Create GitHub Actions for auto deployment to AWS

.github/workflows/backend.yml

@@ -0,0 +1,83 @@
+name: Deploy Backend Services
+
+on:
+  push:
+    branches: [ 'main' ]
+    paths: [
+      'services/question/**',
+      'services/user/**',
+      'services/match/**',
+      'services/collaboration/**',
+    ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
+env:
+  AWS_REGION: ap-southeast-1
+  ECS_CLUSTER: backend-cluster
+
+jobs:
+  deploy:
+    name: Deploy Backend Service
+    runs-on: ubuntu-latest
+    environment: production
+
+    strategy:
+      matrix:
+        service: [ 'question', 'user', 'match', 'collaboration' ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check for changes in ${{ matrix.service }} directory
+        uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            service:
+              - '.services/${{ matrix.service }}/**'
+
+      - name: Configure AWS credentials
+        id: aws-configure
+        if: steps.changes.output.service == 'true'
+        uses: aws-actions/configure-aws-credentials@v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_BACKEND_ROLE }}
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to AWS ECR
+        id: login-ecr
+        if: steps.changes.output.service == 'true'
+        uses: aws-actions/amazon-ecr-login@v2.0.1
+
+      - name: Build and push ${{ matrix.service }} image to AWS ECR
+        id: build-image
+        if: steps.changes.output.service == 'true'
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ${{ matrix.service }}
+          IMAGE_TAG: latest
+        run: |
+          echo "Building $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./services/${{ matrix.service }}
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+      - name: Update AWS Service (${{ matrix.service }}) # Trigger re-deployment with latest image
+        id: update-service
+        if: steps.changes.output.service == 'true'
+        env:
+          ECS_SERVICE: ${{ matrix.service }}-service
+        run: |
+          echo "Updating $ECS_SERVICE for $ECS_CLUSTER"
+          aws ecs update-service \
+            --cluster $ECS_CLUSTER \
+            --service $ECS_SERVICE \
+            --force-new-deployment \
+            --region $AWS_REGION

.github/workflows/backend_force.yml

@@ -0,0 +1,65 @@
+# Deploys all backend services regardless of file changes.
+# Can only be triggered manually.
+
+name: Force Deploy All Backend Services
+
+on:
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
+env:
+  AWS_REGION: ap-southeast-1
+  ECS_CLUSTER: backend-cluster
+
+jobs:
+  deploy:
+    name: Deploy Backend Service
+    runs-on: ubuntu-latest
+    environment: production
+
+    strategy:
+      matrix:
+        service: [ 'question', 'user', 'match', 'collaboration' ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        id: aws-configure
+        uses: aws-actions/configure-aws-credentials@v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_BACKEND_ROLE }}
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to AWS ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2.0.1
+
+      - name: Build and push ${{ matrix.service }} image to AWS ECR
+        id: build-image
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ${{ matrix.service }}
+          IMAGE_TAG: latest
+        run: |
+          echo "Building $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./services/${{ matrix.service }}
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+      - name: Update AWS Service (${{ matrix.service }}) # Trigger re-deployment with latest image
+        id: update-service
+        env:
+          ECS_SERVICE: ${{ matrix.service }}-service
+        run: |
+          echo "Updating $ECS_SERVICE for $ECS_CLUSTER"
+          aws ecs update-service \
+            --cluster $ECS_CLUSTER \
+            --service $ECS_SERVICE \
+            --force-new-deployment \
+            --region $AWS_REGION

.github/workflows/frontend force.yml

@@ -0,0 +1,44 @@
+# Deploys frontend regardless of file changes.
+# Can only be triggered manually.
+
+name: Force Deploy Frontend
+
+on:
+  workflow_dispatch:
+
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
+env:
+  AWS_REGION: ap-southeast-1
+  S3_BUCKET_NAME: app.peerprep.org
+
+jobs:
+  deploy:
+    name: Deploy Frontend
+    runs-on: ubuntu-latest
+    environment: production
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        id: aws-configure
+        uses: aws-actions/configure-aws-credentials@v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_FRONTEND_ROLE }}
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Build frontend distribution
+        working-directory: frontend
+        run: npm ci && npm run build
+
+      - name: Sync distribution to S3
+        run: |
+          aws s3 sync ./frontend/dist/frontend/browser/ s3://$S3_BUCKET_NAME --delete
+
+      - name: Invalidate Cloudfront Cache
+        run: |
+          aws cloudfront create-invalidation --distribution-id ${{ secrets.AWS_CLOUDFRONT_ID }} --paths "/*"

.github/workflows/frontend.yml

@@ -0,0 +1,46 @@
+name: Deploy Frontend
+
+on:
+  push:
+    branches: [ 'main' ]
+    paths:
+      - 'frontend/**'
+
+  workflow_dispatch:
+
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
+env:
+  AWS_REGION: ap-southeast-1
+  S3_BUCKET_NAME: app.peerprep.org
+
+jobs:
+  deploy:
+    name: Deploy Frontend
+    runs-on: ubuntu-latest
+    environment: production
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        id: aws-configure
+        uses: aws-actions/configure-aws-credentials@v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_FRONTEND_ROLE }}
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Build frontend distribution
+        working-directory: frontend
+        run: npm ci && npm run build
+
+      - name: Sync distribution to S3
+        run: |
+          aws s3 sync ./frontend/dist/frontend/browser/ s3://$S3_BUCKET_NAME --delete
+
+      - name: Invalidate Cloudfront Cache
+        run: |
+          aws cloudfront create-invalidation --distribution-id ${{ secrets.AWS_CLOUDFRONT_ID }} --paths "/*"