Merge pull request #1932 from asfadmin/will/actions

Setup github actions for vertex deployments
asfadmin · Jul 9, 2024 · 7592710 · 7592710
2 parents 1a4d89c + 127383b
commit 7592710
Show file tree

Hide file tree

Showing 12 changed files with 355 additions and 2 deletions.
diff --git a/.github/workflows/deploy-andy.yml b/.github/workflows/deploy-andy.yml
@@ -0,0 +1,26 @@
+name: Deploy andy SearchUI
+
+on:
+  push:
+    branches:
+      - andy/*
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: dev-andy
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: build
+        uses: ./.github/workflows/search-ui-deploy-composite
+        with:
+          maturity: ${{ vars.MATURITY }}
+          cdn-id: ${{ vars.CDN_ID }}
+          s3-bucket: ${{ vars.S3_BUCKET }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-andy2.yml b/.github/workflows/deploy-andy2.yml
@@ -0,0 +1,26 @@
+name: Deploy dev SearchUI
+
+on:
+  push:
+    branches:
+      - andy2/*
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: dev-andy2
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: build
+        uses: ./.github/workflows/search-ui-deploy-composite
+        with:
+          maturity: ${{ vars.MATURITY }}
+          cdn-id: ${{ vars.CDN_ID }}
+          s3-bucket: ${{ vars.S3_BUCKET }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-greg.yml b/.github/workflows/deploy-greg.yml
@@ -0,0 +1,26 @@
+name: Deploy greg SearchUI
+
+on:
+  push:
+    branches:
+      - greg/*
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: dev-greg
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: build
+        uses: ./.github/workflows/search-ui-deploy-composite
+        with:
+          maturity: ${{ vars.MATURITY }}
+          cdn-id: ${{ vars.CDN_ID }}
+          s3-bucket: ${{ vars.S3_BUCKET }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-kim.yml b/.github/workflows/deploy-kim.yml
@@ -0,0 +1,26 @@
+name: Deploy kim SearchUI
+
+on:
+  push:
+    branches:
+      - kim/*
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: dev-kim
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: build
+        uses: ./.github/workflows/search-ui-deploy-composite
+        with:
+          maturity: ${{ vars.MATURITY }}
+          cdn-id: ${{ vars.CDN_ID }}
+          s3-bucket: ${{ vars.S3_BUCKET }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml
@@ -0,0 +1,26 @@
+name: Deploy test SearchUI
+
+on:
+  push:
+    branches:
+      - test
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: test
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: build
+        uses: ./.github/workflows/search-ui-deploy-composite
+        with:
+          maturity: ${{ vars.MATURITY }}
+          cdn-id: ${{ vars.CDN_ID }}
+          s3-bucket: ${{ vars.S3_BUCKET }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-tyler.yml b/.github/workflows/deploy-tyler.yml
@@ -0,0 +1,26 @@
+name: Deploy tyler SearchUI
+
+on:
+  push:
+    branches:
+      - tyler/*
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: dev-tyler
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: build
+        uses: ./.github/workflows/search-ui-deploy-composite
+        with:
+          maturity: ${{ vars.MATURITY }}
+          cdn-id: ${{ vars.CDN_ID }}
+          s3-bucket: ${{ vars.S3_BUCKET }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-will.yml b/.github/workflows/deploy-will.yml
@@ -0,0 +1,26 @@
+name: Deploy will SearchUI
+
+on:
+  push:
+    branches:
+      - will/*
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: dev-will
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: build
+        uses: ./.github/workflows/search-ui-deploy-composite
+        with:
+          maturity: ${{ vars.MATURITY }}
+          cdn-id: ${{ vars.CDN_ID }}
+          s3-bucket: ${{ vars.S3_BUCKET }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-yoreley.yml b/.github/workflows/deploy-yoreley.yml
@@ -0,0 +1,26 @@
+name: Deploy yoreley SearchUI
+
+on:
+  push:
+    branches:
+      - yoreley/*
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: dev-yoreley
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: build
+        uses: ./.github/workflows/search-ui-deploy-composite
+        with:
+          maturity: ${{ vars.MATURITY }}
+          cdn-id: ${{ vars.CDN_ID }}
+          s3-bucket: ${{ vars.S3_BUCKET }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/search-ui-deploy-composite/action.yml b/.github/workflows/search-ui-deploy-composite/action.yml
@@ -0,0 +1,65 @@
+name: Composite search-ui deploy action
+
+inputs:
+  maturity:
+    required: true
+    type: string
+  cdn-id:
+    required: true
+    type: string
+  s3-bucket:
+    required: true
+    type: string
+  aws-account-id:
+    required: true
+    type: string
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Use Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version: 18
+
+    - name: Configure AWS credentials from Test account
+      uses: aws-actions/configure-aws-credentials@v3
+      with:
+        role-to-assume: arn:aws:iam::${{ inputs.aws-account-id }}:role/GitHub_Actions_Role_SearchUI_${{ inputs.maturity }}
+        aws-region: us-east-1
+
+    - name: Fetch the caller identity
+      shell: bash
+      run: |
+        aws sts get-caller-identity
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        cp src/app/services/envs/env-${{ inputs.maturity }}.ts src/app/services/env.ts
+        echo "{\"hash\":\"${{ github.sha }}\"}" > src/assets/commit-hash.json
+        npm install
+
+    - name: Angular Build
+      shell: bash
+      run: |
+        npm run build
+
+    - name: Deploy to AWS
+      shell: bash
+      run: |
+        cd dist/search-ui
+        aws s3 sync . "s3://${{ inputs.s3-bucket }}"
+        aws cloudfront create-invalidation \
+            --distribution-id ${{ inputs.cdn-id }} \
+            --paths \
+                /index.html \
+                /manifest.json \
+                /ngsw.json \
+                /favicon.ico \
+                /assets/i18n/* \
+                /assets/* \
+                /docs/*
diff --git a/build/github-actions-oidc.yml b/build/github-actions-oidc.yml
@@ -0,0 +1,80 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: GitHub OIDC for when GitHub wants to communicate with AWS.
+Resources:
+
+  # This is the bare-bones role.
+  GitHubActionsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: GitHub_Actions_Role_SearchUI_test
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
+            Action: sts:AssumeRoleWithWebIdentity
+            Condition:
+              StringLike:
+                'token.actions.githubusercontent.com:sub': ['repo:asfadmin/Discovery-SearchUI:*']
+              StringEqualsIgnoreCase:
+                'token.actions.githubusercontent.com:aud': sts.amazonaws.com
+      Policies:
+        - PolicyName: OidcSafetyPolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Sid: OidcSafeties
+                Effect: Deny
+                Action:
+                  - sts:AssumeRole
+                Resource: "*"
+        - PolicyName: GitHubActionsDeployPolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Sid: AllowS3SyncActions
+                Effect: Allow
+                Action:
+                  - s3:DeleteObject
+                  - s3:GetBucketLocation
+                  - s3:GetObject
+                  - s3:ListBucket
+                  - s3:PutObject
+                Resource:
+                  - arn:aws:s3:::asf-search-ui-dev
+                  - arn:aws:s3:::asf-search-ui-dev/*
+                  - arn:aws:s3:::asf-search-ui-test
+                  - arn:aws:s3:::asf-search-ui-test/*
+                  - arn:aws:s3:::search-ui-custom-deployments
+                  - arn:aws:s3:::search-ui-custom-deployments/*
+                  - arn:aws:s3:::asf-search-ui-4
+                  - arn:aws:s3:::asf-search-ui-4/*
+                  - arn:aws:s3:::asf-search-ui-3
+                  - arn:aws:s3:::asf-search-ui-3/*
+                  - arn:aws:s3:::asf-search-ui-2
+                  - arn:aws:s3:::asf-search-ui-2/*
+                  - arn:aws:s3:::asf-search-ui-1
+                  - arn:aws:s3:::asf-search-ui-1/*
+                  - arn:aws:s3:::asf-search-ui-andy-2
+                  - arn:aws:s3:::asf-search-ui-andy-2/*
+        - PolicyName: CloudfrontInvalidation
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Sid: AllowInvalidations
+                Effect: Allow
+                Action:
+                  - cloudfront:CreateInvalidation
+                Resource: "*"
+
+
+  # This is the OIDC provider hookup itself. This tells AWS to delegate authN GitHub
+  GitHubActionsOidcProvider:
+    Type: AWS::IAM::OIDCProvider
+    Properties:
+      ClientIdList:
+        - sts.amazonaws.com
+      ThumbprintList:
+        - 6938fd4d98bab03faadb97b34396831e3780aea1
+      Url: https://token.actions.githubusercontent.com
diff --git a/buildspec.yml b/buildspec.yml
@@ -7,7 +7,7 @@ phases:
     commands:
       - n 18
       - npm set progress=false
-      - npm install -g @angular/cli@15.2.7
+      - npm install -g @angular/cli@17.2.7
   pre_build:
     commands:
       - cp src/app/services/envs/env-${MATURITY}.ts src/app/services/env.ts

diff --git a/package.json b/package.json
@@ -4,7 +4,7 @@
   "scripts": {
     "ng": "ng",
     "start": "ng serve",
-    "build": "ng build",
+    "build": "ng build --configuration production",
     "test": "ng test",
     "lint": "eslint -c .eslintrc.js --ext .ts src",
     "e2e": "ng e2e"