-
Notifications
You must be signed in to change notification settings - Fork 4
131 lines (123 loc) · 4.85 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Continuous Integration
on:
pull_request_target: {}
permissions:
contents: read
jobs:
qa:
permissions:
contents: read
uses: ./.github/workflows/qa.yml
with:
ref: ${{ github.event.pull_request.head.sha }}
debug:
run: echo ${{ github.event.pull_request.head.sha }}
publish-qa-results:
name: Publish QA Results
permissions:
contents: read
pull-requests: write
if: always() && (needs.qa.result != 'skipped' && needs.qa.result != 'cancelled')
needs:
- qa
uses: "./.github/workflows/publish-qa-results.yml"
with:
api-test-outcome: ${{ needs.qa.outputs.api-test-outcome }}
api-test-coverage-markdown-report: ${{ needs.qa.outputs.api-test-coverage-markdown-report }}
python-test-outcome: ${{ needs.qa.outputs.python-test-outcome }}
python-test-coverage-markdown-report: ${{ needs.qa.outputs.python-test-coverage-markdown-report }}
web-test-outcome: ${{ needs.qa.outputs.web-test-outcome }}
web-test-coverage-markdown-report: ${{ needs.qa.outputs.web-test-coverage-markdown-report }}
eslint-outcome: ${{ needs.qa.outputs.eslint-outcome }}
ruff-outcome: ${{ needs.qa.outputs.ruff-outcome }}
mypy-outcome: ${{ needs.qa.outputs.mypy-outcome }}
tflint-outcome: ${{ needs.qa.outputs.tflint-outcome }}
pr-number: ${{ github.event.pull_request.number }}
write-summary: true
write-comment: true
build:
permissions:
contents: read
packages: write
name: Build deployment artifacts
uses: ./.github/workflows/build.yml
with:
ref: ${{ github.event.pull_request.head.sha }}
docker-image-push: true
docker-image-args-ref: ${{ github.ref }}
docker-image-tag-latest: false
docker-image-tag-pr: "${{ github.event.pull_request.number }}"
docker-image-upload-attestations: true
docker-image-artifacts-retention-days: 14
docker-image-version: "rc-pr-${{ github.event.pull_request.number }}"
build-api-image: false
build-console-image: true
build-api-functions: true
api-function-artifact-retention-days: 14
build-python-functions: true
python-function-artifact-retention-days: 14
build-web: true
web-artifact-retention-days: 14
web-dotenv: |
API_URL=https://api.staging.cpf.usdr.dev
aws-auth:
name: Configure AWS Credentials
permissions:
contents: read
id-token: write
uses: ./.github/workflows/aws-auth.yml
with:
aws-region: us-west-2
secrets:
role-to-assume: ${{ secrets.CI_ROLE_ARN }}
gpg-passphrase: ${{ secrets.TFPLAN_SECRET }}
tf-plan:
name: Plan Terraform
permissions:
contents: read
needs:
- aws-auth
- build
uses: ./.github/workflows/terraform-plan.yml
with:
ref: ${{ github.event.pull_request.head.sha }}
concurrency-group: run_terraform-staging
api-functions-artifacts-key: ${{ needs.build.outputs.api-functions-artifacts-key }}
api-functions-artifacts-path: ${{ needs.build.outputs.api-functions-artifacts-path }}
console-image: ${{ needs.build.outputs.console-image-full-name }}
python-functions-artifacts-key: ${{ needs.build.outputs.python-functions-artifacts-key }}
python-functions-artifacts-path: ${{ needs.build.outputs.python-functions-artifacts-path }}
web-artifacts-key: ${{ needs.build.outputs.web-artifacts-key }}
web-artifacts-path: ${{ needs.build.outputs.web-artifacts-path }}
aws-region: us-west-2
environment-key: staging
tf-backend-config-file: staging.s3.tfbackend
tf-var-file: staging.tfvars
upload-artifacts: false
artifacts-retention-days: 14
secrets:
aws-access-key-id: ${{ needs.aws-auth.outputs.aws-access-key-id }}
aws-secret-access-key: ${{ needs.aws-auth.outputs.aws-secret-access-key }}
aws-session-token: ${{ needs.aws-auth.outputs.aws-session-token }}
datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
datadog-app-key: ${{ secrets.DATADOG_APP_KEY }}
gpg-passphrase: ${{ secrets.TFPLAN_SECRET }}
publish-tf-plan:
name: Publish Terraform Plan
permissions:
contents: read
pull-requests: write
if: always() && (needs.tf-plan.result != 'skipped' && needs.tf-plan.result != 'cancelled')
needs:
- tf-plan
uses: ./.github/workflows/publish-terraform-plan.yml
with:
write-summary: true
write-comment: true
pr-number: ${{ github.event.pull_request.number }}
tf-fmt-outcome: ${{ needs.tf-plan.outputs.fmt-outcome }}
tf-init-outcome: ${{ needs.tf-plan.outputs.init-outcome }}
tf-plan-outcome: ${{ needs.tf-plan.outputs.plan-outcome }}
tf-plan-summary: ${{ needs.tf-plan.outputs.plan-summary-markdown }}
tf-validate-outcome: ${{ needs.tf-plan.outputs.validate-outcome }}
tf-validate-output: ${{ needs.tf-plan.outputs.validate-output }}