diff --git a/.github/workflows/deploy-andy.yml b/.github/workflows/deploy-andy.yml
new file mode 100644
index 000000000..8328b7f5c
--- /dev/null
+++ b/.github/workflows/deploy-andy.yml
@@ -0,0 +1,26 @@
+name: Deploy andy SearchUI
+
+on:
+ push:
+ branches:
+ - andy/*
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: dev-andy
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: build
+ uses: ./.github/workflows/search-ui-deploy-composite
+ with:
+ maturity: ${{ vars.MATURITY }}
+ cdn-id: ${{ vars.CDN_ID }}
+ s3-bucket: ${{ vars.S3_BUCKET }}
+ aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-andy2.yml b/.github/workflows/deploy-andy2.yml
new file mode 100644
index 000000000..6c71389c9
--- /dev/null
+++ b/.github/workflows/deploy-andy2.yml
@@ -0,0 +1,26 @@
+name: Deploy dev SearchUI
+
+on:
+ push:
+ branches:
+ - andy2/*
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: dev-andy2
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: build
+ uses: ./.github/workflows/search-ui-deploy-composite
+ with:
+ maturity: ${{ vars.MATURITY }}
+ cdn-id: ${{ vars.CDN_ID }}
+ s3-bucket: ${{ vars.S3_BUCKET }}
+ aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-greg.yml b/.github/workflows/deploy-greg.yml
new file mode 100644
index 000000000..c71807213
--- /dev/null
+++ b/.github/workflows/deploy-greg.yml
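Review bot: In deploy-andy.yml the `deploy` job asks for `id-token: write` and the `dev-andy` environment on every push to `andy/*`, and the workflow file that runs is the one on the pushed branch, so anyone who can push such a branch decides which steps run with the deploy role. Nothing in the hunk limits that, so the effective gates are the environment's deployment-branch rule and the role's trust policy; both are configured outside this file and should be confirmed. A short comment above `environment:` would record the dependency, for example `# dev-andy must only allow deployments from andy/* branches`. The same applies to deploy-andy2, deploy-greg, deploy-kim, deploy-test, deploy-tyler, deploy-will and deploy-yoreley, and none of them sets `concurrency:`, so two quick pushes can run `aws s3 sync` against the same bucket in parallel.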
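Review bot: The `name:` in deploy-andy2.yml is `Deploy dev SearchUI`, although the branch filter is `andy2/*` and the environment is `dev-andy2`; the sibling workflows each name their own target. Runs would appear in the Actions UI and in deployment history as a dev deployment, which makes it harder to tell which environment a given run touched. Change it to `name: Deploy andy2 SearchUI`.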
@@ -0,0 +1,26 @@
+name: Deploy greg SearchUI
+
+on:
+ push:
+ branches:
+ - greg/*
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: dev-greg
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: build
+ uses: ./.github/workflows/search-ui-deploy-composite
+ with:
+ maturity: ${{ vars.MATURITY }}
+ cdn-id: ${{ vars.CDN_ID }}
+ s3-bucket: ${{ vars.S3_BUCKET }}
+ aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-kim.yml b/.github/workflows/deploy-kim.yml
new file mode 100644
index 000000000..65d350778
--- /dev/null
+++ b/.github/workflows/deploy-kim.yml
@@ -0,0 +1,26 @@
+name: Deploy kim SearchUI
+
+on:
+ push:
+ branches:
+ - kim/*
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: dev-kim
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: build
+ uses: ./.github/workflows/search-ui-deploy-composite
+ with:
+ maturity: ${{ vars.MATURITY }}
+ cdn-id: ${{ vars.CDN_ID }}
+ s3-bucket: ${{ vars.S3_BUCKET }}
+ aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml
new file mode 100644
index 000000000..b985af511
--- /dev/null
+++ b/.github/workflows/deploy-test.yml
@@ -0,0 +1,26 @@
+name: Deploy test SearchUI
+
+on:
+ push:
+ branches:
+ - test
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: test
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: build
+ uses: ./.github/workflows/search-ui-deploy-composite
+ with:
+ maturity: ${{ vars.MATURITY }}
+ cdn-id: ${{ vars.CDN_ID }}
+ s3-bucket: ${{ vars.S3_BUCKET }}
+ aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-tyler.yml b/.github/workflows/deploy-tyler.yml
new file mode 100644
index 000000000..2d1fb9146
--- /dev/null
+++ b/.github/workflows/deploy-tyler.yml
@@ -0,0 +1,26 @@
+name: Deploy tyler SearchUI
+
+on:
+ push:
+ branches:
+ - tyler/*
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: dev-tyler
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: build
+ uses: ./.github/workflows/search-ui-deploy-composite
+ with:
+ maturity: ${{ vars.MATURITY }}
+ cdn-id: ${{ vars.CDN_ID }}
+ s3-bucket: ${{ vars.S3_BUCKET }}
+ aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-will.yml b/.github/workflows/deploy-will.yml
new file mode 100644
index 000000000..720250b1f
--- /dev/null
+++ b/.github/workflows/deploy-will.yml
@@ -0,0 +1,26 @@
+name: Deploy will SearchUI
+
+on:
+ push:
+ branches:
+ - will/*
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: dev-will
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: build
+ uses: ./.github/workflows/search-ui-deploy-composite
+ with:
+ maturity: ${{ vars.MATURITY }}
+ cdn-id: ${{ vars.CDN_ID }}
+ s3-bucket: ${{ vars.S3_BUCKET }}
+ aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy-yoreley.yml b/.github/workflows/deploy-yoreley.yml
new file mode 100644
index 000000000..8b4e325c6
--- /dev/null
+++ b/.github/workflows/deploy-yoreley.yml
@@ -0,0 +1,26 @@
+name: Deploy yoreley SearchUI
+
+on:
+ push:
+ branches:
+ - yoreley/*
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: dev-yoreley
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: build
+ uses: ./.github/workflows/search-ui-deploy-composite
+ with:
+ maturity: ${{ vars.MATURITY }}
+ cdn-id: ${{ vars.CDN_ID }}
+ s3-bucket: ${{ vars.S3_BUCKET }}
+ aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/search-ui-deploy-composite/action.yml b/.github/workflows/search-ui-deploy-composite/action.yml
new file mode 100644
index 000000000..6ed4da3a0
--- /dev/null
+++ b/.github/workflows/search-ui-deploy-composite/action.yml
@@ -0,0 +1,65 @@
+name: Composite search-ui deploy action
+
+inputs:
+ maturity:
+ required: true
+ type: string
+ cdn-id:
+ required: true
+ type: string
+ s3-bucket:
+ required: true
+ type: string
+ aws-account-id:
+ required: true
+ type: string
+
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Use Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18
+
+ - name: Configure AWS credentials from Test account
+ uses: aws-actions/configure-aws-credentials@v3
+ with:
+ role-to-assume: arn:aws:iam::${{ inputs.aws-account-id }}:role/GitHub_Actions_Role_SearchUI_${{ inputs.maturity }}
+ aws-region: us-east-1
+
+ - name: Fetch the caller identity
+ shell: bash
+ run: |
+ aws sts get-caller-identity
+
+ - name: Install dependencies
+ shell: bash
+ run: |
+ cp src/app/services/envs/env-${{ inputs.maturity }}.ts src/app/services/env.ts
+ echo "{\"hash\":\"${{ github.sha }}\"}" > src/assets/commit-hash.json
+ npm install
+
+ - name: Angular Build
+ shell: bash
+ run: |
+ npm run build
+
+ - name: Deploy to AWS
+ shell: bash
+ run: |
+ cd dist/search-ui
+ aws s3 sync . "s3://${{ inputs.s3-bucket }}"
+ aws cloudfront create-invalidation \
+ --distribution-id ${{ inputs.cdn-id }} \
+ --paths \
+ /index.html \
+ /manifest.json \
+ /ngsw.json \
+ /favicon.ico \
+ /assets/i18n/* \
+ /assets/* \
+ /docs/*
diff --git a/build/github-actions-oidc.yml b/build/github-actions-oidc.yml
new file mode 100644
index 000000000..3723cbfc2
--- /dev/null
+++ b/build/github-actions-oidc.yml
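Review bot: In search-ui-deploy-composite/action.yml the `Configure AWS credentials` step runs before `Install dependencies` and `Angular Build`, so `npm install` lifecycle scripts and the whole build toolchain execute with the assumed role's credentials in the environment. Move the credentials step and `aws sts get-caller-identity` to just before `Deploy to AWS`, and prefer `npm ci` if a lockfile is committed, so the install cannot drift from reviewed versions. The `run:` blocks also expand `${{ inputs.maturity }}`, `${{ inputs.s3-bucket }}` and `${{ inputs.cdn-id }}` straight into shell text; passing them through `env:` and using quoted `"$CDN_ID"`-style references keeps a malformed value from being parsed as shell. `aws-actions/configure-aws-credentials@v3` and `actions/setup-node@v3` are referenced by mutable tag, and pinning them to a full commit SHA is the safer choice in a job that can assume the deploy role.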
@@ -0,0 +1,80 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: GitHub OIDC for when GitHub wants to communicate with AWS.
+Resources:
+
+ # This is the bare-bones role.
+ GitHubActionsRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: GitHub_Actions_Role_SearchUI_test
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
+ Action: sts:AssumeRoleWithWebIdentity
+ Condition:
+ StringLike:
+ 'token.actions.githubusercontent.com:sub': ['repo:asfadmin/Discovery-SearchUI:*']
+ StringEqualsIgnoreCase:
+ 'token.actions.githubusercontent.com:aud': sts.amazonaws.com
+ Policies:
+ - PolicyName: OidcSafetyPolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: OidcSafeties
+ Effect: Deny
+ Action:
+ - sts:AssumeRole
+ Resource: "*"
+ - PolicyName: GitHubActionsDeployPolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: AllowS3SyncActions
+ Effect: Allow
+ Action:
+ - s3:DeleteObject
+ - s3:GetBucketLocation
+ - s3:GetObject
+ - s3:ListBucket
+ - s3:PutObject
+ Resource:
+ - arn:aws:s3:::asf-search-ui-dev
+ - arn:aws:s3:::asf-search-ui-dev/*
+ - arn:aws:s3:::asf-search-ui-test
+ - arn:aws:s3:::asf-search-ui-test/*
+ - arn:aws:s3:::search-ui-custom-deployments
+ - arn:aws:s3:::search-ui-custom-deployments/*
+ - arn:aws:s3:::asf-search-ui-4
+ - arn:aws:s3:::asf-search-ui-4/*
+ - arn:aws:s3:::asf-search-ui-3
+ - arn:aws:s3:::asf-search-ui-3/*
+ - arn:aws:s3:::asf-search-ui-2
+ - arn:aws:s3:::asf-search-ui-2/*
+ - arn:aws:s3:::asf-search-ui-1
+ - arn:aws:s3:::asf-search-ui-1/*
+ - arn:aws:s3:::asf-search-ui-andy-2
+ - arn:aws:s3:::asf-search-ui-andy-2/*
+ - PolicyName: CloudfrontInvalidation
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: AllowInvalidations
+ Effect: Allow
+ Action:
+ - cloudfront:CreateInvalidation
+ Resource: "*"
+
+
+ # This is the OIDC provider hookup itself. This tells AWS to delegate authN GitHub
+ GitHubActionsOidcProvider:
+ Type: AWS::IAM::OIDCProvider
+ Properties:
+ ClientIdList:
+ - sts.amazonaws.com
+ ThumbprintList:
+ - 6938fd4d98bab03faadb97b34396831e3780aea1
+ Url: https://token.actions.githubusercontent.com
diff --git a/buildspec.yml b/buildspec.yml
index b3973eafd..17d627cd3 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -7,7 +7,7 @@ phases:
 commands:
 - n 18
 - npm set progress=false
- - npm install -g @angular/cli@15.2.7
+ - npm install -g @angular/cli@17.2.7
 pre_build:
 commands:
 - cp src/app/services/envs/env-${MATURITY}.ts src/app/services/env.ts
diff --git a/package.json b/package.json
index 0c0b60bf6..ce3252e04 100644
--- a/package.json
+++ b/package.json
@@ -4,7 +4,7 @@
 "scripts": {
 "ng": "ng",
 "start": "ng serve",
- "build": "ng build",
+ "build": "ng build --configuration production",
 "test": "ng test",
 "lint": "eslint -c .eslintrc.js --ext .ts src",
 "e2e": "ng e2e"
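Review bot: In build/github-actions-oidc.yml the trust condition `'token.actions.githubusercontent.com:sub': ['repo:asfadmin/Discovery-SearchUI:*']` accepts a token from any branch, tag or environment of the repository, so the `environment:` gates in the deploy workflows are not enforced on the AWS side. Those jobs all set `environment:`, which gives their tokens a subject of the form `repo:asfadmin/Discovery-SearchUI:environment:NAME`; listing the intended values (for example `repo:asfadmin/Discovery-SearchUI:environment:test`) and matching `aud` with `StringEquals` would bind the role to those deployments only. The role is named `GitHub_Actions_Role_SearchUI_test` yet can write and delete in every listed bucket, and `cloudfront:CreateInvalidation` is allowed on `Resource: "*"`. Scoping both statements to the bucket and distribution of one maturity looks achievable, but should be checked against each environment's `S3_BUCKET` and `CDN_ID` values, which are not visible here.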