Dependabot updates for week of 31 July 2023 (#2443) #401
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Deploy Update to QA Server" | |
on: | |
push: | |
branches: | |
- master | |
permissions: | |
contents: read | |
jobs: | |
build: | |
strategy: | |
matrix: | |
component: [frontend, backend, maintenance, database] | |
runs-on: ubuntu-latest | |
outputs: | |
image_tag: ${{ steps.build_combine.outputs.image_tag }} | |
steps: | |
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on | |
# configuring harden-runner and identifying allowed endpoints. | |
- name: Harden Runner | |
uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
*.data.mcr.microsoft.com:443 | |
${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com | |
api.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443 | |
api.github.com:443 | |
api.nuget.org:443 | |
archive.ubuntu.com:80 | |
auth.docker.io:443 | |
codecov.io:443 | |
dc.services.visualstudio.com:443 | |
deb.debian.org:80 | |
docker.io:443 | |
dotnetcli.azureedge.net:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
mcr.microsoft.com:443 | |
pipelines.actions.githubusercontent.com:443 | |
production.cloudflare.docker.com:443 | |
pypi.org:443 | |
registry-1.docker.io:443 | |
registry.npmjs.org:443 | |
security.debian.org:80 | |
security.ubuntu.com:80 | |
storage.googleapis.com:443 | |
sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443 | |
uploader.codecov.io:443 | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
with: | |
fetch-depth: 0 | |
- name: Build The Combine | |
id: build_combine | |
uses: ./.github/actions/combine-build | |
with: | |
image_registry: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com | |
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws_default_region: ${{ secrets.AWS_DEFAULT_REGION }} | |
build_component: ${{ matrix.component }} | |
clean_ecr_repo: | |
needs: build | |
env: | |
RM_PATTERN_1: \d+\.\d+\.\d+-master\.\d+ | |
RM_PATTERN_2: \d+\.\d+\.\d+-[a-z]+\.\d+-master\.\d+ | |
runs-on: ubuntu-latest | |
steps: | |
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on | |
# configuring harden-runner and identifying allowed endpoints. | |
- name: Harden Runner | |
uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443 | |
github.com:443 | |
sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443 | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v2.2.0 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ secrets.AWS_DEFAULT_REGION }} | |
- name: Remove old AWS ECR images | |
run: scripts/clean_aws_repo.py combine_frontend combine_backend combine_maint combine_database --keep ${{ needs.build.outputs.image_tag }} --remove "${{ env.RM_PATTERN_1 }}" "${{ env.RM_PATTERN_2 }}" --verbose | |
deploy_update: | |
needs: build | |
# Only push to the QA server when built on the master branch | |
if: ${{ github.ref_name == 'master' }} | |
runs-on: [self-hosted, thecombine] | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Deploy The Combine Update | |
uses: ./.github/actions/combine-deploy-update | |
with: | |
image_registry: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com | |
image_tag: ${{ needs.build.outputs.image_tag }} | |
kube_context: ${{ secrets.LTOPS_K8S_STAGING_CONTEXT }} | |
update_cert_proxy: false |