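---
# Reusable workflow: applies one commit through dev -> stage -> prod, then
# tags a release and reports the outcome on the originating pull request.
#
# NOTE(review): every third-party action below is referenced by a mutable
# major-version tag. For supply-chain hardening, pin each `uses:` to a
# full-length commit SHA (keep the tag in a trailing comment) and let
# Dependabot/Renovate bump it.
name: Deploy thru Prod
on:
  workflow_call:
    inputs:
      commit-identifier:
        description: SHA or tag to apply
        type: string
        required: true
      oidc-domain:
        description: 'OIDC Domain. Ex: "core" or "reveng"'
        required: true
        type: string
      terraform-workspace:
        description: Terraform Workspace, (optional) when omitted, the environment is used
        type: string
        required: false
      terraform-root-dev:
        description: Root directory of terraform dev. When omitted, terraform/dev is used
        type: string
        required: false
      terraform-root-stage:
        description: Root directory of terraform stage. When omitted, terraform/stage is used
        type: string
        required: false
      terraform-root-prod:
        description: Root directory of terraform prod. When omitted, terraform/prod is used
        type: string
        required: false
      terraform-version:
        description: Terraform version to use
        type: string
        required: true
    secrets:
      ORG_READ_ONLY_SSH_KEY:
        required: true
      ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN:
        required: true

# One concurrency group per repository and no cancel-in-progress: a newer
# run is queued behind the running one rather than interrupting it.
concurrency: ${{ github.repository }}

# Least privilege: the workflow-level GITHUB_TOKEN gets no scopes. Each job
# below re-requests only what it uses (OIDC for the deploys, contents:write
# for the release, pull-requests:write for the PR comment) instead of every
# job inheriting id-token/contents/pull-requests write. The caller must still
# grant at least these scopes: a called workflow can only downgrade them.
permissions: {}

jobs:
  Set-Release-Tag:
    runs-on: ubuntu-latest
    # Only run for a merged PR (the caller's event) or a manual dispatch.
    # Every other job depends on this one, so a skip here skips the pipeline.
    if: ${{ github.event.pull_request.merged || github.event_name == 'workflow_dispatch' }}
    outputs:
      release-tag: ${{ steps.releaseTag.outputs.release-tag }}
    steps:
      - name: Set Release Tag
        id: releaseTag
        # Minute-resolution timestamp: two runs starting within the same
        # minute would get the same tag and the release step would then fail.
        run: echo "release-tag=$(date +'%Y.%m.%d-%H-%M')" >> "$GITHUB_OUTPUT"

  DeployDev:
    name: Apply Dev
    needs: [Set-Release-Tag]
    uses: ./.github/workflows/deploy_environment.yml
    # id-token:write mints the OIDC token for `oidc-domain`; contents:read is
    # presumably enough to check out the terraform root — raise only if
    # deploy_environment.yml demonstrably needs more.
    permissions:
      id-token: write
      contents: read
    with:
      environment: dev
      oidc-domain: ${{ inputs.oidc-domain }}
      terraform-workspace: ${{ inputs.terraform-workspace || 'dev' }}
      commit-identifier: ${{ inputs.commit-identifier }}
      release-tag: ${{ needs.Set-Release-Tag.outputs.release-tag }}
      terraform-root: ${{ inputs.terraform-root-dev || 'terraform/dev' }}
      terraform-version: ${{ inputs.terraform-version }}
    secrets:
      ORG_READ_ONLY_SSH_KEY: ${{ secrets.ORG_READ_ONLY_SSH_KEY }}
      ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN: ${{ secrets.ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN }}

  DeployStage:
    name: Apply Stage
    needs: [Set-Release-Tag, DeployDev]
    uses: ./.github/workflows/deploy_environment.yml
    permissions:
      id-token: write
      contents: read
    with:
      environment: stage
      oidc-domain: ${{ inputs.oidc-domain }}
      terraform-workspace: ${{ inputs.terraform-workspace || 'stage' }}
      commit-identifier: ${{ inputs.commit-identifier }}
      release-tag: ${{ needs.Set-Release-Tag.outputs.release-tag }}
      terraform-root: ${{ inputs.terraform-root-stage || 'terraform/stage' }}
      terraform-version: ${{ inputs.terraform-version }}
    secrets:
      ORG_READ_ONLY_SSH_KEY: ${{ secrets.ORG_READ_ONLY_SSH_KEY }}
      ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN: ${{ secrets.ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN }}

  DeployProd:
    name: Apply Prod
    needs: [Set-Release-Tag, DeployStage]
    uses: ./.github/workflows/deploy_environment.yml
    # NOTE(review): nothing in this file gates prod behind an approval; any
    # manual gate must live on the `prod` environment used by the called
    # workflow — confirm it is configured with required reviewers.
    permissions:
      id-token: write
      contents: read
    with:
      environment: prod
      oidc-domain: ${{ inputs.oidc-domain }}
      terraform-workspace: ${{ inputs.terraform-workspace || 'prod' }}
      commit-identifier: ${{ inputs.commit-identifier }}
      release-tag: ${{ needs.Set-Release-Tag.outputs.release-tag }}
      terraform-root: ${{ inputs.terraform-root-prod || 'terraform/prod' }}
      terraform-version: ${{ inputs.terraform-version }}
    secrets:
      ORG_READ_ONLY_SSH_KEY: ${{ secrets.ORG_READ_ONLY_SSH_KEY }}
      ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN: ${{ secrets.ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN }}

  CreateRelease:
    name: Create New Release
    needs: [Set-Release-Tag, DeployProd]
    runs-on: ubuntu-latest
    permissions:
      contents: write  # creating the tag and the release
    steps:
      - name: Checkout Actions
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-identifier }}
          fetch-depth: "0"
          # The release step passes its own token; do not leave GITHUB_TOKEN
          # persisted in .git/config for later steps or actions to reuse.
          persist-credentials: false
      - name: Create release
        uses: ncipollo/release-action@v1
        with:
          tag: ${{ needs.Set-Release-Tag.outputs.release-tag }}
          commit: ${{ inputs.commit-identifier }}
          token: ${{ secrets.GITHUB_TOKEN }}

  ReportStatus:
    name: Report Status on PR
    runs-on: ubuntu-latest
    needs: [DeployDev, DeployStage, DeployProd, CreateRelease]
    # Runs even when upstream jobs failed or were skipped so the PR always
    # gets a report; the per-job `result` values drive the wording below.
    if: always()
    permissions:
      pull-requests: write  # posting the status comment
    env:
      BUILD_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
    steps:
      # NOTE(review): on a workflow_dispatch trigger there is no PR to
      # comment on — confirm whether this action skips or fails in that case.
      - uses: mshick/add-pr-comment@v2
        with:
          message: |
            # :page_with_curl: Status Report :page_with_curl:
            **Deploy to Stage Status:** This job has ${{ needs.DeployStage.result == 'success' && 'passed! :heavy_check_mark:' ||
            needs.DeployStage.result == 'failure' && 'failed. :x:' || needs.DeployStage.result == 'skipped' && 'skipped. :warning:' || 'canceled. :no_entry_sign:'}}
            **Deploy to Prod Status:** This job has ${{ needs.DeployProd.result == 'success' && 'passed! :heavy_check_mark:' ||
            needs.DeployProd.result == 'failure' && 'failed. :x:' || needs.DeployProd.result == 'skipped' && 'skipped. :warning:' || 'canceled. :no_entry_sign:'}}
            **Create Release:** This job has ${{ needs.CreateRelease.result == 'success' && 'passed! :heavy_check_mark:' ||
            needs.CreateRelease.result == 'failure' && 'failed. :x:' || needs.CreateRelease.result == 'skipped' && 'skipped. :warning:' || 'canceled. :no_entry_sign:'}}
            [Click here to view the job](${{ env.BUILD_URL }})
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          repo-token-user-login: "github-actions[bot]"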