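---
# Deploys a released version of the solution: mirrors the OpenSSL Lambda
# container image from GHCR into ECR (only if that tag is not already there),
# then runs `cdk deploy` against the production environment.
#
# The two workflow_dispatch inputs (`ref`, `openssl_lambda_tag`) reach shell
# steps only through environment variables, never by inline `${{ }}`
# interpolation inside `run:` scripts, so a crafted input cannot inject shell
# commands into the runner.
name: Deployment

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      ref:
        description: "Version to deploy"
        required: true
      openssl_lambda_tag:
        description: "OpenSSL Lambda container tag to deploy"
        required: true

# Least privilege: the workflow reads the repository and pulls from GHCR;
# nothing here pushes to GHCR, so `packages: read` suffices. `id-token: write`
# is required for the OIDC role assumption performed by configure-aws-credentials.
permissions:
  contents: read
  id-token: write
  packages: read

env:
  STACK_NAME: ${{ vars.STACK_NAME }}
  AWS_REGION: ${{ vars.AWS_REGION }}
  FORCE_COLOR: 3
  JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION: 1
  REGISTRY: ghcr.io
  API_DOMAIN_NAME: ${{ vars.API_DOMAIN_NAME }}
  API_DOMAIN_ROUTE_53_ROLE_ARN: ${{ secrets.API_DOMAIN_ROUTE_53_ROLE_ARN }}

jobs:
  print-inputs:
    name: Print inputs
    runs-on: ubuntu-24.04
    steps:
      - name: Print inputs
        # Inputs are passed as env vars so their content is data, not script.
        env:
          REF: ${{ github.event.inputs.ref }}
          OPENSSL_LAMBDA_TAG: ${{ github.event.inputs.openssl_lambda_tag }}
        run: |
          echo "ref=$REF"
          echo "openssl_lambda_tag=$OPENSSL_LAMBDA_TAG"

  docker:
    name: Push Docker images to ECR
    runs-on: ubuntu-24.04
    environment: production
    strategy:
      matrix:
        image:
          - openssl-lambda
        include:
          - image: openssl-lambda
            tag: ${{ github.event.inputs.openssl_lambda_tag }}
    # `matrix.tag` is derived from a workflow input; keep it out of inline
    # script text for the same reason as above.
    env:
      IMAGE: ${{ matrix.image }}
      IMAGE_TAG: ${{ matrix.tag }}
    steps:
      - name: Log in to the repo's container registry
        uses: docker/login-action@de05a6d3a24346d4659bce540fac29c04a309bad
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Pull Docker image from repository registry
        run: |
          docker pull "$REGISTRY/$GITHUB_REPOSITORY/$IMAGE:$IMAGE_TAG"
      - name: Configure AWS credentials
        # TODO(review): pin to a commit SHA, as the docker/login-action steps
        # already are, so a moved `v4` tag cannot change what runs here.
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE }}
          aws-region: ${{ vars.AWS_REGION }}
      - name: Get credentials for ECR
        id: token
        run: |
          # `get-login-password` yields the ECR password already decoded; the
          # previous `authorizationToken` splitting appeared to skip the base64
          # decode. Mask the value before it is written anywhere.
          TOKEN=$(aws ecr get-login-password)
          echo "::add-mask::$TOKEN"
          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
      - name: Get repository on ECR
        id: repositoryUri
        run: |
          REPO_URI=$(aws ecr describe-repositories \
            --repository-names "$STACK_NAME-$IMAGE" \
            | jq -r '.repositories[0].repositoryUri')
          echo "repositoryUri=$REPO_URI" >> "$GITHUB_OUTPUT"
      - name: Log in to ECR
        uses: docker/login-action@de05a6d3a24346d4659bce540fac29c04a309bad
        with:
          registry: ${{ steps.repositoryUri.outputs.repositoryUri }}
          username: AWS
          password: ${{ steps.token.outputs.token }}
      - name: Tag Docker image for ECR
        env:
          ECR_REPOSITORY_URI: ${{ steps.repositoryUri.outputs.repositoryUri }}
        run: |
          docker tag "$REGISTRY/$GITHUB_REPOSITORY/$IMAGE:$IMAGE_TAG" "$ECR_REPOSITORY_URI:$IMAGE_TAG"
      - name: Check if Docker image exists on ECR
        id: check-docker-image
        # A failing manifest lookup is the "not present yet" signal for the
        # push step below; it must not fail the job.
        continue-on-error: true
        env:
          ECR_REPOSITORY_URI: ${{ steps.repositoryUri.outputs.repositoryUri }}
        run: |
          docker manifest inspect "$ECR_REPOSITORY_URI:$IMAGE_TAG"
      - name: Push Docker image to ECR
        # Only push when the tag is absent, so an existing tag in ECR is never
        # overwritten by a re-run.
        if: steps.check-docker-image.outcome == 'failure'
        env:
          ECR_REPOSITORY_URI: ${{ steps.repositoryUri.outputs.repositoryUri }}
        run: |
          docker push "$ECR_REPOSITORY_URI:$IMAGE_TAG"

  deploy:
    runs-on: ubuntu-24.04
    environment: production
    needs: docker
    # FORCE_COLOR and JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION are inherited
    # from the workflow-level env and are not repeated here.
    env:
      OPENSSL_LAMBDA_CONTAINER_TAG: ${{ github.event.inputs.openssl_lambda_tag }}
    steps:
      # `ref` selects exactly what is deployed; the production environment's
      # protection rules (if configured) are the approval gate for that choice.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.inputs.ref }}
      - name: Determine released version
        id: version
        run: |
          git fetch --tags
          VERSION=$(git describe --abbrev=0 --tags --always | tr -d '\n')
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
      - uses: actions/setup-node@v4
        with:
          node-version: "22.x"
          cache: "npm"
      - name: Install dependencies
        run: npm ci --no-audit
      - name: Configure AWS credentials
        # TODO(review): pin to a commit SHA (see the docker job).
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE }}
          aws-region: ${{ vars.AWS_REGION }}
      - name: Show pending stack changes
        run: npx cdk diff
      - name: Deploy solution stack
        run: npx cdk deploy --all --require-approval never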