Set up CI/CD workflows

amosehiguese · Jan 28, 2024 · bb2e834 · bb2e834
1 parent 39b6a5c
commit bb2e834
Show file tree

Hide file tree

Showing 8 changed files with 206 additions and 45 deletions.
diff --git a/.github/workflows/delivery-workflow.yaml b/.github/workflows/delivery-workflow.yaml
@@ -0,0 +1,64 @@
+name: Subd Delivery Workflow
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
+        with:
+          cosign-release: 'v1.13.1'
+
+
+      - name: Setup Docker buildx
+        uses: docker/[email protected]
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/[email protected]
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/[email protected]
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64,linux/arm64
+
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/deploy-aws-app-runner.yaml b/.github/workflows/deploy-aws-app-runner.yaml
@@ -0,0 +1,91 @@
+name: Subd AWS App Runner Workflow
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      environment:
+        required: true
+        type: choice
+        description: Enter the target environment for the deployment
+        options:
+        - Staging
+        - Production
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    environment:
+      name: ${{ inputs.environment }}
+      url: ${{ vars.URL }}
+    runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    concurrency:
+      group: deploy-${{ inputs.environment }}
+      cancel-in-progress: false
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Deploy staging with push to ECR
+        if: ${{ inputs.environment }} == 'Staging'
+        id: push
+        run: |
+          docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main
+          docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main ${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}
+          docker push ${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}
+
+      - name: Deploy production with aws CLI
+        if: ${{ inputs.environment }} == 'Production'
+        run: |
+          aws apprunner start-deployment --service-arn="${{ vars.SERVICE_ARN }}"
+
+      - name: Wait for Deployment to Begin
+        run: |
+          STATUS=$(aws apprunner describe-service --query="Service.Status" --output=text --service-arn="${{ vars.SERVICE_ARN }}")
+
+          until [ "${STATUS}" == "OPERATION_IN_PROGRESS" ];
+          do
+            echo "$(date) ${STATUS}"
+            STATUS=$(aws apprunner describe-service --query="Service.Status" --output=text --service-arn="${{ vars.SERVICE_ARN }}")
+            sleep 10;
+          done
+
+      - name: Wait for Deployment to Complete
+        id: status
+        timeout-minutes: 10
+        run: |
+          STATUS=$(aws apprunner describe-service --query="Service.Status" --output=text --service-arn="${{ vars.SERVICE_ARN }}")
+
+          while [ "${STATUS}" == "OPERATION_IN_PROGRESS" ];
+          do
+            echo "$(date) ${STATUS}"
+            STATUS=$(aws apprunner describe-service --query="Service.Status" --output=text --service-arn="${{ vars.SERVICE_ARN }}")
+            sleep 30;
+          done
+          echo "deployment_status=${STATUS}" >> "$GITHUB_OUTPUT"
+
+      - name: Check Deployment Status
+        id: check
+        run: |
+          if [ "${{ steps.status.outputs.deployment_status }}" == "RUNNING" ]; then
+            echo "Deployment successful"
+          else
+            echo "Deployment failed: ${{ steps.status.outputs.deployment_status }}"
+            exit 1
+          fi
diff --git a/.github/workflows/go.yml → .github/workflows/integration-workflow.yml b/.github/workflows/go.yml → .github/workflows/integration-workflow.yml
@@ -1,15 +1,12 @@
-name: Go
-
-env:
-  GIN_MODE: release
+name: Subd Integration Workflow
 
 on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
+  workflow_call:
   workflow_dispatch:
 
+  permissions:
+    contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
@@ -0,0 +1,46 @@
+name: Subd Container Deployment Pipeline
+
+on: 
+  push:
+    branches: ["main"]
+    tags: ['v*.*.*']
+  pull_request:
+    branches: ["main"]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  integration:
+    uses: ./.github/workflows/integration-workflow.yaml
+    permissions: 
+      contents: read
+
+  delivery:
+    needs: [integration]
+    uses: ./.github/workflows/delivery-workflow.yaml
+    permissions: 
+      contents: read
+      packages: write
+      id-token: write
+
+  deploy-staging:
+    needs: [delivery]
+    uses: ./.github/workflows/deploy-aws-app-runner.yaml
+    with:
+      environment: Staging
+    permissions:
+      packages: read
+    secrets: inherit
+
+  deploy-production:
+    needs: [delivery]
+    uses: ./.github/workflows/deploy-aws-app-runner.yaml
+    with:
+      environment: Production
+    permissions:
+      packages: read
+    secrets: inherit
+
diff --git a/terraform/main.tf b/terraform/main.tf
diff --git a/terraform/providers.tf b/terraform/providers.tf
diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
diff --git a/terraform/variables.tf b/terraform/variables.tf