ci: tag, release, build and deploy on merge

c-wygoda · c-wygoda · commit 710d865343d5 · 2024-05-09T19:15:56.000+02:00
diff --git a/.github/actions/bump/action.yml b/.github/actions/bump/action.yml
@@ -0,0 +1,34 @@
+name: bump version
+description: bump version
+outputs:
+  version:
+    description: new version
+    value: ${{ steps.bump.outputs.version }}
+runs:
+  using: "composite"
+  steps:
+    - shell: bash
+      run: pipx install poetry==1.7.1
+    - shell: bash
+      run: |
+        git config --local user.name "github-actions[bot]"
+        git config --local user.email "github-actions[bot]@users.noreply.github.com"
+        git config --local pull.rebase true
+    - id: bump
+      shell: bash
+      env:
+        BRANCH: ${{ github.event.repository.default_branch }}
+      run: |
+        export OLD=$(poetry version --short)
+        export BASE=$(echo ${OLD} | cut -d "+" -f 1)
+        export NEW=${BASE}+$(date +%y%m%d-%H%M%S)
+
+        poetry version ${NEW}
+        git add pyproject.toml
+        git commit -m "bump: ${OLD} → ${NEW}"
+        git tag v${NEW}
+
+        git pull origin ${BRANCH}
+        git push origin HEAD:${BRANCH} --tags
+
+        echo "version=v${NEW}" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/tag-n-release.yml b/.github/workflows/tag-n-release.yml
@@ -0,0 +1,114 @@
+name: tag and release new version
+
+on:
+  pull_request_target:
+    types:
+      - closed
+
+jobs:
+  tag:
+    name: create git tag
+    if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == github.event.repository.default_branch
+    runs-on: ubuntu-latest
+    outputs:
+      tag: v${{ steps.bump.outputs.version }}
+    steps:
+      - id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_SECRET }}
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          ref: ${{ github.event.repository.default_branch }}
+      - id: bump
+        uses: ./.github/actions/bump
+
+  relase:
+    name: create new release
+    needs: tag
+    if: ${{ needs.tag.outputs.tag }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/github-script@v7
+        env:
+          TAG: ${{ needs.tag.outputs.tag }}
+        with:
+          script: |
+            const { TAG } = process.env
+            github.rest.repos.createRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              tag_name: TAG,
+            })
+
+  build-docker:
+    name: build docker image
+    needs: tag
+    if: ${{ needs.tag.outputs.tag }}
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.tag.outputs.tag }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to ECR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com
+          username: ${{ vars.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      - name: Set up Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/stapi-spec/stapi-fastapi
+            ${{ vars.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/stapi-spec/stapi-fastapi
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: lambda
+          push: true
+          platforms: linux/amd64
+          provenance: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs:
+      - tag
+      - build-docker
+    if: ${{ needs.tag.outputs.tag }}
+    steps:
+      - uses: actions/checkout@v4
+      - run: pipx install poetry==1.7.1
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: poetry
+      - name: Install deploy dependencies
+        run: poetry install --only=deploy-aws
+      - name: Run CDK deploy
+        uses: ./.github/actions/cdk-deploy
+        with:
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_ACCESS_KEY_ID: ${{ vars.AWS_ACCESS_KEY_ID }}
+          AWS_ECR_REPOSITORY_ARN: arn:aws:ecr:${{ vars.AWS_REGION }}:${{ vars.AWS_ACCOUNT_ID}}:repository/stapi-spec/stapi-fastapi
+          IMAGE_TAG_OR_DIGEST: ${{ needs.tag.outputs.tag }}
