Build 'n Deploy #42
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build 'n Deploy | |
on: | |
push: | |
branches: | |
- '*' | |
tags-ignore: | |
- '*' | |
paths-ignore: | |
- 'pyproject.toml' | |
- 'bumpver.toml' | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
venue: | |
type: choice | |
description: Venue to deploy to | |
options: | |
- SIT | |
- UAT | |
jobs: | |
build: | |
name: build, lint, and test ingest-to-sds | |
runs-on: ubuntu-latest | |
outputs: | |
deploy_env: ${{ steps.package-build.outputs.deploy_env }} | |
steps: | |
# -- Setup -- | |
- uses: getsentry/action-github-app-token@v2 | |
name: my-app-install token | |
id: podaac-cicd | |
with: | |
app_id: ${{ secrets.CICD_APP_ID }} | |
private_key: ${{ secrets.CICD_APP_PRIVATE_KEY }} | |
- uses: hashicorp/[email protected] | |
with: | |
terraform_version: 1.3.7 | |
- uses: actions/checkout@v3 | |
with: | |
repository: ${{ github.repository }} | |
token: ${{ steps.podaac-cicd.outputs.token }} | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.9' | |
- name: Install bumpver & poetry | |
run: pip3 install bumpver poetry poetry-plugin-bundle | |
- name: Setup git user | |
run: | | |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
git config user.name "github-actions[bot]" | |
- name: Install dependencies | |
run: poetry install | |
# -- Testing & Linting -- | |
- name: Lint | |
run: | | |
poetry run flake8 podaac/ tests/ | |
poetry run pylint podaac/ tests/ | |
- name: Test | |
run: poetry run pytest | |
- name: Validate Terraform | |
run: terraform validate -no-color | |
- name: No version bump | |
# If triggered by workflow dispatch, no version bump | |
if: ${{ github.event_name == 'workflow_dispatch' }} | |
run: | | |
echo "TARGET_ENV=${{ github.event.inputs.venue }}" >> $GITHUB_ENV | |
# -- Version Bumping -- | |
- name: Bump alpha version | |
if: github.ref == 'refs/heads/develop' | |
run: | | |
TAG=$(bumpver show -e | awk -F= '$1 == "TAG" {print $2};') | |
if [ $TAG == 'final' ]; then | |
# Bump patch version first then append tag | |
bumpver update --patch --tag alpha --tag-num | |
else | |
bumpver update --tag alpha --tag-num | |
fi | |
- name: Bump rc version | |
if: startsWith(github.ref, 'refs/heads/release/') | |
run: bumpver --tag rc --tag-num | |
- name: Release version | |
if: github.ref == 'refs/heads/main' | |
run: bumpver --tag final | |
# -- Build -- | |
- name: Build lambda package | |
id: package-build | |
run: ./build.sh | |
- name: Upload packaged zip | |
uses: actions/[email protected] | |
with: | |
name: dist | |
path: dist/*.zip | |
# # -- Terraform -- | |
# - name: Deploy to SIT | |
# if: github.ref == 'refs/heads/develop' | |
# working-directory: terraform/ | |
# env: | |
# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_SERVICES_SIT }} | |
# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_SERVICES_SIT }} | |
# AWS_DEFAULT_REGION: us-west-2 | |
# TF_VAR_sds_ca_cert_path: ${{ runner.temp }}/JPLICA.pem | |
# TF_VAR_sds_host: ${{ secrets.SDS_HOST }} | |
# TF_VAR_sds_username: ${{ secrets.SDS_USERNAME }} | |
# TF_VAR_sds_password: ${{ secrets.SDS_PASSWORD }} | |
# run: | | |
# echo "${{ secrets.JPLICA_CERT }}" >> ${{ runner.temp }}/JPLICA.pem | |
# source bin/config.sh sit | |
# terraform apply -auto-approve | |
deploy: | |
name: Deploy | |
needs: build | |
# The type of runner that the job will run on | |
runs-on: ubuntu-latest | |
environment: | |
name: ${{ needs.build.outputs.deploy_env }} | |
if: | | |
github.ref == 'refs/heads/develop' || | |
github.ref == 'refs/heads/main' || | |
startsWith(github.ref, 'refs/heads/release') || | |
github.event_name == 'workflow_dispatch' | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: us-west-2 | |
role-session-name: GitHubActions | |
aws-access-key-id: ${{ secrets[vars.AWS_ACCESS_KEY_ID_SECRET_NAME] }} | |
aws-secret-access-key: ${{ secrets[vars.AWS_SECRET_ACCESS_KEY_SECRET_NAME] }} | |
mask-aws-account-id: true | |
- uses: actions/checkout@v3 | |
with: | |
repository: ${{ github.repository }} | |
- uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
terraform_wrapper: false | |
- name: Retrieve artifact from build step | |
uses: actions/download-artifact@v3 | |
with: | |
name: dist | |
path: dist/ | |
- name: Deploy to venue | |
id: terraform-deploy | |
working-directory: terraform/ | |
env: | |
AWS_DEFAULT_REGION: us-west-2 | |
TF_VAR_edl_base_url: ${{ secrets.EDL_BASE_URL }} | |
TF_VAR_edl_client_id: ${{ secrets.EDL_CLIENT_ID }} | |
TF_VAR_edl_client_secret: ${{ secrets.EDL_CLIENT_SECRET }} | |
TF_VAR_session_encryption_key: ${{ secrets.SESSION_ENCRYPTION_KEY }} | |
TF_VAR_ingest_aws_account: ${{ secrets.INGEST_AWS_ACCOUNT }} | |
TF_VAR_ingest_aws_role: ${{ secrets.INGEST_AWS_ROLE }} | |
run: | | |
echo "${{ secrets.JPLICA_CERT }}" >> ${{ runner.temp }}/JPLICA.pem | |
source bin/config.sh ${{ vars.TF_VENUE }} | |
terraform apply -auto-approve |