-
Notifications
You must be signed in to change notification settings - Fork 13
153 lines (131 loc) · 5.97 KB
/
pr-review-client-deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
name: Deploy PR Review Client environment
on:
pull_request:
branches:
- develop
- feature/*
types:
- labeled
- opened
- reopened
- synchronize
env:
AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
AWS_REGION: ca-central-1
FUNCTION_NAME: "forms-client-pr"
IMAGE: pr_review
REGISTRY: ${{ vars.STAGING_AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com
ROLE_ARN: arn:aws:iam::${{ vars.STAGING_AWS_ACCOUNT_ID }}:role/forms-lambda-client
COGNITO_APP_CLIENT_ID: ${{secrets.STAGING_COGNITO_APP_CLIENT_ID}}
COGNITO_USER_POOL_ID: ${{ secrets.STAGING_COGNITO_USER_POOL_ID}}
permissions:
id-token: write
contents: read
pull-requests: write
jobs:
run-check:
runs-on: ubuntu-latest
outputs:
has-migrations: ${{ steps.filter.outputs.migrations }}
steps:
- name: path-filter
uses: cds-snc/paths-filter@b316143212d841aed668b7b29240c719d603a9b9 # tag=v2.10.4
id: filter
with:
filters: |
migrations:
- 'prisma/migrations/**'
build-and-push-container:
needs: [run-check]
if: ${{ !contains(github.event.pull_request.labels.*.name, 'Renovate') && needs.run-check.outputs.has-migrations == 'false' }}
runs-on: ubuntu-latest
steps:
- name: Set envs
run: echo "PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")" >> $GITHUB_ENV
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/platform-forms-client-pr-review-env
role-session-name: PRReviewECRPush
aws-region: ${{ env.AWS_REGION }}
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
- name: Build Docker image
run: |
docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.PR_NUMBER }} \
-f Dockerfile.pr \
--build-arg COGNITO_APP_CLIENT_ID=$COGNITO_APP_CLIENT_ID \
--build-arg COGNITO_USER_POOL_ID=$COGNITO_USER_POOL_ID .
- name: Push Docker image to ECR
run: |
docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.PR_NUMBER }}
- name: Delete old images
run: |
IMAGES_TO_DELETE="$(aws ecr list-images --repository-name $IMAGE --filter "tagStatus=UNTAGGED" --query 'imageIds[*]' --output json)"
aws ecr batch-delete-image \
--repository-name $IMAGE \
--image-ids "$IMAGES_TO_DELETE" || true
- name: Logout of Amazon ECR
run: docker logout $REGISTRY
deploy-test-client:
if: ${{ !contains(github.event.pull_request.labels.*.name, 'Renovate') }}
runs-on: ubuntu-latest
needs: build-and-push-container
steps:
- name: Set envs
run: echo "PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")" >> $GITHUB_ENV
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/platform-forms-client-pr-review-env
role-session-name: PRReviewDeploy
aws-region: ${{ env.AWS_REGION }}
- name: Create/Update lambda function
run: |
if aws lambda get-function --function-name $FUNCTION_NAME-$PR_NUMBER > /dev/null 2>&1; then
aws lambda update-function-code \
--function-name $FUNCTION_NAME-$PR_NUMBER \
--image-uri $REGISTRY/$IMAGE:$PR_NUMBER > /dev/null 2>&1
else
aws lambda create-function \
--function-name $FUNCTION_NAME-$PR_NUMBER \
--package-type Image \
--role $ROLE_ARN \
--timeout 15 \
--memory-size 2048 \
--code ImageUri=$REGISTRY/$IMAGE:$PR_NUMBER \
--description "$GITHUB_REPOSITORY/pull/$PR_NUMBER" \
--vpc-config SubnetIds=${{ secrets.PR_REVIEW_ENV_SUBNET_IDS }},SecurityGroupIds=${{ secrets.PR_REVIEW_ENV_SECURITY_GROUP_IDS }} > /dev/null 2>&1
aws lambda wait function-active --function-name $FUNCTION_NAME-$PR_NUMBER
aws lambda add-permission \
--function-name $FUNCTION_NAME-$PR_NUMBER \
--statement-id FunctionURLAllowPublicAccess \
--action lambda:InvokeFunctionUrl \
--principal "*" \
--function-url-auth-type NONE > /dev/null 2>&1
URL="$(aws lambda create-function-url-config --function-name $FUNCTION_NAME-$PR_NUMBER --auth-type NONE | jq .FunctionUrl)"
echo "URL=$URL" >> $GITHUB_ENV
aws lambda update-function-configuration \
--function-name $FUNCTION_NAME-$PR_NUMBER > /dev/null 2>&1
aws logs create-log-group --log-group-name /aws/lambda/$FUNCTION_NAME-$PR_NUMBER > /dev/null 2>&1
aws logs put-retention-policy --log-group-name /aws/lambda/$FUNCTION_NAME-$PR_NUMBER --retention-in-days 14 > /dev/null 2>&1
fi
aws lambda wait function-updated --function-name $FUNCTION_NAME-$PR_NUMBER
aws lambda put-function-concurrency \
--function-name $FUNCTION_NAME-$PR_NUMBER \
--reserved-concurrent-executions 10 > /dev/null 2>&1
- name: Update PR
if: env.URL != ''
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## :test_tube: Review environment\n${process.env.URL.slice(1, -1)}`
})