Deployment #603
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deployment | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| ref: | |
| description: "Version to deploy" | |
| required: true | |
| openssl_lambda_tag: | |
| description: "OpenSSL Lambda container tag to deploy" | |
| required: true | |
| permissions: | |
| id-token: write | |
| packages: write | |
| env: | |
| STACK_NAME: ${{ vars.STACK_NAME }} | |
| AWS_REGION: ${{ vars.AWS_REGION }} | |
| FORCE_COLOR: 3 | |
| JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION: 1 | |
| REGISTRY: ghcr.io | |
| API_DOMAIN_NAME: ${{ vars.API_DOMAIN_NAME }} | |
| API_DOMAIN_ROUTE_53_ROLE_ARN: ${{ secrets.API_DOMAIN_ROUTE_53_ROLE_ARN }} | |
| jobs: | |
| print-inputs: | |
| name: Print inputs | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Print inputs | |
| run: | | |
| echo ref=${{ github.event.inputs.ref }} | |
| echo openssl_lambda_tag=${{ github.event.inputs.openssl_lambda_tag }} | |
| docker: | |
| name: Push Docker images to ECR | |
| runs-on: ubuntu-24.04 | |
| environment: production | |
| strategy: | |
| matrix: | |
| image: | |
| - openssl-lambda | |
| include: | |
| - image: openssl-lambda | |
| tag: ${{ github.event.inputs.openssl_lambda_tag }} | |
| steps: | |
| - name: Log in to the repo's container registry | |
| uses: docker/login-action@1f36f5b7a2d2f7bfd524795fc966e6d88c37baa9 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Pull Docker image from repository registry | |
| run: | | |
| docker pull ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:${{ matrix.tag }} | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE }} | |
| aws-region: ${{ vars.AWS_REGION }} | |
| - name: Get credentials for ECR | |
| id: token | |
| run: | | |
| CREDS=$(aws ecr get-authorization-token | jq -r '.authorizationData[0].authorizationToken') | |
| PARTS=($(echo $CREDS | tr ':' '\n')) | |
| TOKEN=${PARTS[1]} | |
| echo "token=$TOKEN" >> $GITHUB_OUTPUT | |
| echo "::add-mask::$TOKEN" | |
| - name: Get repository on ECR | |
| id: repositoryUri | |
| run: | | |
| REPO_URI=$(aws ecr describe-repositories --repository-names ${{ env.STACK_NAME }}-${{ matrix.image }} | jq -r '.repositories[0].repositoryUri') | |
| echo "repositoryUri=$REPO_URI" >> $GITHUB_OUTPUT | |
| - name: Log in to the repo's container registry | |
| uses: docker/login-action@1f36f5b7a2d2f7bfd524795fc966e6d88c37baa9 | |
| with: | |
| registry: ${{ steps.repositoryUri.outputs.repositoryUri }} | |
| username: AWS | |
| password: ${{ steps.token.outputs.token }} | |
| - name: Tag Docker image for ECR | |
| run: | | |
| docker tag ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:${{ matrix.tag }} ${{ steps.repositoryUri.outputs.repositoryUri }}:${{ matrix.tag }} | |
| - name: Check if Docker image exists on ECR | |
| id: check-docker-image | |
| continue-on-error: true | |
| run: | | |
| docker manifest inspect ${{ steps.repositoryUri.outputs.repositoryUri }}:${{ matrix.tag }} | |
| - name: Push Docker image to ECR | |
| if: steps.check-docker-image.outcome == 'failure' | |
| run: | | |
| docker push ${{ steps.repositoryUri.outputs.repositoryUri }}:${{ matrix.tag }} | |
| deploy: | |
| runs-on: ubuntu-24.04 | |
| environment: production | |
| needs: docker | |
| env: | |
| FORCE_COLOR: 3 | |
| JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION: 1 | |
| OPENSSL_LAMBDA_CONTAINER_TAG: | |
| ${{ github.event.inputs.openssl_lambda_tag }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.inputs.ref }} | |
| - name: Determine released version | |
| id: version | |
| run: | | |
| git fetch --tags | |
| VERSION=`git describe --abbrev=0 --tags --always | tr -d '\n'` | |
| echo "VERSION=$VERSION" >> $GITHUB_ENV | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22.x" | |
| cache: "npm" | |
| - name: Install dependencies | |
| run: npm ci --no-audit | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE }} | |
| aws-region: ${{ vars.AWS_REGION }} | |
| - run: npx cdk diff | |
| - name: Deploy solution stack | |
| run: npx cdk deploy --all --require-approval never |