
(ELI-466) adding act guard for base deploy #4

(ELI-466) adding act guard for base deploy


Workflow file for this run

name: Base Deploy

Check failure on line 1 in .github/workflows/base-deploy.yml



Invalid workflow file

(Line: 23, Col: 5): Required property is missing: runs-on
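on:
  workflow_call:
    inputs:
      environment:
        description: "Target environment (preprod | prod)"
        required: true
        type: string
      ref:
        description: "Git ref to deploy (dev-tag). For prod, supply the RC tag to promote."
        required: true
        type: string
      release_type:
        description: "Version bump for base version (preprod only: patch|minor|major)"
        required: false
        default: "patch"
        type: string
    # No secrets are declared here, but the jobs below read secrets.AWS_ACCOUNT_ID,
    # secrets.API_* and secrets.SPLUNK_*. For a reusable workflow those are only
    # available when the caller passes `secrets: inherit` (or they are listed here).
    # NOTE(review): confirm against the calling workflows.
    secrets: {}

jobs:
  act_guard:
    name: "Dry run guard"
    # `runs-on` is mandatory for every job; it was missing and made the whole
    # workflow file invalid ("Required property is missing: runs-on").
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: "Dry run guard"
        if: env.DRY_RUN == 'true'
        env:
          # Define the values the message prints explicitly instead of relying on
          # the runner (e.g. act) to export INPUT_* variables for workflow inputs.
          INPUT_environment: ${{ inputs.environment }}
          INPUT_ref: ${{ inputs.ref }}
          INPUT_release_type: ${{ inputs.release_type }}
        run: |
          echo "DRY RUN: would deploy ${INPUT_environment} ref ${INPUT_ref} release_type ${INPUT_release_type}"
          exit 0
        # NOTE(review): `exit 0` ends this step only. None of the jobs below
        # depend on act_guard, so a dry run does not currently prevent them from
        # running; if the intent is to halt, the deploy jobs need a dependency
        # and a condition on this job.

  metadata:
    name: "Set CI/CD metadata"
    runs-on: ubuntu-latest
    timeout-minutes: 2
    outputs:
      build_datetime: ${{ steps.variables.outputs.build_datetime }}
      build_timestamp: ${{ steps.variables.outputs.build_timestamp }}
      build_epoch: ${{ steps.variables.outputs.build_epoch }}
      nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
      python_version: ${{ steps.variables.outputs.python_version }}
      terraform_version: ${{ steps.variables.outputs.terraform_version }}
      ref: ${{ steps.variables.outputs.ref }}
      environment: ${{ steps.variables.outputs.environment }}
      tag: ${{ steps.tag.outputs.name }}
      promoted_environment: ${{ steps.promoted_env.outputs.promoted_environment }}
    steps:
      - name: "Checkout ref"
        uses: actions/checkout@v5
        with:
          ref: ${{ inputs.ref }}
          fetch-depth: 0 # get full history + tags
      - name: "Set CI/CD variables"
        id: variables
        shell: bash
        env:
          # Workflow inputs are passed through env rather than interpolated with
          # ${{ }} into the script, so their contents are never parsed as shell.
          REF: ${{ inputs.ref }}
          ENVIRONMENT: ${{ inputs.environment }}
        run: |
          set -euo pipefail
          # Version of a tool as pinned in .tool-versions; empty when absent.
          tool_version() {
            grep -E "^$1" .tool-versions 2>/dev/null | cut -d' ' -f2 | head -n1
          }
          datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
          {
            echo "build_datetime=$datetime"
            echo "build_timestamp=$(date --date="$datetime" -u +'%Y%m%d%H%M%S')"
            echo "build_epoch=$(date --date="$datetime" -u +'%s')"
            echo "nodejs_version=$(tool_version nodejs)"
            echo "python_version=$(tool_version python)"
            echo "terraform_version=$(tool_version terraform)"
            echo "ref=$REF"
            echo "environment=$ENVIRONMENT"
          } >> "$GITHUB_OUTPUT"
      - name: "Resolve the dev-* tag for this commit"
        id: tag
        shell: bash
        env:
          # NOTE(review): inside a reusable workflow `github.event` is the caller's
          # event, so head_sha is only set when the caller itself ran on
          # workflow_run; otherwise the input ref is used below.
          SHA: ${{ github.event.workflow_run.head_sha }}
          FALLBACK_REF: ${{ inputs.ref }}
        run: |
          git fetch --tags --force
          TAG=""
          if [ -n "$SHA" ]; then
            TAG=$(git tag --points-at "$SHA" | grep '^dev-' | head -n1 || true)
          fi
          if [ -z "$TAG" ]; then
            echo "Using the dev tag provided in the input field" >&2
            TAG="$FALLBACK_REF"
          fi
          echo "name=$TAG" >> "$GITHUB_OUTPUT"
          echo "Resolved tag: $TAG"
      - name: "Resolve promoted environment"
        id: promoted_env
        shell: bash
        env:
          ENV: ${{ steps.variables.outputs.environment }}
        run: |
          # The environment whose artifact is promoted into the target one.
          case "$ENV" in
            preprod) PROMOTED="test" ;;
            prod)    PROMOTED="preprod" ;;
            *)       PROMOTED="$ENV" ;;
          esac
          echo "promoted_environment=$PROMOTED" >> "$GITHUB_OUTPUT"
      # Listed last so that the tag and promoted environment (resolved by the
      # two steps above) are populated; previously this step ran before them and
      # read promoted_environment from the wrong step, printing an empty value.
      - name: "List variables"
        shell: bash
        env:
          BUILD_DATETIME: ${{ steps.variables.outputs.build_datetime }}
          BUILD_TIMESTAMP: ${{ steps.variables.outputs.build_timestamp }}
          BUILD_EPOCH: ${{ steps.variables.outputs.build_epoch }}
          NODEJS_VERSION: ${{ steps.variables.outputs.nodejs_version }}
          PYTHON_VERSION: ${{ steps.variables.outputs.python_version }}
          TERRAFORM_VERSION: ${{ steps.variables.outputs.terraform_version }}
          REF: ${{ steps.variables.outputs.ref }}
          ENVIRONMENT: ${{ steps.variables.outputs.environment }}
          TAG: ${{ steps.tag.outputs.name }}
          PROMOTED_ENVIRONMENT: ${{ steps.promoted_env.outputs.promoted_environment }}
        run: |
          echo "build_datetime=$BUILD_DATETIME"
          echo "build_timestamp=$BUILD_TIMESTAMP"
          echo "build_epoch=$BUILD_EPOCH"
          echo "nodejs_version=$NODEJS_VERSION"
          echo "python_version=$PYTHON_VERSION"
          echo "terraform_version=$TERRAFORM_VERSION"
          echo "ref=$REF"
          echo "environment=$ENVIRONMENT"
          echo "tag=$TAG"
          echo "promoted_environment=$PROMOTED_ENVIRONMENT"

  download-lambda-artifact:
    name: "Fetch the lambda artifact from previous stage"
    runs-on: ubuntu-latest
    needs: [metadata]
    timeout-minutes: 45
    permissions:
      id-token: write
      # This job only checks out, reads Terraform output and copies from S3;
      # nothing here writes to the repository, so `contents: write` is not needed.
      contents: read
    # Runs in the environment being promoted FROM, so the artifact is read from
    # that stage's bucket.
    environment: ${{ needs.metadata.outputs.promoted_environment }}
    steps:
      - name: "Checkout repository at ref"
        uses: actions/checkout@v5
        with:
          ref: ${{ needs.metadata.outputs.ref }}
          fetch-depth: 0
      - name: "Setup Terraform"
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ needs.metadata.outputs.terraform_version }}
      - name: "Configure AWS Credentials"
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
          aws-region: eu-west-2
      - name: "Terraform Init"
        env:
          ENVIRONMENT: ${{ needs.metadata.outputs.promoted_environment }}
          WORKSPACE: "default"
        run: |
          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init"
          make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE
        working-directory: ./infrastructure
      - name: "Extract S3 bucket name from Terraform output"
        id: tf_output
        shell: bash
        run: |
          set -euo pipefail
          BUCKET=$(terraform output -raw lambda_artifact_bucket)
          echo "bucket_name=$BUCKET" >> "$GITHUB_OUTPUT"
        working-directory: ./infrastructure/stacks/api-layer
      - name: "Download lambda artifact from S3"
        env:
          BUCKET: ${{ steps.tf_output.outputs.bucket_name }}
          TAG: ${{ needs.metadata.outputs.tag }}
        run: |
          aws s3 cp \
            "s3://${BUCKET}/artifacts/${TAG}/lambda.zip" \
            ./dist/lambda.zip \
            --region eu-west-2
      - name: "Upload lambda artifact for the current workflow"
        uses: actions/upload-artifact@v4
        with:
          name: lambda-${{ needs.metadata.outputs.tag }}
          path: ./dist/lambda.zip

  deploy:
    name: "Deploy to ${{ needs.metadata.outputs.environment }}"
    runs-on: ubuntu-latest
    needs: [metadata, download-lambda-artifact]
    timeout-minutes: 45
    permissions:
      id-token: write
      # "Tag and Release" pushes tags/releases with GITHUB_TOKEN.
      contents: write
    environment: ${{ needs.metadata.outputs.environment }}
    steps:
      - name: "Checkout repository at ref"
        uses: actions/checkout@v5
        with:
          ref: ${{ needs.metadata.outputs.ref }}
          fetch-depth: 0
      - name: "Setup Terraform"
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ needs.metadata.outputs.terraform_version }}
      - name: "Download Lambda Artifact"
        uses: actions/download-artifact@v5
        with:
          name: lambda-${{ needs.metadata.outputs.tag }}
          path: ./dist
      - name: "Configure AWS Credentials"
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
          aws-region: eu-west-2
      - name: "Terraform Apply"
        env:
          ENVIRONMENT: ${{ needs.metadata.outputs.environment }}
          WORKSPACE: "default"
          TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
          TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
          TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
        working-directory: ./infrastructure
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p ./build
          # networking first: api-layer depends on it.
          for stack in networking api-layer; do
            echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=$stack tf-command=apply"
            make terraform env=$ENVIRONMENT stack=$stack tf-command=apply workspace=$WORKSPACE
          done
      - name: "Extract S3 bucket name from Terraform output"
        id: tf_output
        shell: bash
        run: |
          set -euo pipefail
          BUCKET=$(terraform output -raw lambda_artifact_bucket)
          echo "bucket_name=$BUCKET" >> "$GITHUB_OUTPUT"
        working-directory: ./infrastructure/stacks/api-layer
      - name: "Upload lambda artifact to S3"
        env:
          BUCKET: ${{ steps.tf_output.outputs.bucket_name }}
          TAG: ${{ needs.metadata.outputs.tag }}
        run: |
          aws s3 cp ./dist/lambda.zip \
            "s3://${BUCKET}/artifacts/${TAG}/lambda.zip" \
            --region eu-west-2
      - name: "Validate Feature Toggles"
        env:
          ENV: ${{ needs.metadata.outputs.environment }}
        # NOTE(review): boto3 is installed unpinned on every run; pin it (or
        # install from a lock file) for reproducible deploys.
        run: |
          pip install boto3
          python scripts/feature_toggle/validate_toggles.py
      - name: "Tag and Release"
        if: ${{ needs.metadata.outputs.environment == 'preprod' || needs.metadata.outputs.environment == 'prod' }}
        env:
          ENVIRONMENT: ${{ needs.metadata.outputs.environment }}
          REF: ${{ needs.metadata.outputs.ref }}
          INPUT_RELEASE_TYPE: ${{ inputs.release_type }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
        # NOTE(review): requests is installed unpinned; same remark as above.
        run: |
          pip install requests
          python scripts/workflow/tag_and_release.py

  regression-tests:
    name: "Regression Tests"
    if: ${{ needs.metadata.outputs.environment == 'preprod' }}
    # `needs.<job>` is only populated for direct dependencies, so metadata must be
    # listed here for the `if` above to see its outputs; with `needs: deploy`
    # alone the condition always evaluated false and this job never ran.
    needs: [metadata, deploy]
    uses: ./.github/workflows/regression-tests.yml
    with:
      ENVIRONMENT: "preprod"
      VERSION_NUMBER: "main"
    secrets: inherit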