add permissions to integration test workflow (#120) #73
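name: Deploy to Dev & Staging

on:
  workflow_dispatch:
  push:
    branches: [main]

# Workflow-level permissions are the ceiling for every job below, including the
# reusable workflows that are called (a called workflow cannot exceed the
# caller's grants). Jobs that run directly on a runner narrow these further
# with job-level `permissions` so each job only holds what it uses.
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout
  packages: write # Required for publishing packages/images to gcr
  pull-requests: write # This allows the workflow to comment on PRs

jobs:
  check-changes:
    name: Check Changes
    runs-on: ubuntu-latest
    # This job only reads the repository: no OIDC token, package or PR write
    # access is needed, so it drops the workflow-level grants.
    permissions:
      contents: read
    outputs:
      terraform_changed: ${{ steps.check.outputs.terraform_changed }}
      code_changed: ${{ steps.check.outputs.code_changed }}
      services_with_config_changed: ${{ steps.check.outputs.services_with_config_changed }}
    steps:
      - name: Check-out Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Ensure full checkout (diffing two arbitrary SHAs needs history)
      - name: Check for Terraform & Code Changes
        id: check
        # Event payload values are passed through `env` instead of being
        # interpolated into the script text, so they are never parsed as shell.
        env:
          BASE_SHA: ${{ github.event.before }}
          HEAD_SHA: ${{ github.event.after }}
        run: |
          echo "Processing Push Event"
          # On workflow_dispatch the event has no before/after SHAs; the original
          # script then ran an empty `git diff` and reported no changes. Keep that
          # outcome, but make it explicit instead of relying on empty expansions.
          # NOTE(review): confirm "no changes" is the intended result for manual runs.
          if [ -z "$BASE_SHA" ] || [ -z "$HEAD_SHA" ]; then
            echo "No before/after SHAs in the event payload; treating as no changes."
            : > changed_files.txt
          else
            git diff --name-only "$BASE_SHA" "$HEAD_SHA" > changed_files.txt
          fi
          echo "Changed files:"
          cat changed_files.txt

          echo $'\nChecking for Terraform changes...'
          # Any file under infra/terraform/ counts, except Markdown docs.
          if grep "^infra/terraform/" changed_files.txt | grep -qv "\.md$"; then
            echo "terraform_changed=true" >> "$GITHUB_OUTPUT"
            echo "Matching Terraform files:"
            grep "^infra/terraform/" changed_files.txt | grep -v "\.md$"
          else
            echo "terraform_changed=false" >> "$GITHUB_OUTPUT"
            echo "No matching Terraform files"
          fi

          echo $'\nChecking for Code changes...'
          # Only source/config/lock files under services/ or packages/ count.
          CODE_PATTERN='^(services|packages)/.*\.(py|toml|ya?ml|lock)$'
          if grep -qE "$CODE_PATTERN" changed_files.txt; then
            echo "code_changed=true" >> "$GITHUB_OUTPUT"
            echo "Matching Code files:"
            # List the same set the check matched on, not every file in those trees.
            grep -E "$CODE_PATTERN" changed_files.txt
          else
            echo "code_changed=false" >> "$GITHUB_OUTPUT"
            echo "No matching Code files"
          fi

          echo "Checking for Service Config changes..."
          # Service name is the directory directly under services/; emit a compact
          # JSON array ("[]" when nothing matched) for the deploy jobs to consume.
          services_with_config_changed=$(grep "^services/.*/config/" changed_files.txt | cut -d'/' -f2 | sort -u | jq -R -s -c 'split("\n")[:-1]')
          echo "services_with_config_changed=$services_with_config_changed" >> "$GITHUB_OUTPUT"
      - name: Display check-changes Output
        run: |
          echo "Terraform changed: ${{ steps.check.outputs.terraform_changed }}"
          echo "Code changed: ${{ steps.check.outputs.code_changed }}"
          echo "Services with Config changed: ${{ steps.check.outputs.services_with_config_changed }}"

  deploy-infra:
    name: Deploy Infrastructure
    needs: [check-changes]
    strategy:
      matrix:
        environment: [dev, staging]
    # The reusable workflow inherits the workflow-level permissions above.
    uses: ./.github/workflows/terraform-apply-reusable.yml
    with:
      environment: ${{ matrix.environment }}
      terraform_changed: ${{ needs.check-changes.outputs.terraform_changed }}

  deploy-service-config:
    name: Deploy Service Config
    needs: [check-changes, deploy-infra]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        environment: [dev, staging]
    environment: ${{ matrix.environment }}
    # Needs an OIDC token to assume the AWS role and read access for checkout.
    # NOTE(review): narrowed on the assumption that
    # deploy-service-configuration.sh only talks to AWS; widen if it needs
    # package or PR access through the GitHub token.
    permissions:
      id-token: write
      contents: read
    # The condition is repeated per step rather than set on the job so that the
    # job itself still succeeds (and deploy-services, which `needs` it, still
    # runs) when no service configuration changed.
    steps:
      - name: Check-out Code
        if: needs.check-changes.outputs.services_with_config_changed != '[]'
        uses: actions/checkout@v4
      - name: Configure AWS credentials
        if: needs.check-changes.outputs.services_with_config_changed != '[]'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_GITHUB_ACTIONS_ROLE }}
          role-session-name: GithubWorkflow-ServiceConfigDeployment-${{ matrix.environment }}
          aws-region: ${{ vars.AWS_PRIMARY_REGION }}
          role-duration-seconds: 900
          role-skip-session-tagging: true
      - name: Deploy Service Configurations
        if: needs.check-changes.outputs.services_with_config_changed != '[]'
        # Job outputs and variables are handed to the script via `env` so their
        # content is never substituted into the shell source.
        env:
          SERVICES_JSON: ${{ needs.check-changes.outputs.services_with_config_changed }}
          STAGE: ${{ matrix.environment }}
          REGION: ${{ vars.AWS_PRIMARY_REGION }}
        run: |
          # Turn the JSON array from check-changes into a bash array.
          mapfile -t services < <(jq -r '.[]' <<< "$SERVICES_JSON")
          chmod +x .github/scripts/deploy-service-configuration.sh
          for service in "${services[@]}"; do
            echo "Deploying configuration for service: $service"
            if ! .github/scripts/deploy-service-configuration.sh --service-name "$service" --stage "$STAGE" --region "$REGION" --platform AWS; then
              echo "Error: Failed to deploy configuration for service $service on environment $STAGE in region $REGION. Aborting."
              # `return` is only valid inside a function or sourced script;
              # `exit` is what actually fails the step.
              exit 1
            fi
          done
          echo "Services' configuration deployment completed successfully!"

  deploy-services:
    name: Deploy Services
    needs: [check-changes, deploy-service-config]
    if: needs.check-changes.outputs.code_changed == 'true'
    strategy:
      matrix:
        environment: [dev, staging]
    # The reusable workflow inherits the workflow-level permissions above.
    uses: ./.github/workflows/deploy-services-reusable.yml
    with:
      environment: ${{ matrix.environment }}

  # Previous inline implementation of deploy-services, superseded by the
  # reusable workflow call above; kept for reference.
  # deploy-services:
  #   runs-on: ubuntu-latest
  #   needs: [check-changes, deploy-service-config]
  #   if: needs.check-changes.outputs.code_changed == 'true'
  #   strategy:
  #     matrix:
  #       environment: [dev, staging]
  #   environment: ${{ matrix.environment }}
  #   steps:
  #     - name: Check-out Code
  #       uses: actions/checkout@v4
  #       with:
  #         fetch-depth: 0 # Ensure full checkout
  #     - name: Configure AWS credentials
  #       id: aws-creds
  #       uses: aws-actions/configure-aws-credentials@v4
  #       with:
  #         role-to-assume: ${{ vars.AWS_GITHUB_ACTIONS_ROLE }}
  #         role-session-name: GithubWorkflow-Deployment-dev-staging
  #         aws-region: ${{ vars.AWS_PRIMARY_REGION }}
  #         output-credentials: true
  #     - name: Set-up Devcontainer Environment Variables
  #       run: |
  #         echo "PWD=${GITHUB_WORKSPACE}" >> $GITHUB_ENV
  #         cp .devcontainer/.env.ci .devcontainer/.env
  #         echo ".devcontainer/.env:"
  #         cat .devcontainer/.env
  #     - name: Deploy Services to ${{ matrix.environment }}
  #       uses: devcontainers/[email protected]
  #       env:
  #         GH_ACTIONS_PAT: ${{ secrets.GH_ACTIONS_PAT }}
  #       with:
  #         cacheFrom: ghcr.io/limorl/monorepo-python-sample-devcontainer
  #         push: never
  #         env: |
  #           AWS_REGION=${{ vars.AWS_PRIMARY_REGION }}
  #           AWS_ACCOUNT_ID=${{ vars.AWS_ACCOUNT_ID }}
  #           AWS_PRIMARY_REGION=${{ vars.AWS_PRIMARY_REGION }}
  #           AWS_GITHUB_ACTIONS_ROLE=${{ vars.AWS_GITHUB_ACTIONS_ROLE }}
  #           ENV=${{ matrix.environment }}
  #         runCmd: |
  #           echo $"\nVerifying AWS credentials..."
  #           if ! aws sts get-caller-identity; then
  #             echo "AWS authentication failed. Debug info:"
  #             aws sts get-caller-identity --debug
  #             exit 1
  #           fi
  #           echo "Successfully authenticated with AWS"
  #           if [ -z "$AWS_ACCOUNT_ID" ] || [ -z "$AWS_PRIMARY_REGION" ] || [ -z "$AWS_GITHUB_ACTIONS_ROLE" ]; then
  #             echo "Failed to retrieve necessary AWS variables for $ENV environment"
  #             return 1
  #           fi
  #           echo $"\nDeploying to $ENV environment..."
  #           chmod +x .github/scripts/sam-build-and-deploy-services.sh
  #           chmod +x .github/scripts/deploy-service-configuration.sh
  #           if ! .github/scripts/sam-build-and-deploy-services.sh $ENV $AWS_ACCOUNT_ID $AWS_PRIMARY_REGION false ; then
  #             echo "Deployment failed for $ENV environment"
  #             return 1
  #           fi
  #           echo "Deployment completed successfully for $ENV environment"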