.github/workflows/deploy-common.yml

name: Common Deployment Steps

on:
  workflow_call:
    inputs:
      working-directory:
        required: true
        type: string
      stack-name:
        required: true
        type: string
    secrets:
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      ARN_OF_IAM_ROLE_TO_ASSUME:
        required: true
      PULUMI_CONFIG_PASSPHRASE:
        required: true
      SENTRY_AUTH_TOKEN:
        required: true

jobs:
  deployment:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '20'

      - name: Install pnpm
        uses: pnpm/action-setup@v2
        with:
          version: 9

      - name: Get pnpm store directory
        shell: bash
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV

      - uses: actions/cache@v3
        name: Setup pnpm cache
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-

      - name: Install dependencies
        run: pnpm install
        working-directory: ${{ inputs.working-directory }}

      - name: Setup Pulumi
        uses: pulumi/setup-pulumi@v2

      - name: Deploy with Pulumi
        working-directory: ${{ inputs.working-directory }}
        run: |
          aws configure set aws_access_key_id ${AWS_ACCESS_KEY_ID}
          aws configure set aws_secret_access_key ${AWS_SECRET_ACCESS_KEY}
          aws configure set region "${AWS_REGION:-eu-central-1}"

          CREDS_JSON=$(aws sts assume-role \
                       --role-arn "${ARN_OF_IAM_ROLE_TO_ASSUME}" \
                       --role-session-name "GatewayDeployment-${GITHUB_RUN_ID}" \
                       --external-id "gateway-production")

          export AWS_ACCESS_KEY_ID=$(echo "${CREDS_JSON}" | jq ".Credentials.AccessKeyId" --raw-output)
          export AWS_SECRET_ACCESS_KEY=$(echo "${CREDS_JSON}" | jq ".Credentials.SecretAccessKey" --raw-output)
          export AWS_SESSION_TOKEN=$(echo "${CREDS_JSON}" | jq ".Credentials.SessionToken" --raw-output)

          echo "Assumed AWS identity:"
          aws sts get-caller-identity

          echo "Deploying Pulumi stack: ${{ inputs.stack-name }}"
          pulumi up --stack ${{ inputs.stack-name }} --yes
        env:
          ARN_OF_IAM_ROLE_TO_ASSUME: ${{ secrets.ARN_OF_IAM_ROLE_TO_ASSUME }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}