Skip to content

ci: move permissions to prod only and always run lint workflows #1961

ci: move permissions to prod only and always run lint workflows

ci: move permissions to prod only and always run lint workflows #1961

Workflow file for this run

on: [push]
jobs:
main:
name: Build, Format and Test
runs-on: ubuntu-latest
steps:
- uses: linz/action-typescript@9bf69b0f313b3525d3ba3116f26b1aff7eb7a6c0 # v3.1.0
- name: Download actionlint
run: docker build --tag actionlint - < .github/workflows/actionlint.dockerfile
- name: Run actionlint to check workflow files
run: docker run --volume="${PWD}:/repo" --workdir=/repo actionlint -color
- name: Install Argo
run: |
curl -sLO https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-linux-amd64.gz
gunzip argo-linux-amd64.gz
chmod +x argo-linux-amd64
./argo-linux-amd64 version
- name: Lint workflows
run: |
./argo-linux-amd64 lint --offline templates/ workflows/
deploy-prod:
runs-on: ubuntu-latest
concurrency: deploy-prod-${{ github.ref }}
needs: [main]
if: ${{ github.ref == 'refs/heads/master' }}
environment:
name: prod
permissions:
id-token: write
contents: read
env:
CLUSTER_NAME: Workflows
steps:
- uses: linz/action-typescript@9bf69b0f313b3525d3ba3116f26b1aff7eb7a6c0 # v3.1.0
# Configure access to AWS / EKS
- name: Setup kubectl
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3
with:
version: 'latest'
- name: AWS Configure
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4
with:
aws-region: ap-southeast-2
mask-aws-account-id: true
role-to-assume: ${{ secrets.AWS_CI_ROLE }}
- name: Find Changes in Infra
id: get-infra-changes
run: |
mapfile -d '' modified_infra_files < <(git diff --name-only -z ${{ github.event.before }} ${{ github.event.after }} -- "infra/*")
if [[ "${#modified_infra_files[@]}" -ge 1 ]]; then
echo "run_infra=true" >> "$GITHUB_OUTPUT"
else
echo "run_infra=false" >> "$GITHUB_OUTPUT"
fi
- name: (CDK) Deploy
if: steps.get-infra-changes.outputs.run_infra == 'true'
run: |
npx cdk deploy ${{ env.CLUSTER_NAME }} \
-c maintainer-arns=${{ secrets.AWS_CI_ROLE }},${{ secrets.AWS_ADMIN_ROLE }},${{ secrets.AWS_WFMAINTAINER_ROLE }} \
-c aws-account-id=${{ secrets.AWS_ACCOUNT_ID }} \
--require-approval never
- name: Login to EKS
run: |
aws eks update-kubeconfig --name ${{ env.CLUSTER_NAME }} --region ap-southeast-2
- name: Check EKS connection
run: |
kubectl get nodes
# Configure the Kubernetes cluster with CDK8s
- name: (CDK8s) Synth
if: steps.get-infra-changes.outputs.run_infra == 'true'
run: |
npx cdk8s synth
# nb: kubectl diff - is somewhat dangerous as it dumps out secrets in plain text
# so it should not be used in this pipeline
# TODO use a --prune and --applyset to remove unused objects
- name: (CDK8s) Deploy
if: steps.get-infra-changes.outputs.run_infra == 'true'
run: |
kubectl apply -f dist/
- name: Deploy workflows
if: github.ref == 'refs/heads/master'
run: |
# Deploy templates first
kubectl apply -f templates/argo-tasks/ --namespace argo
# Find all workflows that have kind "WorkflowTemplate"
WORKFLOWS=$(grep '^kind: WorkflowTemplate$' -R workflows/ -H | cut -d ':' -f1)
# For each workflow template attempt to deploy it using kubectl
for wf in $WORKFLOWS; do
kubectl apply -f "$wf" --namespace argo
done
# Find all cron workflows that have kind "CronWorkflow"
CRON_WORKFLOWS=$(grep '^kind: CronWorkflow$' -R workflows/ -H | cut -d ':' -f1)
# For each cron workflow attempt to deploy it using kubectl
for cwf in $CRON_WORKFLOWS; do
kubectl apply -f "$cwf" --namespace argo
done