diff --git a/.github/workflows/deploy-edc-test.yml b/.github/workflows/deploy-edc-test.yml
new file mode 100644
index 000000000..68f60e98b
--- /dev/null
+++ b/.github/workflows/deploy-edc-test.yml
@@ -0,0 +1,26 @@
+name: Deploy edc test SearchUI
+
+on:
+ push:
+ branches:
+ - test
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: test
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: build
+ uses: ./.github/workflows/search-ui-deploy-composite
+ with:
+ maturity: ${{ vars.MATURITY }}
+ cdn-id: ${{ vars.CDN_ID }}
+ s3-bucket: ${{ vars.S3_BUCKET }}
+ aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/search-ui-edc-deploy-composite/action.yml b/.github/workflows/search-ui-edc-deploy-composite/action.yml
new file mode 100644
index 000000000..cf223c6fa
--- /dev/null
+++ b/.github/workflows/search-ui-edc-deploy-composite/action.yml
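Review bot: The build step's `uses: ./.github/workflows/search-ui-deploy-composite` does not match the composite action this commit adds at `.github/workflows/search-ui-edc-deploy-composite/action.yml`; unless a `search-ui-deploy-composite` action already exists outside this diff, the job will fail to resolve the action and the new EDC composite is never exercised, so the line should read `uses: ./.github/workflows/search-ui-edc-deploy-composite`. The Checkout step here is also redundant with the checkout the composite performs itself, so one of the two can go. For a job that carries `id-token: write`, `actions/checkout@v4` would conventionally be pinned to a full commit SHA (tag kept in a trailing comment) rather than a mutable tag.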
@@ -0,0 +1,55 @@
+name: Composite search-ui deploy action
+
+inputs:
+ maturity:
+ required: true
+ type: string
+ cdn-id:
+ required: true
+ type: string
+ s3-bucket:
+ required: true
+ type: string
+ aws-account-id:
+ required: true
+ type: string
+
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Use Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18
+
+ - name: Configure AWS credentials from Test account
+ uses: aws-actions/configure-aws-credentials@v3
+ with:
+ role-to-assume: arn:aws:iam::${{ inputs.aws-account-id }}:role/GitHub_Actions_Role_SearchUI_${{ inputs.maturity }}
+ aws-region: us-east-1
+
+ - name: Fetch the caller identity
+ shell: bash
+ run: |
+ aws sts get-caller-identity
+
+ - name: Install dependencies
+ shell: bash
+ run: |
+ cp src/app/services/envs/env-${{ inputs.maturity }}.ts src/app/services/env.ts
+ echo "{\"hash\":\"${{ github.sha }}\"}" > src/assets/commit-hash.json
+ npm install
+
+ - name: Angular Build
+ shell: bash
+ run: |
+ npm run build
+
+ - name: Deploy to AWS
+ shell: bash
+ run: |
+ cd dist/search-ui
+ aws s3 sync . "s3://${{ inputs.s3-bucket }}"
diff --git a/build/github-actions-oidc-edc-test.yml b/build/github-actions-oidc-edc-test.yml
new file mode 100644
index 000000000..b800fb801
--- /dev/null
+++ b/build/github-actions-oidc-edc-test.yml
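Review bot: The Install dependencies step runs `npm install`, which can rewrite `package-lock.json` and resolve versions the lockfile does not pin, so a deploy from the `test` branch is not reproducible; `npm ci` installs exactly the locked tree and fails on drift, which is what a release pipeline wants. The same step and the Deploy step splice `${{ inputs.maturity }}` and `${{ inputs.s3-bucket }}` straight into `run:` script text; passing them via `env:` and reading `$MATURITY` / `$S3_BUCKET` in bash keeps the inputs as data rather than script source. `actions/setup-node@v3` and `aws-actions/configure-aws-credentials@v3` are tag-pinned; for the step that mints AWS credentials, a full commit SHA pin is the usual supply-chain control. The `cdn-id` input is declared `required: true` but nothing in the action reads it, so either a CloudFront invalidation step is missing or the input should be dropped. The step name "Configure AWS credentials from Test account" is hard-coded while the role it assumes is parameterised by `inputs.maturity`.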
@@ -0,0 +1,57 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: GitHub OIDC for when GitHub wants to communicate with AWS EDC Test Account.
+
+Resources:
+ # This is the bare-bones role.
+ GitHubActionsRole:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: GitHub_Actions_Role_SearchUI_test
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
+ Action: sts:AssumeRoleWithWebIdentity
+ Condition:
+ StringLike:
+ 'token.actions.githubusercontent.com:sub': ['repo:asfadmin/Discovery-SearchUI:*']
+ StringEqualsIgnoreCase:
+ 'token.actions.githubusercontent.com:aud': sts.amazonaws.com
+ Policies:
+ - PolicyName: OidcSafetyPolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: OidcSafeties
+ Effect: Deny
+ Action:
+ - sts:AssumeRole
+ Resource: "*"
+ - PolicyName: GitHubActionsDeployPolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: AllowS3SyncActions
+ Effect: Allow
+ Action:
+ - s3:DeleteObject
+ - s3:GetBucketLocation
+ - s3:GetObject
+ - s3:ListBucket
+ - s3:PutObject
+ Resource:
+ - arn:aws:s3:::asf-search-ui-edc-test
+ - arn:aws:s3:::asf-search-ui-edc-test/*
+
+
+ # This is the OIDC provider hookup itself. This tells AWS to delegate authN GitHub
+ GitHubActionsOidcProvider:
+ Type: AWS::IAM::OIDCProvider
+ Properties:
+ ClientIdList:
+ - sts.amazonaws.com
+ ThumbprintList:
+ - 6938fd4d98bab03faadb97b34396831e3780aea1
+ Url: https://token.actions.githubusercontent.com
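Review bot: The trust policy's `sub` condition `'repo:asfadmin/Discovery-SearchUI:*'` lets any workflow run in the repository — any branch, tag or event that can obtain an ID token — assume `GitHub_Actions_Role_SearchUI_test`, although the deploy workflow only runs on the `test` branch under the `test` environment. Narrowing it to `'token.actions.githubusercontent.com:sub': ['repo:asfadmin/Discovery-SearchUI:environment:test']` (or `ref:refs/heads/test` if the environment is dropped) scopes the role to that deployment. The trust policy's `Version: 2012-10-17` is unquoted while the two inline policies quote it; quote it for consistency so a YAML 1.1 loader does not type it as a date. `s3:DeleteObject` is granted, but the `aws s3 sync` in the composite action runs without `--delete`, so the permission is unused as written — drop it, or add the flag deliberately if object removal is intended. If the account already holds an OIDC provider for `token.actions.githubusercontent.com`, creating a second one in this stack will fail, since IAM allows one provider per URL per account; in that case the existing provider ARN should be referenced instead of the `GitHubActionsOidcProvider` resource.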