Unfudge the worst of it #163
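---
# Runs the test suite and then the Terraform plan/apply for the json2pdf
# deployment. Triggered by pull requests against main that touch the paths
# listed below (workspace 'dev') and by any tag push (workspace 'prod').
name: Terraform and Serverless Deployment

# https://github.com/hashicorp/setup-terraform#setup-terraform

# yamllint disable-line rule:truthy
on:
  pull_request:
    branches: [main]
    # only run when one of the directories listed below has changed
    paths:
      - botcpdf/**
      - data/**
      - icons/**
      - templates/**
      - terraform/**
      - www/**
  push:
    tags:
      - '*'

# only allow one workflow to run at a time
concurrency:
  group: terraform-matrix
  cancel-in-progress: false

# Scopes granted to GITHUB_TOKEN for every job in this workflow.
# NOTE(review): 'id-token: write' enables OIDC token requests, yet the
# terraform step below is given static AWS keys; confirm whether the action
# needs OIDC and drop whichever credential path is unused. Likewise confirm
# that both 'issues' and 'pull-requests' write access are required.
permissions:
  id-token: write
  contents: read
  issues: write
  pull-requests: write

# set default (empty) env vars (keeps linter happy in IDE)
# NOTE(review): no step in this file assigns DEPLOY_ENV, so the Discord job
# name below renders with empty parentheses; confirm whether WORKSPACE was
# meant instead.
env:
  WORKSPACE: ''
  DEPLOY_ENV: ''

jobs:
  terraform-matrix:
    name: Terraform Matrix
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # account ids are identifiers, not numbers: quoted so a YAML parser
        # never retypes them (an id with a leading zero would be corrupted)
        aws-account-id:
          - '436158765452'
        session-tag:
          - botc-json2pdf
        include:
          # must stay the same type/value as the aws-account-id entry above,
          # otherwise these keys are not merged into that combination
          - account-name-prefix: chizography
            aws-account-id: '436158765452'
            aws-deployment-role: botc/deploy_json2pdf
            aws-region: eu-west-2
            terraform-dir: terraform
    steps:
      # NOTE(review): every action below is referenced by a mutable tag. A
      # tag can be repointed by the action's owner; pinning third-party
      # actions to a full commit SHA means the code that receives the AWS
      # keys and GITHUB_TOKEN cannot change without a reviewed diff here.
      - uses: actions/checkout@v4
        with:
          # empty on tag pushes, where checkout falls back to the ref that
          # triggered the run
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Set Workspace Env
        # if we're a PR then we use 'dev', otherwise we use 'prod'
        # https://support.hashicorp.com/hc/en-us/articles/360043550953-Selecting-a-workspace-when-running-Terraform-in-automation
        env:
          # passed through the environment rather than expanded inside the
          # script text, so the shell only ever sees it as data
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          if [ -n "$PR_HEAD_SHA" ]; then
            echo "WORKSPACE=dev" >> "$GITHUB_ENV"
          else
            echo "WORKSPACE=prod" >> "$GITHUB_ENV"
          fi

      # because we know some of our terraform has an external poetry data
      # source, we need to install poetry
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Setup Poetry
        uses: abatilo/actions-poetry@v2
        with:
          poetry-version: 1.4.2

      - name: Prerelease Version
        shell: bash
        if: github.event_name == 'pull_request'
        run: |
          # for convenience we bump the version number (prerelease) if we're a
          # PR; we don't care about keeping this, we just _never_ want to have
          # a PR with a normal release version number
          poetry version prerelease

      - name: Run Tests
        shell: bash
        run: |
          make test

      - name: Run terraform actions
        id: run-terraform-actions
        # NOTE(review): the reference below was mangled by e-mail obfuscation
        # when this page was captured; restore the real owner/repo@ref from
        # the repository before using this file.
        # yamllint disable-line rule:line-length
        uses: chizmw/[email protected]
        with:
          # yamllint disable rule:line-length
          use-workspaces: true
          workspace: ${{ env.WORKSPACE }}
          terraform-dir: ${{ matrix.terraform-dir }}
          # state-key: ${{ github.repository }}-${{ matrix.aws-account-id }}-${{ matrix.session-tag }}.tfstate
          aws-account-id: ${{ matrix.aws-account-id }}
          aws-account-name-prefix: ${{ matrix.account-name-prefix }}
          aws-session-tag: ${{ matrix.session-tag }}
          aws-access-key-id: ${{ secrets.CHIZOGRAPHY_GITHUB_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.CHIZOGRAPHY_GITHUB_AWS_SECRET_ACCESS_KEY }}
          aws-deployment-role: ${{ matrix.aws-deployment-role }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          aws-region: ${{ matrix.aws-region }}
          # if we're in a PR or a tag push, set auto-apply to true
          # (parentheses only make the existing precedence explicit)
          # NOTE(review): on pull_request this applies the PR head's terraform
          # to the 'dev' workspace with the deployment role before the change
          # is merged; confirm that role is scoped to dev resources only.
          auto-apply: ${{ github.event_name == 'pull_request' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) }}
          # yamllint enable rule:line-length

      - name: Notify Discord
        # NOTE(review): reference mangled by e-mail obfuscation in the
        # captured page; restore the real owner/repo@ref from the repository.
        uses: th0th/[email protected]
        if: ${{ always() }}
        env:
          # A webhook URL is a bearer credential: whoever holds it can post
          # to the channel. It was previously committed here in plain text,
          # so the old webhook should be deleted in Discord and a new one
          # stored as a repository secret. The secret name below is a
          # suggested placeholder; create it under the repository's Actions
          # secrets before merging.
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
          GITHUB_ACTOR: ${{ github.actor }}
          GITHUB_JOB_NAME: Deploy Serverless (${{ env.DEPLOY_ENV }})
          GITHUB_JOB_STATUS: ${{ job.status }}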