don't auth in non default branch #141
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD Pipeline | |
on: | |
workflow_dispatch: | |
push: | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
env: | |
BUNDLE_PATH: vendor/bundle | |
RAILS_ENV: test | |
services: | |
postgres: | |
image: postgres:latest | |
env: | |
POSTGRES_USER: postgres | |
POSTGRES_HOST_AUTH_METHOD: trust | |
ports: | |
- 5432:5432 | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
redis: | |
image: redis:6.2.6-alpine | |
ports: | |
- 6379:6379 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ruby/setup-ruby@v1 | |
with: | |
# ruby-version is read from .ruby-version file. | |
bundler-cache: true # runs 'bundle install' and caches installed gems automatically | |
- run: bundle exec rails db:setup db:migrate | |
- name: Run tests | |
run: bundle exec rake | |
- name: Upload test results | |
uses: actions/upload-artifact@v4 | |
with: | |
path: tmp/test-results | |
retention-days: 5 | |
build: | |
permissions: | |
id-token: write | |
contents: read | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Configure AWS credentials | |
if: github.ref_name == github.event.repository.default_branch | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: ${{ secrets.AWS_REGION }} | |
role-to-assume: ${{ secrets.AWS_ECR_ACCESS_ROLE_ARN }} | |
- name: Log into AWS ECR | |
if: github.ref_name == github.event.repository.default_branch | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com | |
- name: Determine ruby version | |
id: ruby-version | |
run: | | |
echo "ruby_version=$(cat .ruby-version)" >> "$GITHUB_OUTPUT" | |
- name: Build and push | |
uses: docker/build-push-action@v6 | |
with: | |
build-args: | | |
RUBY_VERSION=${{ steps.ruby-version.outputs.ruby_version }} | |
REVISION=${{ github.sha }} | |
context: . | |
push: ${{ github.ref_name == github.event.repository.default_branch }} | |
tags: | | |
${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}:sha-${{ github.sha }} | |
deploy: | |
if: github.ref_name == github.event.repository.default_branch | |
needs: | |
- test | |
- build | |
concurrency: | |
group: deploy-to-production | |
cancel-in-progress: false | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Pipeline repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Checkout stack repository | |
uses: actions/checkout@v4 | |
with: | |
repository: barsoom/stack | |
path: stack | |
token: ${{ secrets.STACK_TOKEN }} | |
sparse-checkout: | | |
applications/pipeline/values.yaml | |
script/ci/deploy.sh | |
script/ci/ensure_revision_is_newer_than_deployed_revision.sh | |
- name: Ensure revision is newer than deployed revision | |
run: stack/script/ci/ensure_revision_is_newer_than_deployed_revision.sh | |
- name: Update values.yaml with new image tag | |
run: | | |
NEW_TAG="${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}:sha-${{ github.sha }}" | |
sed -i "s|image:.*|image: $NEW_TAG|g" stack/applications/pipeline/values.yaml | |
- name: Deploy | |
run: stack/script/ci/deploy.sh pipeline.auctionet.dev |