From 1e1972716ecce18eae73b6ab3f84be7619e07c97 Mon Sep 17 00:00:00 2001
From: Paul Fouquet <pfouquet@linz.govt.nz>
Date: Fri, 23 Feb 2024 11:04:00 +1300
Subject: [PATCH] feat: publish stac to odr bucket TDE-1042

---
 .github/workflows/publish.yml | 58 +++++++++++++++++++++++++++++++----
 1 file changed, 52 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f2108581..b766cb58 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,6 +8,46 @@ jobs:
     runs-on: ubuntu-latest
     concurrency: publish-${{ github.ref }}
 
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - uses: linz/action-typescript@dee99184c4305aea6c380a52db9b2d7abaaa3e78 # v3
+
+      # FIXME: catalog.json is not pushed to the repository (temporary solution)
+      - name: Create STAC Catalog
+        uses: docker://ghcr.io/linz/argo-tasks:v3
+        with:
+          args: stac-catalog --output stac/catalog.json --template template/catalog.json /github/workspace/stac/
+
+      - name: Validate STAC Catalog
+        uses: docker://ghcr.io/linz/argo-tasks:v3
+        with:
+          args: stac-validate /github/workspace/stac/catalog.json
+
+      - name: Validate STAC Collections
+        run: |
+          # Enable double star operator
+          shopt -s globstar
+          docker run -v $PWD:$PWD ghcr.io/linz/argo-tasks:v3 stac-validate $PWD/stac/**/collection.json
+
+      - name: Download actionlint
+        run: docker build --tag actionlint - < .github/workflows/actionlint.dockerfile
+  
+      - name: Run actionlint to check workflow files
+        run: docker run --volume="${PWD}:/repo" --workdir=/repo actionlint -color
+
+  deploy-prod:
+    name: Publish STAC
+    runs-on: ubuntu-latest
+    concurrency: publish-${{ github.ref }}
+    needs: main
+    if: ${{ github.ref == 'refs/heads/master' }}
+
+    environment:
+      name: prod
+
     permissions:
       id-token: write
       contents: read
@@ -30,19 +70,25 @@ jobs:
         run: |
           # Enable double star operator
           shopt -s globstar
-          docker run -v $PWD:$PWD ghcr.io/linz/argo-tasks:v2 stac-validate $PWD/stac/**/collection.json
+          docker run -v "${PWD}:${PWD}" ghcr.io/linz/argo-tasks:v2 stac-validate "$PWD"/stac/**/collection.json
 
       - name: AWS Configure
-        if: github.ref == 'refs/heads/master'
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
+        with:
+          aws-region: ap-southeast-2
+          mask-aws-account-id: true
+          role-to-assume: ${{ secrets.AWS_ODR_CI_ROLE }}
+
+      - name: AWS Configure ODR
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
         with:
           aws-region: ap-southeast-2
           mask-aws-account-id: true
-          role-to-assume: ${{ secrets.AWS_CI_ROLE }}
+          role-to-assume: ${{ secrets.AWS_ODR_DATA_MANAGER_ROLE }}
+          role-chaining: true
 
       # Sync STAC files only on push to 'master'
       - name: Sync STAC
         uses: docker://ghcr.io/linz/argo-tasks:v2
-        if: github.ref == 'refs/heads/master'
         with:
-          args: stac-sync /github/workspace/stac/ s3://linz-elevation/
\ No newline at end of file
+          args: stac-sync /github/workspace/stac/ s3://nz-elevation/