build, Test and Push - Production
 on:
 release:
 types:
 - published
- workflow_dispatch:
 permissions:
 id-token: write
 contents: read
 jobs:
- build_push:
+ build_test_push:
 runs-on: ubuntu-latest
 environment: production
 outputs:
- image_digest: ${{ steps.build_and_push.outputs.digest || steps.get_digest_from_tagged_image.outputs.image_tag }}
+ image_digest: ${{ steps.build_and_push.outputs.digest }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
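Review bot: Dropping `workflow_dispatch:` from the triggers leaves the `if: ${{ github.event_name != 'workflow_dispatch' }}` guard on the Build and Push Docker Image step (visible as context in the @@ -38 hunk) permanently true; remove that `if:` line so the step's conditions match the workflow's actual triggers. The old `image_digest` output also fell back to `steps.get_digest_from_tagged_image.outputs.image_tag`, a step id that appears in no hunk of this patch; if that step still exists in the part of the job outside this view, it is now unreferenced and should be removed as well, otherwise nothing further is needed.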
@@ -26,6 +25,30 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
+ - name: Setup Docker Structure Test
+ run: >
+ curl -LO
+ https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64
+ && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64
+ /usr/local/bin/container-structure-test
+
+ - name: Set Image Tag
+ id: set_image_tag
+ run: |
+ tag=${{ github.ref_name }}
+ echo "image_tag=${tag//\v/}" >> $GITHUB_OUTPUT
+
+ - name: Build Docker Image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ load: true
+ tags: ${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }}
+
+ - name: Test Docker Image
+ run: |
+ container-structure-test test --image ${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }} --config tests/config.yaml
+
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
@@ -38,12 +61,6 @@ jobs:
 with:
 registry: ${{ vars.ECR_REGISTRY }}
- - name: Set Image Tag
- id: set_image_tag
- run: |
- tag=${{ github.ref_name }}
- echo "image_tag=${tag//\v/}" >> $GITHUB_OUTPUT
-
 - name: Build and Push Docker Image
 if: ${{ github.event_name != 'workflow_dispatch' }}
 id: build_and_push
@@ -73,7 +90,7 @@ jobs:
 tf_version: '1.5.7'
 tg_version: '0.54.0'
 tg_dir: './deploy/tg'
- needs: [build_push]
+ needs: [build_test_push]
 steps:
 - name: Checkout
 uses: actions/checkout@v4
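Review bot: The Setup Docker Structure Test step downloads an unpinned `latest` binary, installs it into `/usr/local/bin` with sudo and then runs it against the image, with no version pin and no checksum or signature check, so whatever the bucket serves on a given day executes with the job's full privileges; the same step is duplicated in the new build-staging.yml. Pin a released version and verify the file's digest before installing, as below (the version and expected hash are placeholders to fill from the tool's release notes). In the moved Set Image Tag step, `tag=${{ github.ref_name }}` splices the release tag name straight into the shell script; a tag is free-form text, so hand it over through an environment variable (`env: TAG_REF: ${{ github.ref_name }}` on the step and `tag="$TAG_REF"` in the script) rather than interpolating it into the script body. Note also that `${tag//\v/}` deletes every `v` in the name, not only a leading one (`v1.0.0-preview` becomes `1.0.0-preie`); `${tag#v}` strips just the prefix.
```yaml
- name: Setup Docker Structure Test
  run: |
    curl -fsSLO https://storage.googleapis.com/container-structure-test/<PINNED_VERSION>/container-structure-test-linux-amd64
    echo "<EXPECTED_SHA256>  container-structure-test-linux-amd64" | sha256sum -c -
    chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
# … unchanged: Set Image Tag, Build Docker Image, Test Docker Image steps …
```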
@@ -120,3 +137,35 @@ jobs:
 TF_IN_AUTOMATION: true
 # get the image digest from the build job with optional override from vars context
 TF_VAR_image: ${{ vars.IMAGE || needs.build_push.outputs.image_digest }}
+
+ trigger_deploy:
+ runs-on: ubuntu-latest
+ needs: [build_test_push]
+ steps:
+ - name: Generate App Token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.DEPLOY_APP_ID }}
+ private-key: ${{ secrets.DEPLOY_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: "appdeploy"
+
+ - name: Trigger Deploy Workflow
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ steps.app-token.outputs.token }}
+ retries: 3
+ retry-exempt-status-codes: 204
+ script: |
+ github.rest.actions.createWorkflowDispatch({
+ owner: 'aodn',
+ repo: 'appdeploy',
+ workflow_id: 'deploy.yml',
+ ref: 'main',
+ inputs: {
+ app_name: 'sample-django-app',
+ environment: 'production',
+ image_tag: '${{ needs.build_test_push.outputs.image_digest }}',
+ }
+ })
diff --git a/.github/workflows/build-staging.yml b/.github/workflows/build-staging.yml
new file mode 100644
index 0000000..b11e094
--- /dev/null
+++ b/.github/workflows/build-staging.yml
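Review bot: The context line `TF_VAR_image: ${{ vars.IMAGE || needs.build_push.outputs.image_digest }}` still addresses the build job by its old id, but this patch renames it to `build_test_push` (see the `needs: [build_test_push]` hunk above), so `needs.build_push.outputs.image_digest` evaluates to an empty string and the terragrunt apply only ever receives `vars.IMAGE`, or nothing when that variable is unset. Change it to `TF_VAR_image: ${{ vars.IMAGE || needs.build_test_push.outputs.image_digest }}`; the deleted deploy-staging.yml shows the same line once more under the plan step, and the production job presumably has that second occurrence above this hunk too. The terragrunt job this line belongs to starts outside the hunk. Production now has two consumers of the build output — that terragrunt job and the new `trigger_deploy` job dispatching appdeploy — and if this is a transition rather than an intended double deployment, a one-line comment on `trigger_deploy` saying which path is authoritative would save the next reader the question.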
@@ -0,0 +1,98 @@
+name: Build, Test and Push - Staging
+
+on:
+ push:
+ branches:
+ - master
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ build_test_push:
+ runs-on: ubuntu-latest
+ environment: staging
+ outputs:
+ image_digest: ${{ steps.build_and_push.outputs.digest }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Setup Docker Structure Test
+ run: >
+ curl -LO
+ https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64
+ && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64
+ /usr/local/bin/container-structure-test
+
+ - name: Build Docker Image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ load: true
+ tags: ${{ vars.ECR_REPOSITORY }}:latest
+
+ - name: Test Docker Image
+ run: |
+ container-structure-test test --image ${{ vars.ECR_REPOSITORY }}:latest --config tests/config.yaml
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ audience: sts.amazonaws.com
+ aws-region: ${{ vars.AWS_REGION }}
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+
+ - name: Login to ECR
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ vars.ECR_REGISTRY }}
+
+ - name: Build and Push Docker Image
+ id: build_and_push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+# Only building for AMD64 for now
+# platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:latest
+
+ trigger_deploy:
+ runs-on: ubuntu-latest
+ needs: [build_test_push]
+ steps:
+ - name: Generate App Token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.DEPLOY_APP_ID }}
+ private-key: ${{ secrets.DEPLOY_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: "appdeploy"
+
+ - name: Trigger Deploy Workflow
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ steps.app-token.outputs.token }}
+ retries: 3
+ retry-exempt-status-codes: 204
+ script: |
+ github.rest.actions.createWorkflowDispatch({
+ owner: 'aodn',
+ repo: 'appdeploy',
+ workflow_id: 'deploy.yml',
+ ref: 'main',
+ inputs: {
+ app_name: 'sample-django-app',
+ environment: 'staging',
+ image_tag: '${{ needs.build_test_push.outputs.image_digest }}',
+ }
+ })
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
deleted file mode 100644
index a0c4e8e..0000000
--- a/.github/workflows/deploy-staging.yml
+++ /dev/null
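Review bot: The image that is tested is not the image that is pushed: Test Docker Image runs against the output of the first build-push-action call (`load: true`, tag `${{ vars.ECR_REPOSITORY }}:latest`), while Build and Push Docker Image starts a second build with a different tag and `push: true`, so the digest handed to `trigger_deploy` only matches the tested artifact if that second build is served entirely from the buildx cache; any non-hermetic Dockerfile step that misses the cache yields an untested image. The same split exists in build-production.yml. Either document the reliance with a comment on the second build, e.g. `# Re-runs the build above; relies on a full buildx cache hit so that the pushed image is the one tested`, or restructure to a single build that carries both tags and is pushed afterwards, so that one artifact is tested and published. Separately, the `# Only building for AMD64 for now` / `# platforms:` comment lines sit at column 0 inside the `with:` mapping; indenting them to the level of `push:` keeps yamllint's comments-indentation check clean and makes clear which step they describe.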
@@ -1,104 +0,0 @@
-name: Deploy Staging
-
-on:
- push:
- branches:
- - master
- workflow_dispatch:
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- build_push:
- runs-on: ubuntu-latest
- environment: staging
- outputs:
- image_digest: ${{ steps.build_and_push.outputs.digest }}
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- audience: sts.amazonaws.com
- aws-region: ${{ vars.AWS_REGION }}
- role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
-
- - name: Login to ECR
- uses: docker/login-action@v3
- with:
- registry: ${{ vars.ECR_REGISTRY }}
-
- - name: Build and Push Docker Image
- id: build_and_push
- uses: docker/build-push-action@v5
- with:
- context: .
-# Only building for AMD64 for now
-# platforms: linux/amd64,linux/arm64
- push: true
- tags: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:latest
-
- staging_deploy:
- runs-on: ubuntu-latest
- environment: staging
- env:
- tf_version: '1.5.7'
- tg_version: '0.54.0'
- tg_dir: './deploy/tg'
- needs: build_push
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- audience: sts.amazonaws.com
- aws-region: ${{ vars.AWS_REGION }}
- role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
-
- - name: Expose github environment as shell variables
- env:
- SECRETS_CONTEXT: ${{ toJson(secrets) }}
- VARS_CONTEXT: ${{ toJson(vars) }}
- run: |
- EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
- to_envs() { jq -r "to_entries[] | \"\(.key)<<$EOF\n\(.value)\n$EOF\n\""; }
- echo "$VARS_CONTEXT" | to_envs >> $GITHUB_ENV
- echo "$SECRETS_CONTEXT" | to_envs >> $GITHUB_ENV
-
- - name: Terragrunt Plan
- uses: gruntwork-io/terragrunt-action@v2
- with:
- tf_version: ${{ env.tf_version }}
- tg_version: ${{ env.tg_version }}
- tg_dir: ${{ env.tg_dir }}
- tg_command: 'run-all plan -out=tf.plan'
- env:
- TF_INPUT: 0
- TF_IN_AUTOMATION: true
- # get the image digest from the build job with optional override from vars context
- TF_VAR_image: ${{ vars.IMAGE || needs.build_push.outputs.image_digest }}
-
- - name: Terragrunt Apply
- uses: gruntwork-io/terragrunt-action@v2
- with:
- tf_version: ${{ env.tf_version }}
- tg_version: ${{ env.tg_version }}
- tg_dir: ${{ env.tg_dir }}
- tg_command: '--terragrunt-non-interactive --terragrunt-log-level info run-all apply -auto-approve tf.plan'
- env:
- TF_INPUT: 0
- TF_IN_AUTOMATION: true
- # get the image digest from the build job with optional override from vars context
- TF_VAR_image: ${{ vars.IMAGE || needs.build_push.outputs.image_digest }}