3. CD | Deploy to Test #2
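---
# 3. CD | Deploy to Test
#
# Promotes the exact commit that "2. CD | Deploy to Dev" just deployed into the
# TEST environment. It is a workflow_run workflow, so it executes on the default
# branch with access to repository secrets once the dev deployment completes.
#
# Trust boundary: everything deployed here is resolved from the triggering
# run's head_sha. The `if:` guard on the `metadata` job is the only thing that
# keeps an unexpected run (failed dev deploy, non-main branch, fork) from being
# promoted, and both later jobs depend on `metadata`, so a skipped guard skips
# the deploy. Keep the guard in sync with the triggering workflow's own trigger.
#
# Supply chain: every action below is referenced by a version tag. Tags can be
# moved; pin actions — the third-party softprops/turnstyle in particular — to a
# full commit SHA.
name: "3. CD | Deploy to Test"

# yamllint disable-line rule:truthy
on:
  workflow_run:
    workflows: ["2. CD | Deploy to Dev"]
    types: [completed]

# Workflow-level token scope. A job-level `permissions:` block REPLACES this
# (any scope it does not list becomes none), so jobs that declare their own
# block must repeat everything they need.
permissions:
  contents: read
  id-token: write
  actions: read

jobs:
  metadata:
    name: "Resolve metadata from triggering run"
    runs-on: ubuntu-latest
    # Only continue when the triggering run succeeded, built the main branch,
    # and ran in this repository. The head_repository check stops a PR build
    # from a fork whose branch happens to be named "main" from passing the
    # head_branch test. (If the triggering workflow is itself only ever a push
    # workflow, `github.event.workflow_run.event == 'push'` could be added too;
    # not done here because the upstream trigger is not visible in this file.)
    if: >
      ${{
        github.event.workflow_run.conclusion == 'success' &&
        github.event.workflow_run.head_branch == 'main' &&
        github.event.workflow_run.head_repository.full_name == github.repository
      }}
    outputs:
      terraform_version: ${{ steps.vars.outputs.terraform_version }}
      tag: ${{ steps.tag.outputs.name }}
    steps:
      - name: "Checkout exact commit from CI/CD publish"
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: "Set CI/CD variables"
        id: vars
        # Reads the pinned Terraform version from .tool-versions. Match the
        # exact tool name so that e.g. a `terraform-docs` entry is not picked
        # up, and refuse to continue with an empty version: setup-terraform
        # would otherwise install whatever it defaults to.
        run: |
          set -euo pipefail
          TF_VERSION="$(awk '$1 == "terraform" {print $2; exit}' .tool-versions)"
          if [ -z "$TF_VERSION" ]; then
            echo "No terraform entry found in .tool-versions" >&2
            exit 1
          fi
          echo "terraform_version=$TF_VERSION" >> "$GITHUB_OUTPUT"

      - name: "Resolve the dev-* tag for this commit"
        id: tag
        # The tag name is only echoed by the deploy job for traceability; the
        # deploy itself checks out head_sha, never the tag. Keep it that way —
        # tags are unsigned and can be moved, so they are not a trustworthy
        # pointer to what should be deployed.
        env:
          # Passed through env rather than interpolated into the script
          # (expression-injection hygiene; the value is a commit SHA).
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          set -euo pipefail
          git fetch --tags --force
          TAG=$(git tag --points-at "$HEAD_SHA" | grep '^dev-' | head -n1 || true)
          if [ -z "$TAG" ]; then
            echo "No dev-* tag found on $HEAD_SHA" >&2
            exit 1
          fi
          echo "name=$TAG" >> "$GITHUB_OUTPUT"
          echo "Resolved tag: $TAG"

  deploy:
    name: "Deploy to TEST (approval required)"
    runs-on: ubuntu-latest
    needs: [metadata]
    # The approval gate lives on the `test` environment (required reviewers),
    # not in this file. Environment approval happens before the job starts,
    # so waiting for it does not consume timeout-minutes.
    environment: test
    # 10080 minutes = 7 days, the maximum GitHub allows. Only the deploy-lock
    # wait and the apply itself run under this clock; consider tightening.
    timeout-minutes: 10080
    # Job-level block: replaces the workflow-level permissions entirely, so
    # every scope this job needs is listed here.
    permissions:
      id-token: write
      contents: read
      # softprops/turnstyle looks up in-progress runs of this workflow through
      # the Actions API to implement the lock; that call needs actions: read,
      # which the original job-level block had dropped.
      actions: read
    steps:
      # Serialise TEST deployments so two runs cannot apply Terraform at once.
      - name: "Acquire deploy lock"
        uses: softprops/turnstyle@v2
        with:
          poll-interval-seconds: 10

      - name: "Checkout same commit"
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
          # Do not leave the GITHUB_TOKEN in .git/config where the repo's own
          # `make build` / `make terraform` targets could read it. No submodules
          # are checked out here; if those make targets need to fetch from
          # GitHub over git, drop this line.
          persist-credentials: false

      - name: "Setup Terraform"
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ needs.metadata.outputs.terraform_version }}

      - name: "Set up Python"
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      # OIDC federation (id-token: write) — no long-lived AWS keys in secrets.
      - name: "Configure AWS Credentials"
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
          aws-region: eu-west-2

      # The artefact is rebuilt from source in this job rather than promoted
      # from the dev run; the commit is the same, but the build is not
      # byte-for-byte guaranteed to be.
      - name: "Build lambda artefact (rebuild in TEST)"
        run: |
          make dependencies install-python
          make build

      - name: "Terraform Apply (TEST)"
        env:
          ENVIRONMENT: test
          WORKSPACE: "default"
          # Env, not interpolation: a tag name is repository content and may
          # legally contain shell metacharacters such as `;` or `$`.
          DEPLOY_TAG: ${{ needs.metadata.outputs.tag }}
          # Certificates and tokens reach Terraform as TF_VAR_* inputs; the
          # corresponding variables are expected to be declared
          # `sensitive = true` on the Terraform side so they stay out of plan
          # and apply output — verify in ./infrastructure.
          TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
          TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
          TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
        run: |
          set -euo pipefail
          mkdir -p ./build
          echo "Deploying tag: $DEPLOY_TAG"
          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
          make terraform env="$ENVIRONMENT" stack=networking tf-command=apply workspace="$WORKSPACE"
          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
          make terraform env="$ENVIRONMENT" stack=api-layer tf-command=apply workspace="$WORKSPACE"
        working-directory: ./infrastructure

  regression-tests:
    name: "Regression Tests"
    needs: deploy
    uses: ./.github/workflows/regression-tests.yml
    with:
      ENVIRONMENT: "test"
      # NOTE(review): this targets "main" rather than the commit that was just
      # deployed (github.event.workflow_run.head_sha). If the reusable workflow
      # accepts a SHA, pass that so the tests exercise the deployed artefact.
      VERSION_NUMBER: "main"
    # Forwards every repository/organisation secret to the reusable workflow,
    # including the deployment certificates above. Prefer an explicit
    # `secrets:` map listing only what regression-tests.yml actually needs.
    secrets: inherit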