Started on recording who did an approval of a release (#13) #21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy Backend | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: ["v*.*.*"] | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| type: choice | |
| options: [Development, Stage] | |
| description: "Target environment" | |
| required: true | |
| env: | |
| # kosli commands picks up org, flow, trail and api-token from these environment variables | |
| KOSLI_ORG: kosli-public | |
| KOSLI_FLOW: github-release-example-backend | |
| KOSLI_API_TOKEN: "${{ secrets.KOSLI_PUBLIC_API_TOKEN }}" | |
| KOSLI_CLI_VERSION: "${{ vars.KOSLI_CLI_VERSION }}" | |
| KOSLI_TEMPLATE_FILE: "kosli-flow-templates/backend-template.yml" | |
| KOSLI_ENV_PROD: "github-release-example-prod" | |
| # KOSLI_DRY_RUN: true | |
| JIRA_BASE_URL: "${{ vars.JIRA_BASE_URL }}" | |
| JIRA_USERNAME: ${{ secrets.KOSLI_JIRA_USERNAME }} | |
| JIRA_API_TOKEN: ${{ secrets.KOSLI_JIRA_API_TOKEN }} | |
| jobs: | |
| setup: | |
| name: Begin trail | |
| runs-on: ubuntu-latest | |
| outputs: | |
| kosli-trail: ${{ steps.set-kosli-trail.outputs.kosli-trail }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set KOSLI_TRAIL to tag if available | |
| id: set-kosli-trail | |
| run: | | |
| if [[ "${GITHUB_REF}" == refs/tags/* ]]; then | |
| echo "kosli-trail=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT | |
| else | |
| echo "kosli-trail=${GITHUB_SHA}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Begin trail | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| uses: ./.github/actions/kosli-begin-trail | |
| with: | |
| kosli-trail: ${{ steps.set-kosli-trail.outputs.kosli-trail }} | |
| kosli-template-file: ${{ env.KOSLI_TEMPLATE_FILE }} | |
| build: | |
| name: Build backend | |
| needs: [setup] | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image-version: ${{ steps.build-artifact.outputs.image-version }} | |
| fingerprint: ${{ steps.calculate_fingerprint.outputs.fingerprint }} | |
| env: | |
| KOSLI_TRAIL: ${{ needs.setup.outputs.kosli-trail }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build backend | |
| id: build-artifact | |
| run: | | |
| echo "Here we could do some proper build" | |
| echo "image-version=${{ env.KOSLI_TRAIL }}" >> $GITHUB_OUTPUT | |
| - name: Extract short SHA | |
| run: echo "SHORT_SHA=${GITHUB_SHA:0:7}" >> $GITHUB_ENV | |
| - name: Attest artifact | |
| id: calculate_fingerprint | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| uses: ./.github/actions/kosli-attest-dir-artifact | |
| with: | |
| kosli-artifact-template-name: backend | |
| artifact-name: backend:${{ env.SHORT_SHA }} | |
| artifact-dir: apps/backend | |
| pull-request: | |
| name: Pull-request | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| needs: [setup] | |
| runs-on: ubuntu-latest | |
| env: | |
| KOSLI_TRAIL: ${{ needs.setup.outputs.kosli-trail }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Attest GitHub pull-request | |
| uses: ./.github/actions/kosli-attest-pullrequest | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| assert: true | |
| deploy-development: | |
| needs: build | |
| name: Deploy to development | |
| uses: ./.github/workflows/_deploy.yml | |
| with: | |
| environment: Development | |
| version: ${{ needs.build.outputs.image-version }} | |
| resource: dev-backend | |
| secrets: inherit | |
| deploy-stage: | |
| if: ${{ github.event_name != 'workflow_dispatch' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'Stage') }} | |
| needs: [build,deploy-development] | |
| name: Deploy to stage | |
| uses: ./.github/workflows/_deploy.yml | |
| with: | |
| environment: Stage | |
| version: ${{ needs.build.outputs.image-version }} | |
| resource: stage-backend | |
| secrets: inherit | |
| get-approver-for-stage: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Get workflow run ID | |
| id: get-run-id | |
| run: echo "workflow_run_id=${{ github.run_id }}" >> $GITHUB_ENV | |
| - name: Get approval actor from audit log | |
| id: get-approver | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| OWNER: kosli-dev | |
| REPO: github-release-example | |
| WORKFLOW_RUN_ID: ${{ github.run_id }} | |
| run: | | |
| API_URL="https://api.github.com/orgs/${OWNER}/audit-log" | |
| TIMESTAMP_24H_AGO=$(date -u -d '1 day ago' +"%Y-%m-%dT%H:%M:%SZ") | |
| curl -s -H "Authorization: Bearer ${GH_TOKEN}" \ | |
| -H "Accept: application/vnd.github+json" \ | |
| --get \ | |
| --data-urlencode "phrase=repo:${OWNER}/${REPO}" \ | |
| --data-urlencode "phrase=action:workflows.approve_workflow_job" \ | |
| --data-urlencode "created_after=${TIMESTAMP_24H_AGO}" \ | |
| "$API_URL" > audit.json | |
| APPROVER=$(jq -r --arg run_id "$WORKFLOW_RUN_ID" ' | |
| map(select(.workflow_run_id | tostring == $run_id)) | |
| | sort_by(.created_at) | |
| | reverse | |
| | .[0].actor // "unknown" | |
| ' audit.json) | |
| echo "Approver: $APPROVER" | |
| echo "approver=$APPROVER" >> $GITHUB_OUTPUT | |
| semver-tag: | |
| needs: [build,deploy-stage] | |
| name: Check for semver tag | |
| runs-on: ubuntu-latest | |
| outputs: | |
| release-to-prod: ${{ steps.check-tag.outputs.match }} | |
| steps: | |
| - name: Check Tag | |
| id: check-tag | |
| run: | | |
| if [[ ${{ github.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "match=true" >> $GITHUB_OUTPUT | |
| fi | |
| create-release: | |
| needs: semver-tag | |
| if: needs.semver-tag.outputs.release-to-prod == 'true' | |
| name: Create GitHub Release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Create GitHub Release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAG_NAME: ${{ github.ref_name }} | |
| REPO: ${{ github.repository }} | |
| run: | | |
| API_URL="https://api.github.com/repos/${REPO}/releases" | |
| JSON_PAYLOAD=$(jq -n \ | |
| --arg tag "$TAG_NAME" \ | |
| --arg name "$TAG_NAME" \ | |
| '{ tag_name: $tag, name: $name, generate_release_notes: true, draft: false, prerelease: false }') | |
| curl -s -X POST "$API_URL" \ | |
| -H "Authorization: Bearer $GITHUB_TOKEN" \ | |
| -H "Content-Type: application/json" \ | |
| -d "$JSON_PAYLOAD" | |
| assert-artifact: | |
| name: Assert artifacts | |
| if: ${{ (github.event_name != 'workflow_dispatch' && needs.semver-tag.outputs.release-to-prod == 'true') }} | |
| needs: [build, pull-request, deploy-stage, semver-tag] | |
| env: | |
| KOSLI_TRAIL: ${{ needs.setup.outputs.kosli-trail }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Setup Kosli cli | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: | |
| ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Assert Artifacts | |
| run: | | |
| kosli assert artifact --fingerprint ${{ needs.build.outputs.fingerprint }} | |
| deploy-production: | |
| if: ${{ (github.event_name != 'workflow_dispatch' && needs.semver-tag.outputs.release-to-prod == 'true') }} | |
| needs: [build,deploy-stage,semver-tag,assert-artifact] | |
| name: Deploy to production | |
| uses: ./.github/workflows/_deploy.yml | |
| with: | |
| environment: Production | |
| version: ${{ needs.build.outputs.image-version }} | |
| resource: prod-backend | |
| secrets: inherit |