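---
# Continuous deployment of the backend image to the AWS ECS "demo" service.
#
# Triggers:
#   - push of a tag matching v*   -> image tag = tag with the leading "v" stripped
#   - manual workflow_dispatch    -> image tag = Maven project version
#
# Pipeline: checkout -> JDK 21 -> AWS credentials -> sanity-check the runtime
# config secret in Secrets Manager -> build & push to ECR -> register a new ECS
# task-definition revision and roll the service.
name: CD to Demo Environment

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      environment:
        description: 'Environment to deploy to'
        required: true
        default: 'demo'
        type: choice
        options:
          - demo

# Least privilege for GITHUB_TOKEN: only checkout uses it and it needs read access.
# Cloud access goes through the AWS secrets below, not the token.
# NOTE(review): AWS access uses long-lived static keys (AWS_ACCESS_KEY_ID /
# AWS_SECRET_ACCESS_KEY). Prefer OIDC federation (permissions: id-token: write
# plus role-to-assume) once an IAM role trusting this repository exists.
permissions:
  contents: read

# Serialise deployments: two tag pushes in quick succession must not race on
# register-task-definition / update-service. A running deploy is not cancelled,
# because an aborted ECS rollout can leave the service half-rolled.
concurrency:
  group: deploy-demo
  cancel-in-progress: false

jobs:
  deploy-demo:
    name: Deploy to Demo
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
    # Honour the dispatch input (only "demo" is offered today); tag pushes carry
    # no input and fall back to demo. Any required reviewers / deployment-branch
    # rules configured on the environment gate this job.
    environment: ${{ inputs.environment || 'demo' }}
    steps:
      # NOTE(review): actions are pinned to major version tags. Pin to full
      # commit SHAs for supply-chain integrity (a moved tag re-runs unreviewed code
      # with access to the AWS and NVD secrets).
      - uses: actions/checkout@v4

      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'
          cache: 'maven'

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1

      # Fail fast if the runtime config secret is unusable, before any image is
      # pushed or the service is rolled. The secret value is held only in a shell
      # variable and never echoed: values fetched from AWS are NOT auto-masked by
      # GitHub the way ${{ secrets.* }} are, so printing it would leak it into the
      # job log. Keep it that way (no `set -x` in this step).
      - name: Validate Secrets Manager JSON
        env:
          AWS_PAGER: ""
          SECRET_ID: goodone-config
        run: |
          set -euo pipefail
          echo "Fetching secret $SECRET_ID from AWS..."
          SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id "$SECRET_ID" \
                           --query 'SecretString' --output text)
          # Must parse as JSON *and* be an object; jq -e exits non-zero on a parse
          # error or when the expression yields false/null. Output is discarded so
          # nothing derived from the secret reaches the log.
          if ! printf '%s' "$SECRET_VALUE" | jq -e 'type == "object"' >/dev/null 2>&1; then
            echo "::error::Secret $SECRET_ID is NOT a valid JSON object. Deployment aborted."
            echo "This usually happens when updating secrets via PowerShell without proper escaping."
            exit 1
          fi
          # JWT_SECRET must be a string of at least 32 characters. Only its length
          # leaves jq; a missing or non-string value counts as length 0.
          JWT_SECRET_LEN=$(printf '%s' "$SECRET_VALUE" \
                           | jq -r '(.JWT_SECRET // "") | if type == "string" then length else 0 end')
          if [ "$JWT_SECRET_LEN" -lt 32 ]; then
            echo "::error::JWT_SECRET in $SECRET_ID is missing or too short (found $JWT_SECRET_LEN chars, minimum 32 required for demo/prod)."
            exit 1
          fi
          echo "Secret $SECRET_ID validation successful: Valid JSON and secure JWT_SECRET found."

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      # Derive the image tag: the pushed git tag without the leading "v", or the
      # Maven project version on a manual run. The result is spliced into image
      # references and the ECS task definition below, so it is validated against
      # the Docker tag grammar before being exported.
      - name: Extract version
        id: vars
        run: |
          set -euo pipefail
          # $GITHUB_EVENT_NAME is the runner-provided env var; using it instead of
          # ${{ }} interpolation keeps expression output out of the shell script.
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
          else
            VERSION=${GITHUB_REF#refs/tags/v}
          fi
          # Docker tag grammar: [A-Za-z0-9_] then up to 127 of [A-Za-z0-9_.-].
          if ! printf '%s' "$VERSION" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
            echo "::error::Derived version '$VERSION' is not a valid image tag."
            exit 1
          fi
          echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Build, tag, and push image to Amazon ECR
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: goodone-app
          IMAGE_TAG: ${{ steps.vars.outputs.VERSION }}
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: |
          set -euo pipefail
          IMAGE="$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
          if [ -n "$NVD_API_KEY" ]; then
            # Hand the key to the build as a BuildKit secret (never as a build arg,
            # which would land in image history). The temp file lives in
            # $RUNNER_TEMP, outside the build context, so a `COPY . .` in the
            # Dockerfile cannot bake it into a layer; the trap removes it even when
            # the build fails, which the previous unconditional `rm` did not.
            NVD_KEY_FILE=$(mktemp "$RUNNER_TEMP/nvd-api-key.XXXXXX")
            trap 'rm -f "$NVD_KEY_FILE"' EXIT
            # echo (not printf) keeps the trailing newline the Dockerfile may rely on.
            echo "$NVD_API_KEY" > "$NVD_KEY_FILE"
            docker build --secret id=NVD_API_KEY,src="$NVD_KEY_FILE" \
              -t "$IMAGE" -f deploy/dev/Dockerfile .
          else
            docker build -t "$IMAGE" -f deploy/dev/Dockerfile .
          fi
          # ":latest" is a mutable convenience tag and is moved on every deploy,
          # including manual runs of non-tagged commits. Consumers needing
          # reproducibility must pin the version tag.
          docker tag "$IMAGE" "$ECR_REGISTRY/$ECR_REPOSITORY:latest"
          docker push "$IMAGE"
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:latest"

      - name: Update ECS service
        env:
          AWS_PAGER: ""
          CLUSTER_NAME: goodone-cluster
          SERVICE_NAME: goodone-backend-test-service
          TASK_DEF_FILE: deploy/aws/backend-test-task-definition.json
          ECR_REPOSITORY: goodone-app
          VERSION: ${{ steps.vars.outputs.VERSION }}
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        run: |
          set -euo pipefail
          IMAGE="$ECR_REGISTRY/$ECR_REPOSITORY:$VERSION"
          # Point the container at the freshly pushed image and strip the read-only
          # fields that register-task-definition rejects, in one jq pass (the JSON
          # is never re-expanded through an unquoted variable).
          # NOTE(review): assumes containerDefinitions[0] is the app container —
          # confirm against the task definition file; selecting by name is safer.
          FINAL_TASK_DEF=$(jq --arg IMAGE "$IMAGE" \
            '.containerDefinitions[0].image = $IMAGE
             | del(.taskDefinitionArn, .revision, .status, .requiresAttributes,
                   .compatibilities, .registeredAt, .registeredBy)' \
            "$TASK_DEF_FILE")
          NEW_TASK_DEF_ARN=$(aws ecs register-task-definition \
            --cli-input-json "$FINAL_TASK_DEF" \
            --query 'taskDefinition.taskDefinitionArn' --output text)
          # Single task with minimumHealthyPercent=0: the old task is stopped before
          # the new one is healthy, so the demo service is briefly unavailable
          # during each deploy. Raise desired-count / minimumHealthyPercent if that
          # becomes unacceptable.
          aws ecs update-service --cluster "$CLUSTER_NAME" --service "$SERVICE_NAME" \
            --task-definition "$NEW_TASK_DEF_ARN" --desired-count 1 --force-new-deployment \
            --deployment-configuration "maximumPercent=100,minimumHealthyPercent=0"
          # Block until the rollout settles; the waiter fails the job on timeout.
          aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$SERVICE_NAME"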