Merge branch 'develop' of https://github.com/podaac/swodlr-ingest-to-… #49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build 'n Deploy | |
on: | |
push: | |
branches: | |
- '*' | |
tags-ignore: | |
- '*' | |
paths-ignore: | |
- 'pyproject.toml' | |
- 'bumpver.toml' | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
inputs: | |
venue: | |
type: choice | |
description: Venue to deploy to | |
options: | |
- SIT | |
- UAT | |
jobs: | |
build: | |
name: build, lint, and test ingest-to-sds | |
runs-on: ubuntu-latest | |
outputs: | |
deploy_env: ${{ steps.set-env.outputs.deploy_env }} | |
github_sha: ${{ steps.update-sha.outputs.github_sha }} | |
steps: | |
# -- Setup -- | |
- uses: getsentry/action-github-app-token@v2 | |
name: my-app-install token | |
id: podaac-cicd | |
with: | |
app_id: ${{ secrets.CICD_APP_ID }} | |
private_key: ${{ secrets.CICD_APP_PRIVATE_KEY }} | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: 1.3.7 | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.repository }} | |
token: ${{ steps.podaac-cicd.outputs.token }} | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.9' | |
- name: Install bumpver & poetry | |
run: pip3 install bumpver poetry poetry-plugin-bundle | |
- name: Setup git user | |
run: | | |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
git config user.name "github-actions[bot]" | |
- name: Install dependencies | |
run: poetry install | |
# -- Testing & Linting -- | |
- name: Lint | |
run: | | |
poetry run flake8 podaac/ tests/ | |
poetry run pylint podaac/ tests/ | |
- name: Test | |
run: poetry run pytest | |
- name: Validate Terraform | |
run: terraform validate -no-color | |
# -- Version Bumping -- | |
- name: Manual execution means no version bump | |
# If triggered by workflow dispatch, no version bump | |
if: ${{ github.event_name == 'workflow_dispatch' }} | |
run: | | |
echo "TARGET_ENV=${{ github.event.inputs.venue }}" >> $GITHUB_ENV | |
TARGET_ENV=${{ github.event.inputs.venue }} | |
- name: Bump alpha version | |
if: github.ref == 'refs/heads/develop' && github.event_name != 'workflow_dispatch' | |
run: | | |
TAG=$(bumpver show -e | awk -F= '$1 == "TAG" {print $2};') | |
if [ $TAG == 'final' ]; then | |
# Bump patch version first then append tag | |
bumpver update --patch --tag alpha --tag-num | |
else | |
bumpver update --tag alpha --tag-num | |
fi | |
echo "TARGET_ENV=SIT" >> $GITHUB_ENV | |
- name: Bump rc version | |
if: startsWith(github.ref, 'refs/heads/release/') && github.event_name != 'workflow_dispatch' | |
run: | | |
bumpver --tag rc --tag-num | |
echo "TARGET_ENV=UAT" >> $GITHUB_ENV | |
- name: Release version | |
if: github.ref == 'refs/heads/main' && github.event_name != 'workflow_dispatch' | |
run: | | |
bumpver --tag final | |
- name: Set the target environment to ${{ env.TARGET_ENV }} | |
id: set-env | |
run: | | |
echo "deploy_env=${{ env.TARGET_ENV }}" >> $GITHUB_OUTPUT | |
# -- Build -- | |
- name: Build lambda package | |
run: | | |
./build.sh | |
- name: Upload packaged zip | |
uses: actions/upload-artifact@v4 | |
with: | |
name: dist | |
path: dist/*.zip | |
- name: Set github SHA for deployment | |
id: update-sha | |
run: | | |
SHA=$(git rev-parse HEAD) | |
echo "github_sha=${SHA}" >> $GITHUB_OUTPUT | |
deploy: | |
name: Deploy | |
needs: build | |
# The type of runner that the job will run on | |
runs-on: ubuntu-latest | |
environment: | |
name: ${{ needs.build.outputs.deploy_env }} | |
if: | | |
github.ref == 'refs/heads/develop' || | |
github.ref == 'refs/heads/main' || | |
startsWith(github.ref, 'refs/heads/release') || | |
github.event_name == 'workflow_dispatch' | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: us-west-2 | |
role-session-name: GitHubActions | |
aws-access-key-id: ${{ secrets[vars.AWS_ACCESS_KEY_ID_SECRET_NAME] }} | |
aws-secret-access-key: ${{ secrets[vars.AWS_SECRET_ACCESS_KEY_SECRET_NAME] }} | |
mask-aws-account-id: true | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.repository }} | |
ref: ${{ needs.build.outputs.github_sha }} | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
terraform_wrapper: false | |
- name: Retrieve artifact from build step | |
uses: actions/download-artifact@v4 | |
with: | |
name: dist | |
path: dist/ | |
- name: Deploy to ${{ needs.build.outputs.deploy_env }} | |
id: terraform-deploy | |
working-directory: terraform/ | |
env: | |
TF_VAR_edl_base_url: ${{ secrets.EDL_BASE_URL }} | |
TF_VAR_edl_client_id: ${{ secrets.EDL_CLIENT_ID }} | |
TF_VAR_edl_client_secret: ${{ secrets.EDL_CLIENT_SECRET }} | |
TF_VAR_session_encryption_key: ${{ secrets.SESSION_ENCRYPTION_KEY }} | |
TF_VAR_ingest_aws_account: ${{ secrets.INGEST_AWS_ACCOUNT }} | |
TF_VAR_ingest_aws_role: ${{ secrets.INGEST_AWS_ROLE }} | |
TF_VAR_sds_ca_cert_path: ${{ runner.temp }}/JPLICA.pem | |
TF_VAR_sds_host: ${{ secrets.SDS_HOST }} | |
TF_VAR_sds_username: ${{ secrets.SDS_USERNAME }} | |
TF_VAR_sds_password: ${{ secrets.SDS_PASSWORD }} | |
run: | | |
echo "${{ secrets.JPLICA_CERT }}" >> ${{ runner.temp }}/JPLICA.pem | |
source bin/config.sh ${{ vars.TF_VENUE }} | |
terraform apply -auto-approve |