
modify base deploy to reuse lambda artifact #3

modify base deploy to reuse lambda artifact



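name: Base Deploy

# Reusable deployment workflow.  The caller supplies the target environment
# and the ref to deploy.  The Lambda artifact built by the previous stage is
# fetched from that stage's S3 bucket and re-used (download-lambda-artifact),
# then the infrastructure is applied and the artifact is copied to the target
# stage's bucket (deploy).
#
# NOTE(review): every third-party action is pinned to a major-version tag
# (@v3/@v4/@v5).  Tags are mutable; pinning to full commit SHAs is the
# stronger supply-chain control for a workflow that holds deploy credentials.
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      environment:
        description: "Target environment (preprod | prod)"
        required: true
        type: string
      ref:
        description: "Git ref to deploy (branch/tag/SHA). For prod, supply the RC tag to promote."
        required: true
        type: string
      release_type:
        description: "Version bump for base version (preprod only: patch|minor|major)"
        required: false
        default: "patch"
        type: string
    # No secrets are declared, yet the jobs below read secrets.AWS_ACCOUNT_ID,
    # secrets.API_* and secrets.SPLUNK_*.  Callers therefore have to pass
    # `secrets: inherit` — confirm against the calling workflows.
    secrets: {}

jobs:
  metadata:
    name: "Set CI/CD metadata"
    runs-on: ubuntu-latest
    timeout-minutes: 2
    outputs:
      build_datetime: ${{ steps.variables.outputs.build_datetime }}
      build_timestamp: ${{ steps.variables.outputs.build_timestamp }}
      build_epoch: ${{ steps.variables.outputs.build_epoch }}
      nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
      python_version: ${{ steps.variables.outputs.python_version }}
      terraform_version: ${{ steps.variables.outputs.terraform_version }}
      ref: ${{ steps.variables.outputs.ref }}
      environment: ${{ steps.variables.outputs.environment }}
      tag: ${{ steps.tag.outputs.name }}
    steps:
      - name: "Checkout ref"
        uses: actions/checkout@v5
        with:
          ref: ${{ inputs.ref }}
          fetch-depth: 0  # get full history + tags
      - name: "Set CI/CD variables"
        id: variables
        shell: bash
        env:
          # Caller-controlled inputs are handed to the script through env
          # rather than interpolated into its text, so shell metacharacters in
          # a ref or environment name are treated as data, never as commands.
          INPUT_REF: ${{ inputs.ref }}
          INPUT_ENVIRONMENT: ${{ inputs.environment }}
        run: |
          set -euo pipefail
          datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
          {
            echo "build_datetime=$datetime"
            echo "build_timestamp=$(date --date="$datetime" -u +'%Y%m%d%H%M%S')"
            echo "build_epoch=$(date --date="$datetime" -u +'%s')"
            # Tool versions are read from .tool-versions; a missing entry yields "".
            echo "nodejs_version=$(grep -E '^nodejs' .tool-versions 2>/dev/null | cut -d' ' -f2 | head -n1)"
            echo "python_version=$(grep -E '^python' .tool-versions 2>/dev/null | cut -d' ' -f2 | head -n1)"
            echo "terraform_version=$(grep -E '^terraform' .tool-versions 2>/dev/null | cut -d' ' -f2 | head -n1)"
            echo "ref=$INPUT_REF"
            echo "environment=$INPUT_ENVIRONMENT"
          } >> "$GITHUB_OUTPUT"
      - name: "List variables"
        shell: bash
        env:
          BUILD_DATETIME: ${{ steps.variables.outputs.build_datetime }}
          BUILD_TIMESTAMP: ${{ steps.variables.outputs.build_timestamp }}
          BUILD_EPOCH: ${{ steps.variables.outputs.build_epoch }}
          NODEJS_VERSION: ${{ steps.variables.outputs.nodejs_version }}
          PYTHON_VERSION: ${{ steps.variables.outputs.python_version }}
          TERRAFORM_VERSION: ${{ steps.variables.outputs.terraform_version }}
          REF: ${{ steps.variables.outputs.ref }}
          ENVIRONMENT: ${{ steps.variables.outputs.environment }}
        run: |
          echo "build_datetime=$BUILD_DATETIME"
          echo "build_timestamp=$BUILD_TIMESTAMP"
          echo "build_epoch=$BUILD_EPOCH"
          echo "nodejs_version=$NODEJS_VERSION"
          echo "python_version=$PYTHON_VERSION"
          echo "terraform_version=$TERRAFORM_VERSION"
          echo "ref=$REF"
          echo "environment=$ENVIRONMENT"
      - name: "Resolve the dev-* tag for this commit"
        id: tag
        shell: bash
        env:
          # NOTE(review): this reads the *caller's* event payload.  It is only
          # populated when the calling workflow was triggered by workflow_run,
          # and it is not necessarily the commit that inputs.ref (checked out
          # above) resolves to — confirm the two are meant to coincide.
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          set -euo pipefail
          git fetch --tags --force
          if [ -z "$HEAD_SHA" ]; then
            echo "github.event.workflow_run.head_sha is empty; cannot resolve a dev-* tag" >&2
            exit 1
          fi
          # `|| true` keeps an empty grep result from aborting under pipefail;
          # the explicit check below is what decides the outcome.
          TAG=$(git tag --points-at "$HEAD_SHA" | grep '^dev-' | head -n1 || true)
          if [ -z "$TAG" ]; then
            echo "No dev-* tag found on $HEAD_SHA" >&2
            exit 1
          fi
          echo "name=$TAG" >> "$GITHUB_OUTPUT"
          echo "Resolved tag: $TAG"

  download-lambda-artifact:
    name: "Fetch the lambda artifact from previous stage"
    runs-on: ubuntu-latest
    needs: [metadata]
    timeout-minutes: 45
    permissions:
      id-token: write  # OIDC token for assuming the AWS role
      contents: read   # read-only: this job checks out and downloads, it never pushes
    env:
      # The artifact is read from the bucket of the stage that precedes the
      # target: preprod <- test, prod <- preprod.  'preprod' is tested first
      # because it also contains the substring 'prod'.  A folded block scalar
      # keeps the expression readable while handing the parser one scalar; the
      # multi-line plain scalar it replaces was rejected as invalid YAML when
      # the workflow was validated.
      PROMOTED_ENV: >-
        ${{ contains(needs.metadata.outputs.environment, 'preprod') && 'test' ||
            contains(needs.metadata.outputs.environment, 'prod') && 'preprod' ||
            needs.metadata.outputs.environment }}
    # The `env` context is not available on jobs.<job_id>.environment, so the
    # same expression is written out again here with the `needs` context.
    environment: >-
      ${{ contains(needs.metadata.outputs.environment, 'preprod') && 'test' ||
          contains(needs.metadata.outputs.environment, 'prod') && 'preprod' ||
          needs.metadata.outputs.environment }}
    steps:
      - name: "Checkout repository at ref"
        uses: actions/checkout@v5
        with:
          ref: ${{ needs.metadata.outputs.ref }}
          fetch-depth: 0
      - name: "Setup Terraform"
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ needs.metadata.outputs.terraform_version }}
          # The bucket name is captured with $(terraform output -raw …); the
          # action's wrapper script gets in the way of that capture.
          terraform_wrapper: false
      - name: "Configure AWS Credentials"
        # Required by `aws s3 cp` below and, when the state is remote, by
        # `terraform output`.  Account and role resolve against the
        # promoted-from environment selected above.
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
          aws-region: eu-west-2
      - name: "Extract S3 bucket name from Terraform output"
        id: tf_output
        shell: bash
        working-directory: ./infrastructure/stacks/api-layer
        # NOTE(review): `terraform output` needs an initialised working
        # directory.  The deploy job gets there via `make terraform … apply`,
        # but no init step is visible here — confirm how the Makefile does it.
        run: |
          set -euo pipefail
          BUCKET=$(terraform output -raw lambda_artifact_bucket)
          echo "bucket_name=$BUCKET" >> "$GITHUB_OUTPUT"
      - name: "Download lambda artifact from S3"
        shell: bash
        env:
          # Bucket name and tag go through env so they are never spliced into
          # the script text.
          BUCKET_NAME: ${{ steps.tf_output.outputs.bucket_name }}
          ARTIFACT_TAG: ${{ needs.metadata.outputs.tag }}
        run: |
          set -euo pipefail
          mkdir -p ./build
          aws s3 cp \
            "s3://${BUCKET_NAME}/artifacts/${ARTIFACT_TAG}/lambda.zip" \
            ./build/lambda.zip \
            --region eu-west-2
      - name: "Upload lambda artifact for the current workflow"
        uses: actions/upload-artifact@v4
        with:
          name: lambda-${{ needs.metadata.outputs.tag }}
          path: ./build/lambda.zip

  deploy:
    name: "Deploy to ${{ needs.metadata.outputs.environment }}"
    runs-on: ubuntu-latest
    # download-lambda-artifact has to finish first: the "Download Lambda
    # Artifact" step below consumes the workflow artifact that job uploads.
    needs: [metadata, download-lambda-artifact]
    timeout-minutes: 45
    permissions:
      id-token: write  # OIDC token for assuming the AWS role
      contents: write  # presumably for tag_and_release.py pushing tags — confirm
    environment: ${{ needs.metadata.outputs.environment }}
    steps:
      - name: "Checkout repository at ref"
        uses: actions/checkout@v5
        with:
          ref: ${{ needs.metadata.outputs.ref }}
          fetch-depth: 0
      - name: "Setup Terraform"
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ needs.metadata.outputs.terraform_version }}
          # The bucket name is captured with $(terraform output -raw …); the
          # action's wrapper script gets in the way of that capture.
          terraform_wrapper: false
      - name: "Download Lambda Artifact"
        uses: actions/download-artifact@v5
        with:
          name: lambda-${{ needs.metadata.outputs.tag }}
          path: ./build  # yields ./build/lambda.zip at the repository root
      - name: "Configure AWS Credentials"
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
          aws-region: eu-west-2
      - name: "Terraform Apply"
        env:
          ENVIRONMENT: ${{ needs.metadata.outputs.environment }}
          WORKSPACE: "default"
          TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
          TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
          TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
        working-directory: ./infrastructure
        shell: bash
        run: |
          set -euo pipefail
          # NOTE(review): relative to working-directory this creates
          # ./infrastructure/build, whereas the artifact was downloaded to
          # ./build at the repository root — confirm which path the stacks read.
          mkdir -p ./build
          # Networking first, then the API layer that depends on it.
          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
      - name: "Extract S3 bucket name from Terraform output"
        id: tf_output
        shell: bash
        working-directory: ./infrastructure/stacks/api-layer
        run: |
          set -euo pipefail
          BUCKET=$(terraform output -raw lambda_artifact_bucket)
          echo "bucket_name=$BUCKET" >> "$GITHUB_OUTPUT"
      - name: "Upload lambda artifact to S3"
        # Promotes the artifact into the *target* stage's bucket under the same
        # tag-keyed path it was fetched from in the previous stage.
        shell: bash
        env:
          BUCKET_NAME: ${{ steps.tf_output.outputs.bucket_name }}
          ARTIFACT_TAG: ${{ needs.metadata.outputs.tag }}
        run: |
          set -euo pipefail
          aws s3 cp ./build/lambda.zip \
            "s3://${BUCKET_NAME}/artifacts/${ARTIFACT_TAG}/lambda.zip" \
            --region eu-west-2
      - name: "Validate Feature Toggles"
        env:
          ENV: ${{ needs.metadata.outputs.environment }}
        # NOTE(review): boto3 is installed unpinned from the index at run time and
        # no setup-python step is visible; pin the version (or install from the
        # project's lock file) so the validator runs against a known dependency.
        run: |
          pip install boto3
          python scripts/feature_toggle/validate_toggles.py
      - name: "Tag and Release"
        if: ${{ needs.metadata.outputs.environment == 'preprod' || needs.metadata.outputs.environment == 'prod' }}
        env:
          ENVIRONMENT: ${{ needs.metadata.outputs.environment }}
          REF: ${{ needs.metadata.outputs.ref }}
          INPUT_RELEASE_TYPE: ${{ inputs.release_type }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
        # NOTE(review): no step installs poetry or the project before this runs
        # — confirm it is present on the runner image used.
        run: poetry run python scripts/workflow/tag_and_release.py

  regression-tests:
    name: "Regression Tests"
    if: ${{ needs.metadata.outputs.environment == 'preprod' }}
    # `needs.metadata` is only populated when metadata is a direct dependency;
    # with `needs: deploy` alone the condition above could never be true.
    needs: [metadata, deploy]
    uses: ./.github/workflows/regression-tests.yml
    with:
      ENVIRONMENT: "preprod"
      VERSION_NUMBER: "main"
    secrets: inherit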