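---
# Promotes the commit that the "2. CD | Deploy to Dev" workflow just deployed
# into the TEST environment. It is chained off that workflow's completion,
# gated on the `test` environment's approval rule, and only runs when the dev
# deploy succeeded.
#
# Third-party actions below are referenced by mutable tags (@v3, @v5). Pinning
# each `uses:` to a full commit SHA is the usual supply-chain hardening; the
# SHAs are not recorded in this file, so the tags are left as-is here.
name: "3. CD | Deploy to Test"

# yamllint disable-line rule:truthy
on:
  workflow_run:
    workflows: ["2. CD | Deploy to Dev"]
    types: [completed]

# Workflow-level defaults. A job-level `permissions` block replaces this block
# entirely, so a job that declares its own must restate everything it needs.
permissions:
  contents: read
  id-token: write
  actions: read

jobs:
  metadata:
    name: "Resolve metadata from triggering run"
    runs-on: ubuntu-latest
    # Only promote a successful dev deploy, and only when the triggering run's
    # head commit belongs to this repository: that head_sha is checked out and
    # deployed below, so it must not come from anywhere else.
    if: >-
      ${{ github.event.workflow_run.conclusion == 'success'
          && github.event.workflow_run.head_repository.full_name == github.repository }}
    outputs:
      terraform_version: ${{ steps.vars.outputs.terraform_version }}
      tag: ${{ steps.tag.outputs.name }}
    steps:
      - name: "Checkout exact commit from CI/CD publish"
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: "Set CI/CD variables"
        id: vars
        # The `terraform <version>` line of .tool-versions; field 2 is the version.
        run: |
          echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> "$GITHUB_OUTPUT"

      - name: "Resolve the dev-* tag for this commit"
        id: tag
        # Expression values are handed to the script through `env` instead of
        # being interpolated into the shell text, so the shell only ever sees
        # a quoted variable.
        env:
          SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          git fetch --tags --force
          # `|| true` stops pipefail aborting the step when no tag matches;
          # the explicit check below reports that case with a clear message.
          TAG=$(git tag --points-at "$SHA" | grep '^dev-' | head -n1 || true)
          if [ -z "$TAG" ]; then
            echo "No dev-* tag found on $SHA" >&2
            exit 1
          fi
          echo "name=$TAG" >> "$GITHUB_OUTPUT"
          echo "Resolved tag: $TAG"

  deploy:
    name: "Deploy to TEST (approval required)"
    runs-on: ubuntu-latest
    needs: [metadata]
    # The `test` environment carries the reviewer/approval rule that gates this job.
    environment: test
    # 7 days. Presumably sized to cover the approval wait; confirm whether
    # pending-approval time counts toward this limit, otherwise a far shorter
    # value is enough for the apply itself.
    timeout-minutes: 10080
    # Replaces the workflow-level block wholesale, so `actions: read` has to be
    # restated: download-artifact needs it to read another run's artifact.
    permissions:
      id-token: write
      contents: read
      actions: read
    env:
      AWS_REGION: eu-west-2
      # Tag resolved by the metadata job; used for the artifact name, logging
      # and the S3 key.
      DEPLOY_TAG: ${{ needs.metadata.outputs.tag }}
    steps:
      - name: "Acquire deploy lock"
        uses: softprops/turnstyle@v3
        with:
          poll-interval-seconds: 10

      - name: "Checkout same commit"
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: "Setup Terraform"
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ needs.metadata.outputs.terraform_version }}

      - name: "Configure AWS Credentials"
        uses: aws-actions/configure-aws-credentials@v5
        with:
          # OIDC role assumption; no long-lived keys are stored in the repo.
          role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role"
          aws-region: ${{ env.AWS_REGION }}

      - name: "Download lambda artefact from dev workflow"
        uses: actions/download-artifact@v5
        with:
          name: lambda-${{ needs.metadata.outputs.tag }}
          path: ./build
          # The artifact belongs to a different run (the dev workflow); the
          # action only downloads across runs when run-id and github-token are
          # both supplied.
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: "Terraform Apply (TEST)"
        working-directory: ./infrastructure
        env:
          ENVIRONMENT: test
          WORKSPACE: "default"
          TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
          TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
          TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
        run: |
          # NOTE(review): with working-directory ./infrastructure this creates
          # ./infrastructure/build, not the ./build the artifact was downloaded
          # to; confirm the Makefile expects that.
          mkdir -p ./build
          echo "Deploying tag: $DEPLOY_TAG"
          # networking is applied before api-layer; keep that order.
          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE

      - name: "Extract S3 bucket name from Terraform output"
        id: tf_output
        working-directory: ./infrastructure/stacks/api-layer
        run: |
          BUCKET=$(terraform output -raw lambda_artifact_bucket)
          echo "bucket_name=$BUCKET" >> "$GITHUB_OUTPUT"

      - name: "Upload lambda artifact to S3"
        env:
          BUCKET_NAME: ${{ steps.tf_output.outputs.bucket_name }}
        run: |
          aws s3 cp ./build/lambda.zip \
            "s3://${BUCKET_NAME}/artifacts/${DEPLOY_TAG}/lambda.zip" \
            --region "$AWS_REGION"

  regression-tests:
    name: "Regression Tests"
    needs: deploy
    uses: ./.github/workflows/regression-tests.yml
    with:
      ENVIRONMENT: "test"
      # NOTE(review): the deployed artefact is identified by the dev-* tag
      # above, yet the tests are pointed at "main"; confirm this is intended.
      VERSION_NUMBER: "main"
    secrets: inherit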