2627 pulumi 1p secrets 2 (#643)

* feat: skip approval check when deploying to review * feat: rework workflows, load_commit_ref should be called only once * feat: require approval for deploying UI code * fix: renamin workflows, deploying UI after deployment of BE finished * fix: renamin workflows - forgot to commit some files * feat: switch to use @v1 of gh-workflows
passportxyz · Jul 26, 2024 · aabd726 · aabd726
1 parent ced254b
commit aabd726
Show file tree

Hide file tree

Showing 13 changed files with 198 additions and 120 deletions.
diff --git a/.github/workflows/build_and_deploy_generic.yml b/.github/workflows/build_and_deploy_generic.yml
@@ -1,35 +1,24 @@
-name: Library - Build and Deploy to Review
+name: Library - Build and Deploy API
 
 on:
   workflow_call:
     inputs:
-      commit:
-        description: "Leave blank to use current HEAD, or provide an override commit SHA"
+      refspec:
+        description: "The commit SHA"
         type: string
-        required: false
+        required: True
+      docker_tag:
+        description: "Docker tag"
+        type: string
+        required: True
       environment:
         description: "Environment to deploy to"
         type: string
         required: true
 
 jobs:
-  ref:
-    name: Load Commit Ref
-    runs-on: ubuntu-latest
-    steps:
-      - id: ref
-        uses: passportxyz/gh-workflows/.github/actions/load_commit_ref@main
-        with:
-          commit: ${{ inputs.commit }}
-
-    outputs:
-      version_tag: ${{ steps.ref.outputs.version_tag }}
-      docker_tag: ${{ steps.ref.outputs.docker_tag }}
-      refspec: ${{ steps.ref.outputs.refspec }}
-
   docker-ecs:
     name: Build and push docker image for ECS
-    needs: [ref]
     runs-on: ubuntu-latest
     steps:
       - name: Load secret
@@ -42,10 +31,10 @@ jobs:
           AWS_ACCESS_KEY_ID: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/AWS_ACCESS_KEY_ID
           AWS_SECRET_ACCESS_KEY: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/AWS_SECRET_ACCESS_KEY
       - id: build_and_push_docker_image
-        uses: passportxyz/gh-workflows/.github/actions/build_and_push@main
+        uses: passportxyz/gh-workflows/.github/actions/build_and_push@v1
         with:
-          refspec: ${{ needs.ref.outputs.refspec }}
-          docker_tag: ${{ needs.ref.outputs.docker_tag }}
+          refspec: ${{ inputs.refspec }}
+          docker_tag: ${{ inputs.docker_tag }}
           ecr_repository_name: passport-scorer
           aws_region: us-west-2
           aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
@@ -55,7 +44,6 @@ jobs:
 
   docker-lambda:
     name: Build and push docker image for lambdas
-    needs: [ref]
     runs-on: ubuntu-latest
     steps:
       - name: Load secret
@@ -68,10 +56,10 @@ jobs:
           AWS_ACCESS_KEY_ID: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/AWS_ACCESS_KEY_ID
           AWS_SECRET_ACCESS_KEY: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/AWS_SECRET_ACCESS_KEY
       - id: build_and_push_docker_image
-        uses: passportxyz/gh-workflows/.github/actions/build_and_push@main
+        uses: passportxyz/gh-workflows/.github/actions/build_and_push@v1
         with:
-          refspec: ${{ needs.ref.outputs.refspec }}
-          docker_tag: ${{ needs.ref.outputs.docker_tag }}
+          refspec: ${{ inputs.refspec }}
+          docker_tag: ${{ inputs.docker_tag }}
           ecr_repository_name: submit-passport-lambdas
           aws_region: us-west-2
           aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
@@ -81,7 +69,6 @@ jobs:
 
   docker-indexer:
     name: Build and push docker image for indexer
-    needs: [ref]
     runs-on: ubuntu-latest
     steps:
       - name: Load secret
@@ -94,27 +81,25 @@ jobs:
           AWS_ACCESS_KEY_ID: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/AWS_ACCESS_KEY_ID
           AWS_SECRET_ACCESS_KEY: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/AWS_SECRET_ACCESS_KEY
       - id: build_and_push_docker_image
-        uses: passportxyz/gh-workflows/.github/actions/build_and_push@main
+        uses: passportxyz/gh-workflows/.github/actions/build_and_push@v1
         with:
-          refspec: ${{ needs.ref.outputs.refspec }}
-          docker_tag: ${{ needs.ref.outputs.docker_tag }}
+          refspec: ${{ inputs.refspec }}
+          docker_tag: ${{ inputs.docker_tag }}
           ecr_repository_name: passport-indexer
           aws_region: us-west-2
           aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
           aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
           dockerfile_name: ./indexer/Dockerfile
           build_dir: ./indexer/
 
-
   deploy_preview:
     name: Preview - Deploying AWS Infra
-    needs: [ref]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ needs.ref.outputs.refspec }}
+          ref: ${{ inputs.refspec }}
           fetch-depth: 0
       - name: Install 1Password CLI
         uses: 1password/install-cli-action@v1
@@ -132,11 +117,11 @@ jobs:
           AWS_SECRET_ACCESS_KEY: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/AWS_SECRET_ACCESS_KEY
           PULUMI_ACCESS_TOKEN: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/PULUMI_ACCESS_TOKEN
       - name: Prepare to Deploy to AWS
-        uses: passportxyz/gh-workflows/.github/actions/prepare_deploy_to_aws@main
+        uses: passportxyz/gh-workflows/.github/actions/prepare_deploy_to_aws@v1
       - name: Deploy Preview
-        uses: passportxyz/gh-workflows/.github/actions/deploy_to_aws@main
+        uses: passportxyz/gh-workflows/.github/actions/deploy_to_aws@v1
         with:
-          docker_tag: ${{ needs.ref.outputs.docker_tag }}
+          docker_tag: ${{ inputs.docker_tag }}
           stack_name: gitcoin/passport-scorer/${{ inputs.environment }}
           aws_region: us-west-2
           pulumi_command: preview
@@ -148,23 +133,31 @@ jobs:
 
   deploy_confirm:
     name: Review Approval Pending
-    needs: [ref, deploy_preview]
+    needs: [deploy_preview]
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
     steps:
       - name: Approve Release to Review (check pulumi preview)
+        if: ${{ inputs.environment != 'review' }}
         run: |
-          echo "Ref" ${{ needs.ref.outputs.refspec }}
+          echo "Ref" ${{ inputs.refspec }}
 
   deploy_backends:
     name: Deploying AWS Infra
-    needs: [ref, docker-ecs, docker-indexer, docker-lambda, deploy_preview, deploy_confirm]
+    needs:
+      [
+        docker-ecs,
+        docker-indexer,
+        docker-lambda,
+        deploy_preview,
+        deploy_confirm,
+      ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
-          ref: ${{ needs.ref.outputs.refspec }}
+          ref: ${{ inputs.refspec }}
           fetch-depth: 0
       - name: Install 1Password CLI
         uses: 1password/install-cli-action@v1
@@ -182,11 +175,11 @@ jobs:
           AWS_SECRET_ACCESS_KEY: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/AWS_SECRET_ACCESS_KEY
           PULUMI_ACCESS_TOKEN: op://DevOps/passport-scorer-${{ inputs.environment }}-secrets/ci/PULUMI_ACCESS_TOKEN
       - name: Prepare to Deploy to AWS
-        uses: passportxyz/gh-workflows/.github/actions/prepare_deploy_to_aws@main
+        uses: passportxyz/gh-workflows/.github/actions/prepare_deploy_to_aws@v1
       - name: Deploy Review
-        uses: passportxyz/gh-workflows/.github/actions/deploy_to_aws@main
+        uses: passportxyz/gh-workflows/.github/actions/deploy_to_aws@v1
         with:
-          docker_tag: ${{ needs.ref.outputs.docker_tag }}
+          docker_tag: ${{ inputs.docker_tag }}
           stack_name: gitcoin/passport-scorer/${{ inputs.environment }}
           pulumi_command: up
           aws_region: us-west-2

diff --git a/.github/workflows/build_and_deploy_production.yml b/.github/workflows/build_and_deploy_production.yml
@@ -1,4 +1,4 @@
-name: Build and Deploy to Production
+name: Build and Deploy API to Production
 on:
   workflow_dispatch:
     inputs:
@@ -8,19 +8,35 @@ on:
         required: false
 
 jobs:
+  ref:
+    name: Load Commit Ref
+    runs-on: ubuntu-latest
+    steps:
+      - id: ref
+        uses: passportxyz/gh-workflows/.github/actions/load_commit_ref@v1
+        with:
+          commit: ${{ inputs.commit }}
+
+    outputs:
+      version_tag: ${{ steps.ref.outputs.version_tag }}
+      docker_tag: ${{ steps.ref.outputs.docker_tag }}
+      refspec: ${{ steps.ref.outputs.refspec }}
+
   test:
     name: Test
+    needs: [ref]
     uses: ./.github/workflows/test_generic.yml
     with:
-      commit: ${{ inputs.commit }}
+      refspec: ${{ needs.ref.outputs.refspec }}
       environment: review
     secrets: inherit
 
   deploy:
     name: Deploy
-    needs: [test]
+    needs: [test, ref]
     uses: ./.github/workflows/build_and_deploy_generic.yml
     with:
-      commit: ${{ inputs.commit }}
+      refspec: ${{ needs.ref.outputs.refspec }}
+      docker_tag: ${{ needs.ref.outputs.docker_tag }}
       environment: production
     secrets: inherit
diff --git a/.github/workflows/build_and_deploy_review.yml b/.github/workflows/build_and_deploy_review.yml
@@ -1,4 +1,4 @@
-name: Build and Deploy to Review
+name: Build and Deploy API to Review
 on:
   workflow_dispatch:
     inputs:
@@ -11,19 +11,36 @@ on:
     branches: [main]
 
 jobs:
+  ref:
+    name: Load Commit Ref
+    runs-on: ubuntu-latest
+    steps:
+      - id: ref
+        uses: passportxyz/gh-workflows/.github/actions/load_commit_ref@v1
+        with:
+          commit: ${{ inputs.commit }}
+
+    outputs:
+      version_tag: ${{ steps.ref.outputs.version_tag }}
+      docker_tag: ${{ steps.ref.outputs.docker_tag }}
+      refspec: ${{ steps.ref.outputs.refspec }}
+
   test:
     name: Test
+    needs: [ref]
     uses: ./.github/workflows/test_generic.yml
     with:
-      commit: ${{ inputs.commit }}
+      refspec: ${{ needs.ref.outputs.refspec }}
       environment: review
     secrets: inherit
 
   deploy:
     name: Deploy
-    needs: [test]
+    needs: [test, ref]
     uses: ./.github/workflows/build_and_deploy_generic.yml
     with:
-      commit: ${{ inputs.commit }}
+      refspec: ${{ needs.ref.outputs.refspec }}
+      docker_tag: ${{ needs.ref.outputs.docker_tag }}
       environment: review
+
     secrets: inherit
diff --git a/.github/workflows/build_and_deploy_staging.yml b/.github/workflows/build_and_deploy_staging.yml
@@ -1,4 +1,4 @@
-name: Build and Deploy to Staging
+name: Build and Deploy API to Staging
 on:
   workflow_dispatch:
     inputs:
@@ -8,19 +8,35 @@ on:
         required: false
 
 jobs:
+  ref:
+    name: Load Commit Ref
+    runs-on: ubuntu-latest
+    steps:
+      - id: ref
+        uses: passportxyz/gh-workflows/.github/actions/load_commit_ref@v1
+        with:
+          commit: ${{ inputs.commit }}
+
+    outputs:
+      version_tag: ${{ steps.ref.outputs.version_tag }}
+      docker_tag: ${{ steps.ref.outputs.docker_tag }}
+      refspec: ${{ steps.ref.outputs.refspec }}
+
   test:
     name: Test
+    needs: [ref]
     uses: ./.github/workflows/test_generic.yml
     with:
-      commit: ${{ inputs.commit }}
+      refspec: ${{ needs.ref.outputs.refspec }}
       environment: review
     secrets: inherit
 
   deploy:
     name: Deploy
-    needs: [test]
+    needs: [test, ref]
     uses: ./.github/workflows/build_and_deploy_generic.yml
     with:
-      commit: ${{ inputs.commit }}
+      refspec: ${{ needs.ref.outputs.refspec }}
+      docker_tag: ${{ needs.ref.outputs.docker_tag }}
       environment: staging
     secrets: inherit