Skip to content
Production Deployment

Add public-samples/mint-mobile-app-ncuwqw/src/web/src/services/api/tr… #423

Sign in to view logs

Add public-samples/mint-mobile-app-ncuwqw/src/web/src/services/api/tr…

Add public-samples/mint-mobile-app-ncuwqw/src/web/src/services/api/tr… #423

Workflow file for this run

.github/workflows/deploy-production.yml at 9d4ac2f
# Human Tasks:
# 1. Configure AWS IAM OIDC provider for GitHub Actions
# 2. Set up required GitHub repository secrets:
# - AWS_ACCOUNT_ID
# - AWS_ROLE_ARN (for production environment)
# - SLACK_WEBHOOK_URL (for notifications)
# 3. Configure branch protection rules for 'main'
# 4. Set up required environment protection rules for 'production'
# 5. Configure AWS KMS encryption keys for secrets
# 6. Set up monitoring dashboards for canary metrics
# Required GitHub Actions versions:
# actions/checkout@v3
# aws-actions/configure-aws-credentials@v2
# aws-actions/amazon-ecr-login@v1
# hashicorp/setup-terraform@v2
# azure/k8s-set-context@v2
name: Production Deployment
# Requirement: CI/CD Pipeline - Implements production deployment with canary release strategy
on:
push:
branches:
- main
workflow_dispatch:
inputs:
deploy_version:
description: 'Version to deploy'
required: true
type: string
canary_percentage:
description: 'Percentage of traffic for canary'
required: false
type: number
default: 10
# Requirement: Production Environment Deployment - Environment Configuration
env:
ENVIRONMENT: production
AWS_REGION: us-west-2
ECR_REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com

Check failure on line 42 in .github/workflows/deploy-production.yml

View workflow run for this annotation

GitHub Actions / Production Deployment

Invalid workflow file 

The workflow is not valid. .github/workflows/deploy-production.yml (Line: 42, Col: 17): Unrecognized named-value: 'env'. Located at position 1 within expression: env.AWS_REGION .github/workflows/deploy-production.yml (Line: 56, Col: 3): Unexpected value 'environments'
CANARY_PERCENTAGE: ${{ github.event.inputs.canary_percentage || 10 }}
# Prevent concurrent deployments to production
concurrency:
group: production-deploy
cancel-in-progress: false
# Required permissions for deployment
permissions:
id-token: write
contents: read
packages: write
deployments: write
environments: write
jobs:
# Requirement: Production Environment Deployment - Infrastructure Management
deploy-infrastructure:
name: Deploy Production Infrastructure
runs-on: ubuntu-latest
environment: production
outputs:
eks_cluster_endpoint: ${{ steps.terraform-apply.outputs.eks_cluster_endpoint }}
rds_primary_endpoint: ${{ steps.terraform-apply.outputs.rds_primary_endpoint }}
redis_endpoint: ${{ steps.terraform-apply.outputs.redis_endpoint }}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION }}
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: "1.4.x"
- name: Initialize Terraform
working-directory: infrastructure/terraform/environments/production
run: terraform init
- name: Plan infrastructure changes
working-directory: infrastructure/terraform/environments/production
run: terraform plan -out=tfplan
- name: Request manual approval
uses: trstringer/manual-approval@v1
with:
secret: ${{ github.token }}
approvers: required-approvers
minimum-approvals: 2
timeout: 3600
- name: Apply infrastructure changes
id: terraform-apply
working-directory: infrastructure/terraform/environments/production
run: terraform apply -auto-approve tfplan
# Requirement: CI/CD Pipeline - Security Scanning
security-scan:
name: Security Scanning
runs-on: ubuntu-latest
steps:
- name: Scan container images
run: |
# Install and run Trivy scanner
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy filesystem --security-checks vuln,config .
- name: Check infrastructure compliance
run: |
# Run tfsec for Terraform security scanning
curl -s https://raw.githubusercontent.com/tfsec/tfsec/master/scripts/install_linux.sh | bash
tfsec infrastructure/terraform
- name: Analyze dependencies
run: |
# Run OWASP Dependency Check
docker run --rm \
-v $(pwd):/src \
owasp/dependency-check \
--scan /src \
--format HTML \
--out /src/dependency-check-report.html
- name: Generate security report
run: |
echo "Security Scan Summary" > security-report.txt
echo "===================" >> security-report.txt
echo "Completed scans:" >> security-report.txt
echo "- Container security scan" >> security-report.txt
echo "- Infrastructure compliance check" >> security-report.txt
echo "- Dependency analysis" >> security-report.txt
# Requirement: CI/CD Pipeline - Build and Push
build-and-push:
name: Build and Push Images
needs: [deploy-infrastructure, security-scan]
runs-on: ubuntu-latest
outputs:
backend_image_tag: ${{ steps.build-tags.outputs.backend_tag }}
web_image_tag: ${{ steps.build-tags.outputs.web_tag }}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION }}
- name: Login to Amazon ECR
uses: aws-actions/amazon-ecr-login@v1
- name: Generate build tags
id: build-tags
run: |
echo "backend_tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
echo "web_tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Build backend image
run: |
docker build -t ${{ env.ECR_REGISTRY }}/backend:${{ steps.build-tags.outputs.backend_tag }} \
--build-arg ENV=production \
./backend
- name: Build web image
run: |
docker build -t ${{ env.ECR_REGISTRY }}/web:${{ steps.build-tags.outputs.web_tag }} \
--build-arg ENV=production \
./web
- name: Scan images for vulnerabilities
run: |
trivy image ${{ env.ECR_REGISTRY }}/backend:${{ steps.build-tags.outputs.backend_tag }}
trivy image ${{ env.ECR_REGISTRY }}/web:${{ steps.build-tags.outputs.web_tag }}
- name: Push images to ECR
run: |
docker push ${{ env.ECR_REGISTRY }}/backend:${{ steps.build-tags.outputs.backend_tag }}
docker push ${{ env.ECR_REGISTRY }}/web:${{ steps.build-tags.outputs.web_tag }}
# Requirement: CI/CD Pipeline - Canary Deployment
deploy-canary:
name: Deploy Canary Release
needs: [build-and-push]
runs-on: ubuntu-latest
environment: production
steps:
- name: Configure kubectl
uses: azure/k8s-set-context@v2
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBE_CONFIG }}
- name: Deploy canary backend
run: |
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend-api-canary
namespace: mint-replica-backend
spec:
replicas: 1
template:
spec:
containers:
- name: backend-api
image: ${{ env.ECR_REGISTRY }}/backend:${{ needs.build-and-push.outputs.backend_image_tag }}
resources:
requests:
cpu: "500m"
memory: "512Mi"
limits:
cpu: "2000m"
memory: "2Gi"
EOF
- name: Deploy canary web frontend
run: |
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: web-frontend-canary
namespace: mint-replica-web
spec:
replicas: 1
template:
spec:
containers:
- name: web-frontend
image: ${{ env.ECR_REGISTRY }}/web:${{ needs.build-and-push.outputs.web_image_tag }}
resources:
requests:
cpu: "100m"
memory: "256Mi"
limits:
cpu: "500m"
memory: "512Mi"
EOF
- name: Monitor canary metrics
run: |
# Wait for canary pods to be ready
kubectl wait --for=condition=ready pod -l app=mint-replica-lite,deployment=canary --timeout=300s
# Monitor error rates and latency for 10 minutes
for i in {1..10}; do
kubectl logs -l app=mint-replica-lite,deployment=canary --tail=100
sleep 60
done
- name: Validate canary health
run: |
# Check error rates
if [[ $(kubectl logs -l app=mint-replica-lite,deployment=canary --tail=1000 | grep ERROR | wc -l) -gt 5 ]]; then
echo "Error rate too high in canary deployment"
exit 1
fi
# Requirement: High Availability - Production Promotion
promote-to-production:
name: Promote to Production
needs: [deploy-canary]
runs-on: ubuntu-latest
environment: production
steps:
- name: Validate canary metrics
run: |
# Check performance metrics
kubectl get --raw /apis/metrics.k8s.io/v1beta1/namespaces/mint-replica-backend/pods | jq .
kubectl get --raw /apis/metrics.k8s.io/v1beta1/namespaces/mint-replica-web/pods | jq .
- name: Request manual approval
uses: trstringer/manual-approval@v1
with:
secret: ${{ github.token }}
approvers: required-approvers
minimum-approvals: 2
timeout: 3600
- name: Scale up production deployment
run: |
# Scale backend deployment
kubectl scale deployment backend-api -n mint-replica-backend --replicas=3
# Scale web deployment
kubectl scale deployment web-frontend -n mint-replica-web --replicas=3
# Update images
kubectl set image deployment/backend-api backend-api=${{ env.ECR_REGISTRY }}/backend:${{ needs.build-and-push.outputs.backend_image_tag }} -n mint-replica-backend
kubectl set image deployment/web-frontend web-frontend=${{ env.ECR_REGISTRY }}/web:${{ needs.build-and-push.outputs.web_image_tag }} -n mint-replica-web
- name: Scale down canary
run: |
kubectl delete deployment backend-api-canary -n mint-replica-backend
kubectl delete deployment web-frontend-canary -n mint-replica-web
- name: Verify production health
run: |
# Wait for production pods to be ready
kubectl wait --for=condition=ready pod -l app=mint-replica-lite -n mint-replica-backend --timeout=300s
kubectl wait --for=condition=ready pod -l app=mint-replica-lite -n mint-replica-web --timeout=300s
# Verify endpoints
kubectl get endpoints -n mint-replica-backend
kubectl get endpoints -n mint-replica-web