kms policies attachment to lambda (#204) #160

Workflow file for this run

.github/workflows/cicd-2-publish.yaml at bdcdaee

	# Description: Deploys merged code to the dev environment.
	# Triggered on push to main. Tags the commit with a dev-<timestamp> label.
	# Does not create GitHub Releases or production tags (v1.x.x).

	name: "CI/CD publish"

	on:
	push:
	branches:
	- main

	concurrency:
	group: terraform-dev
	cancel-in-progress: false

	jobs:
	metadata:
	name: "Set CI/CD metadata"
	runs-on: ubuntu-latest
	timeout-minutes: 1
	outputs:
	build_datetime: ${{ steps.variables.outputs.build_datetime }}
	build_timestamp: ${{ steps.variables.outputs.build_timestamp }}
	build_epoch: ${{ steps.variables.outputs.build_epoch }}
	nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
	python_version: ${{ steps.variables.outputs.python_version }}
	terraform_version: ${{ steps.variables.outputs.terraform_version }}
	version: ${{ steps.variables.outputs.version }}
	steps:
	- name: "Checkout code"
	uses: actions/checkout@v4

	- name: "Set CI/CD variables"
	id: variables
	run: \|
	datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
	echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
	echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
	echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
	echo "nodejs_version=$(grep "^nodejs" .tool-versions \| cut -f2 -d' ')" >> $GITHUB_OUTPUT
	echo "python_version=$(grep "^nodejs" .tool-versions \| cut -f2 -d' ')" >> $GITHUB_OUTPUT
	echo "terraform_version=$(grep "^terraform" .tool-versions \| cut -f2 -d' ')" >> $GITHUB_OUTPUT
	echo "version=dev-$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT

	- name: "List variables"
	run: \|
	echo "Deploying to: DEV"
	echo "VERSION=${{ steps.variables.outputs.version }}"

	publish:
	name: "Publish to dev"
	runs-on: ubuntu-latest
	needs: [metadata]
	timeout-minutes: 10
	environment: "dev"
	permissions:
	id-token: write
	contents: write
	steps:
	- name: "Setup Terraform"
	uses: hashicorp/setup-terraform@v3
	with:
	terraform_version: ${{ needs.metadata.outputs.terraform_version }}

	- name: "Set up Python"
	uses: actions/setup-python@v5
	with:
	python-version: '3.13'

	- name: "Checkout Repository"
	uses: actions/checkout@v4

	- name: "Build lambda artefact"
	run: \|
	make dependencies install-python
	make build

	- name: "Upload lambda artefact"
	uses: actions/upload-artifact@v4
	with:
	name: lambda
	path: dist/lambda.zip

	- name: "Download Built Lambdas"
	uses: actions/download-artifact@v4
	with:
	name: lambda
	path: ./build

	- name: "Configure AWS Credentials"
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
	aws-region: eu-west-2

	- name: "Terraform Plan Stacks"
	env:
	ENVIRONMENT: dev
	WORKSPACE: "default"
	TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
	TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
	TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}

	# just planning for now for safety and until review
	run: \|
	mkdir -p ./build
	echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
	make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
	echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
	make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
	working-directory: ./infrastructure

	- name: "Tag the dev deployment"
	run: \|
	git config user.name "github-actions"
	git config user.email "[email protected]"
	git tag ${{ needs.metadata.outputs.version }}
	git push origin ${{ needs.metadata.outputs.version }}

	# --- Keeping these just in case: Uncomment to release to GitHub ---
	# - name: "Create release"
	# id: create_release
	# uses: actions/create-release@v1
	# env:
	# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	# with:
	# tag_name: ${{ needs.metadata.outputs.version }}
	# release_name: Release ${{ needs.metadata.outputs.version }}
	# body: \|
	# Release of ${{ needs.metadata.outputs.version }}
	# draft: false
	# prerelease: true

	# - name: "Upload release asset"
	# uses: actions/upload-release-asset@v1
	# env:
	# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	# with:
	# upload_url: "${{ steps.create_release.outputs.upload_url }}"
	# asset_path: ./build/lambda.zip
	# asset_name: lambda-${{ needs.metadata.outputs.version }}.zip
	# asset_content_type: application/zip
	- name: "Notify Slack on PR merge"
	uses: slackapi/[email protected]
	with:
	webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
	webhook-type: webhook-trigger
	payload: \|
	status: "${{ job.status }}"
	link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}"
	Author: "${{ github.actor }}"
	title: "Pushed to main"
	version: "${{ needs.metadata.outputs.version }}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

kms policies attachment to lambda (#204) #160

Workflow file

kms policies attachment to lambda (#204) #160

Uh oh!

Workflow file for this run