feat: publish stac to odr bucket TDE-1042 (#115)

#### Motivation In order to continuously publish data in the ODR bucket nz-elevation, the publish workflow needs to be updated to point to nz-elevation rather than the current bucket linz-elevation. #### Modification The publish workflow has been duplicated from https://github.com/linz/imagery/blob/7c55691c40e0b6b7d0d578c9fed2e9f7f7ce9b36/.github/workflows/publish.yml GH environment prod has been created along with secrets. This change should not be deployed before the elevation data has been re-processed into the linz-elevation bucket. --------- Co-authored-by: Alice Fage <[email protected]>
linz · Mar 5, 2024 · 4685bda · 4685bda
1 parent 0328dae
commit 4685bda
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 21 deletions.
diff --git a/.github/workflows/actionlint.dockerfile b/.github/workflows/actionlint.dockerfile
@@ -0,0 +1,4 @@
+# Workaround for https://github.com/dependabot/dependabot-core/issues/8362.
+# Once that is fixed, remove this file and replace the Docker build and run
+# lines in `.github/workflows/*.yml` with a `uses: docker://rhysd/…` line.
+FROM rhysd/actionlint:1.6.26@sha256:2362769b1d75056da70e7af1b12d9e52746f3a123b8f22a4322869e8f2cd45f2
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -16,33 +16,78 @@ jobs:
       - uses: linz/action-typescript@dee99184c4305aea6c380a52db9b2d7abaaa3e78 # v3
 
       # FIXME: catalog.json is not pushed to the repository (temporary solution)
-      # - name: Create STAC Catalog
-      #   uses: docker://ghcr.io/linz/argo-tasks:v2
-      #   with:
-      #     args: stac-catalog --output stac/catalog.json --template template/catalog.json /github/workspace/stac/
+      - name: Create STAC Catalog
+        uses: docker://ghcr.io/linz/argo-tasks:v3
+        with:
+          args: stac-catalog --output stac/catalog.json --template template/catalog.json /github/workspace/stac/
 
-      # - name: Validate STAC Catalog
-      #   uses: docker://ghcr.io/linz/argo-tasks:v2
-      #   with:
-      #     args: stac-validate /github/workspace/stac/catalog.json
+      - name: Validate STAC Catalog
+        uses: docker://ghcr.io/linz/argo-tasks:v3
+        with:
+          args: stac-validate /github/workspace/stac/catalog.json
 
       - name: Validate STAC Collections
         run: |
           # Enable double star operator
           shopt -s globstar
-          docker run -v $PWD:$PWD ghcr.io/linz/argo-tasks:v2 stac-validate $PWD/stac/**/collection.json
+          docker run -v "$PWD:$PWD" ghcr.io/linz/argo-tasks:v3 stac-validate "$PWD"/stac/**/collection.json
+
+      - name: Download actionlint
+        run: docker build --tag actionlint - < .github/workflows/actionlint.dockerfile
+
+      - name: Run actionlint to check workflow files
+        run: docker run --volume="${PWD}:/repo" --workdir=/repo actionlint -color
+
+  deploy-prod:
+    name: Publish STAC
+    runs-on: ubuntu-latest
+    concurrency: publish-${{ github.ref }}
+    needs: main
+    if: ${{ github.ref == 'refs/heads/master' }}
+
+    environment:
+      name: prod
+
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - uses: linz/action-typescript@dee99184c4305aea6c380a52db9b2d7abaaa3e78 # v3
+
+      # FIXME: catalog.json is not pushed to the repository (temporary solution)
+      - name: Create STAC Catalog
+        uses: docker://ghcr.io/linz/argo-tasks:v2
+        with:
+          args: stac-catalog --output stac/catalog.json --template template/catalog.json /github/workspace/stac/
+
+      - name: Validate STAC Catalog
+        uses: docker://ghcr.io/linz/argo-tasks:v2
+        with:
+          args: stac-validate /github/workspace/stac/catalog.json
+
+      - name: Validate STAC Collections
+        run: |
+          # Enable double star operator
+          shopt -s globstar
+          docker run -v "${PWD}:${PWD}" ghcr.io/linz/argo-tasks:v2 stac-validate "$PWD"/stac/**/collection.json
 
       - name: AWS Configure
-        if: github.ref == 'refs/heads/master'
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
         with:
           aws-region: ap-southeast-2
           mask-aws-account-id: true
-          role-to-assume: ${{ secrets.AWS_CI_ROLE }}
-
-      # Sync STAC files only on push to 'master'
-      # - name: Sync STAC
-      #   uses: docker://ghcr.io/linz/argo-tasks:v2
-      #   if: github.ref == 'refs/heads/master'
-      #   with:
-      #     args: stac-sync /github/workspace/stac/ s3://linz-elevation/
+          role-to-assume: ${{ secrets.AWS_ODR_CI_ROLE }}
+
+      - name: AWS Configure ODR
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
+        with:
+          aws-region: ap-southeast-2
+          mask-aws-account-id: true
+          role-to-assume: ${{ secrets.AWS_ODR_DATA_MANAGER_ROLE }}
+          role-chaining: true
+
+      - name: Sync STAC
+        uses: docker://ghcr.io/linz/argo-tasks:v2
+        with:
+          args: stac-sync /github/workspace/stac/ s3://nz-elevation/
diff --git a/docs/tiff-compression/README.md b/docs/tiff-compression/README.md
@@ -2,7 +2,7 @@
 
 ## TLDR
 
-Toitū Te Whenua has decided to store all its DEM and DSM as `lerc` Cloud Optimized GeoTIFFs in `s3://linz-elevation`
+Toitū Te Whenua has decided to store all its DEM and DSM as `lerc` Cloud Optimized GeoTIFFs in `s3://nz-elevation`
 
 ## Background
 
@@ -165,4 +165,4 @@ echo 'export LD_LIBRARY_PATH=/usr/local/lib' >> ~/.bashrc
 GDAL_DATA="/usr/local/share/gdal"
 sudo ldconfig
 
-```
+```