-
Notifications
You must be signed in to change notification settings - Fork 11
232 lines (203 loc) · 11.1 KB
/
workflow.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
# This workflow will build and push a new container image to Amazon ECR, and then deploy a new task definition to Amazon ECS.
#
# To use this workflow, assume you have your infrastructure already provisioned, if not, you will need to complete the following set-up steps:
#
# 1. Create an ECR repository to store your images.
# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-1`.
# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name.
# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region.
#
# 2. Create an ECS task definition, an ECS cluster, and an ECS service.
# For example, follow the Getting Started guide on the ECS console:
# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun
# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service.
# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster.
#
# 3. Store your ECS task definition as a JSON file in your repository.
# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`.
# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file.
# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container
# in the `containerDefinitions` section of the task definition.
#
# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
# See the documentation for each action used below for the recommended IAM policies for this IAM user,
# and best practices on handling the access key credentials.
name: App CI/CD for building and deploying customer-service to ECS Fargate
on:
push:
branches: [ main ]
tags: "*"
pull_request:
branches: [ main ]
repository_dispatch:
# this is the event_type passed in from the webhook, needs to match exactly what was defined in the webhook custom data payload
types: [ "event-triggered-by-jira" ]
# env section defines environment variables, for now, we have them configured in the github environment secrets
#env:
#AWS_REGION: us-east-1 # set this to your preferred AWS region, e.g. us-west-1
#ECR_REPOSITORY: customer-service # set this to your Amazon ECR repository name
#ECS_SERVICE: customer-service # set this to your Amazon ECS service name
#ECS_CLUSTER: default # set this to your Amazon ECS cluster name
#ECS_TASK_DEFINITION: customer-service # set this to your Amazon ECS task definition
#CONTAINER_NAME: customer-service # set this to the name of the container in the containerDefinitions section of your task definition
# The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs.
# Actions generate a new token for each job and expires the token when a job completes. The token has read permission to contents.
# This configuration allows you to follow a principle of least privilege in your workflows.
permissions:
contents: read
jobs:
buildAndTest:
name: Build & Test
runs-on: ubuntu-latest
environment: ${{ github.event.client_payload.env }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
with:
egress-policy: block
allowed-endpoints: >
api.adoptopenjdk.net:443
github.com:443
objects.githubusercontent.com:443
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
# Merely to print out the jira issue number and the env variables passed in from the webhook for verification
- name: Print JIRA ticket number and environment
run: |
echo JIRA number is ${{ github.event.client_payload.jira-issue }}
echo environment is ${{ github.event.client_payload.env }}
# this action provides the following functionality for the runners:
# - download and set up java 17
# - configure runner for publisher using maven
# - caching dependencies managed by maven
- name: Setup jdk-17
uses: actions/setup-java@5b36705a13905facb447b6812d613a06a07e371d
with:
java-version: 17
distribution: 'adopt'
#This action has a built-in functionality for caching dependencies by using actions/cache under the hood.
cache: maven
# run maven command to build the artifact, skipping test because no connectivity to a real postgres db in the backend, revise data source jdbc url in application.yml to enable testing
- name: Build with Maven
run: mvn clean install -Dmaven.test.skip --file pom.xml
# The output of one job is not automatically available to the subsequent jobs in a workflow.
# GitHub Actions Artifacts allow us to persist data after a job has completed, and share that data with another job in the same workflow.
# So we upload the artifact here so it can be reused by the deploy job later on
- name: Upload the build output
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2
with:
name: exec-jar
# this path and file name is app specific, be sure to modify if your app differs
path: target/customerservice-0.0.1-SNAPSHOT-exec.jar
#- name: test to see if harden-runner blocks this URL
# run: |
# curl -X GET https://www.google.com/
autoMerge:
name: Auto Merge for Dependabot PRs
# uses "needs" to specify sequence of jobs
needs: buildAndTest
runs-on: ubuntu-latest
# specify "write" permission for GITHUB_TOKEN, so it can merge the PRs raised by Dependabot, see step below.
permissions:
pull-requests: write
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
with:
egress-policy: block
allowed-endpoints: >
4qfyacprodeus2file2.blob.core.windows.net:443
api.adoptopenjdk.net:443
artifactcache.actions.githubusercontent.com:443
github.com:443
objects.githubusercontent.com:443
pipelines.actions.githubusercontent.com:443
repo.maven.apache.org:443
# step to auto merge PRs raised by dependabot
- uses: fastify/github-action-merge-dependabot@35d92790eac1b82eb5b6f4a0b48fedced08edb63
if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' }}
with:
# it is an automatically generated secret that lets you make authenticated calls to the GitHub APIs.
github-token: ${{ secrets.GITHUB_TOKEN }}
deploy:
name: Deploy to AWS ECS Fargate
runs-on: ubuntu-latest
# important to specify the environment here so workflow knows where to deploy your artifact to.
# default environment to "dev" if it is not passed in through workflow_dispatch manual trigger
environment: ${{ github.event.inputs.environment || 'dev' }}
needs: autoMerge
# notice the if condition below, no need for ${{ }} as GitHub automatically evaluates the if conditional as an expression
if: startsWith(github.ref, 'refs/tags/') || github.event.inputs.environment != null
steps:
- name: Harden Runner
uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
with:
egress-policy: block
allowed-endpoints: >
4qfyacprodeus2file2.blob.core.windows.net:443
api.adoptopenjdk.net:443
artifactcache.actions.githubusercontent.com:443
github.com:443
objects.githubusercontent.com:443
pipelines.actions.githubusercontent.com:443
repo.maven.apache.org:443
# this print env step merely prints the env for debugging purpose
- name: Print environment
run: |
echo environment is ${{ github.event.inputs.environment }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Set tag
id: vars
run: echo "::set-output name=tag::${GITHUB_REF#refs/*/}"
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@9149ade017c57f86dea2f76a01f8b2d5bd06b10f
- name: Download the build output
uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869
with:
name: exec-jar
path: rest-controller/target # this value may vary depending on your application
- name: Build, tag, and push image to AWS ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY_NAME }}
IMAGE_TAG: ${{ github.sha }}
run: |
# Build a docker container and push it to ECR so that it can be deployed to ECS.
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Download task definition
run: |
aws ecs describe-task-definition --task-definition ${{ secrets.ECS_TASK_DEFINITION }} --query taskDefinition > task-definition.json
- name: Fill in the new image ID and pass in the environment variable in the ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@374ee96751fffe528c09b5f427848da60469bb55
with:
task-definition: task-definition.json
container-name: ${{ secrets.CONTAINER_NAME }}
image: ${{ steps.build-image.outputs.image }}
environment-variables: |
ENVIRONMENT=${{ github.event.inputs.environment || 'dev' }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@9c18d81893224634ac107b91720119c91c1d600e
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ secrets.ECS_SERVICE }}
cluster: ${{ secrets.ECS_CLUSTER }}
wait-for-service-stability: true
- name: Create commit comment
if: github.event_name == 'repository_dispatch'
uses: peter-evans/commit-comment@024efe46f6e45f651301d75870c4bd8fbe17cbc8
with:
body: |
${{ github.event.client_payload.jira-issue }} has been deployed in ${{ github.event.client_payload.env }}