massively overhaul the CI/CD #49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Main | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - 'main' | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Set extra GitHub environment variables | |
| id: github-env-vars | |
| uses: rlespinasse/github-slug-action@v4 | |
| - name: Checkout source | |
| id: checkout-source | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| id: install-python | |
| uses: actions/setup-python@v3 | |
| with: | |
| python-version: 3.12 | |
| cache: pipenv | |
| - name: Install pipenv | |
| id: install-pipenv | |
| shell: bash | |
| run: python -m pip install --upgrade pipenv | |
| - name: Install dependencies | |
| id: install-python-deps | |
| shell: bash | |
| run: pipenv install --dev | |
| - name: Assume AWS Credentials | |
| uses: ServerlessOpsIO/gha-assume-aws-credentials@v1 | |
| with: | |
| build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }} | |
| - name: Install AWS SAM | |
| uses: aws-actions/setup-sam@v2 | |
| - name: Validate artifact (deploy) | |
| run: sam validate --lint -t stackset-deploy-template.yaml | |
| - name: Validate artifact (build) | |
| run: sam validate --lint -t stackset-build-template.yaml | |
| - name: Validate artifact (SAM artifact) | |
| run: sam validate --lint -t stacksets/gha-build/sam-deployment.yaml | |
| - name: Validate artifact (build stackset) | |
| run: sam validate --lint -t stacksets/gha-build/stackset.yaml | |
| - name: Validate artifact (deploy stackset) | |
| run: sam validate --lint -t stacksets/gha-deploy/stackset.yaml | |
| - name: Synethsize StackSet templates | |
| run: | | |
| for _f in $(find . -type f -name 'stackset-*-template.yaml'); do | |
| _dir="$(dirname $_f)/" \ | |
| yq \ | |
| -i \ | |
| '(.. | select(has("localTemplateFile")) | .localTemplateFile) |= load_str(strenv(_dir) + .)' \ | |
| $_f; | |
| done | |
| - name: Upload SAM artifact (Management Account) | |
| id: upload-sam-template | |
| shell: bash | |
| run: | | |
| sam package \ | |
| --template stacksets/gha-deploy/stackset.yaml \ | |
| --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1 \ | |
| --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \ | |
| --region us-east-1 \ | |
| --output-template-file packaged-template.yaml | |
| - name: Upload SAM artifact (Build Account) | |
| id: upload-sam-stackset-build-template | |
| shell: bash | |
| run: | | |
| sam package \ | |
| --template stackset-build-template.yaml \ | |
| --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1 \ | |
| --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \ | |
| --region us-east-1 \ | |
| --output-template-file packaged-stackset-build-template.yaml | |
| - name: Upload SAM artifact (Deploy Account) | |
| id: upload-sam-stackset-deploy-template | |
| shell: bash | |
| run: | | |
| sam package \ | |
| --template stackset-deploy-template.yaml \ | |
| --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1 \ | |
| --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \ | |
| --region us-east-1 \ | |
| --output-template-file packaged-stackset-deploy-template.yaml | |
| - name: Store Artifacts | |
| uses: ServerlessOpsIO/gha-store-artifacts@v1 | |
| deploy_build_stacksets: | |
| needs: | |
| - build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Set extra GitHub environment variables | |
| id: github-env-vars | |
| uses: rlespinasse/github-slug-action@v4 | |
| - name: Download artifact | |
| id: download-artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }} | |
| - name: Setup Python | |
| id: install-python | |
| uses: actions/setup-python@v3 | |
| with: | |
| python-version: 3.12 | |
| cache: pipenv | |
| - name: Install pipenv | |
| id: install-pipenv | |
| shell: bash | |
| run: python -m pip install --upgrade pipenv | |
| - name: Install dependencies | |
| id: install-python-deps | |
| shell: bash | |
| run: pipenv install --dev | |
| - name: Assume AWS Credentials | |
| uses: ServerlessOpsIO/gha-assume-aws-credentials@v1 | |
| with: | |
| build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }} | |
| gha_build_role_name: ${{ secrets.AWS_CICD_BUILD_ROLE_NAME }} | |
| deploy_aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }} | |
| gha_deploy_role_name: ${{ secrets.AWS_CICD_DEPLOY_ROLE_NAME }} | |
| - name: Deploy via AWS SAM | |
| uses: ServerlessOpsIO/gha-deploy-aws-sam@v1 | |
| with: | |
| aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }} | |
| template_file: packaged-stackset-build-template.yaml | |
| stack_name: "${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ env.GITHUB_EVENT_REF_SLUG_URL }}-stackset-build" | |
| cfn_capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND | |
| env_json: ${{ toJson(env) }} | |
| secrets_json: ${{ toJson(secrets) }} | |
| deploy_deploy_stacksets: | |
| needs: | |
| - build | |
| - deploy_build_stacksets | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Set extra GitHub environment variables | |
| id: github-env-vars | |
| uses: rlespinasse/github-slug-action@v4 | |
| - name: Download artifact | |
| id: download-artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }} | |
| - name: Setup Python | |
| id: install-python | |
| uses: actions/setup-python@v3 | |
| with: | |
| python-version: 3.12 | |
| cache: pipenv | |
| - name: Install pipenv | |
| id: install-pipenv | |
| shell: bash | |
| run: python -m pip install --upgrade pipenv | |
| - name: Install dependencies | |
| id: install-python-deps | |
| shell: bash | |
| run: pipenv install --dev | |
| - name: Assume AWS Credentials | |
| uses: ServerlessOpsIO/gha-assume-aws-credentials@v1 | |
| with: | |
| build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }} | |
| gha_build_role_name: ${{ secrets.AWS_CICD_BUILD_ROLE_NAME }} | |
| deploy_aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }} | |
| gha_deploy_role_name: ${{ secrets.AWS_CICD_DEPLOY_ROLE_NAME }} | |
| - name: Deploy via AWS SAM | |
| uses: ServerlessOpsIO/gha-deploy-aws-sam@v1 | |
| with: | |
| aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }} | |
| stack_name: "${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ env.GITHUB_EVENT_REF_SLUG_URL }}-stackset-deploy" | |
| template_file: packaged-stacksets-deploy-template.yaml | |
| cfn_capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND | |
| env_json: ${{ toJson(env) }} | |
| secrets_json: ${{ toJson(secrets) }} | |
| deploy_management: | |
| needs: | |
| - build | |
| - deploy_build_stacksets | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Set extra GitHub environment variables | |
| id: github-env-vars | |
| uses: rlespinasse/github-slug-action@v4 | |
| - name: Download artifact | |
| id: download-artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }} | |
| - name: Setup Python | |
| id: install-python | |
| uses: actions/setup-python@v3 | |
| with: | |
| python-version: 3.12 | |
| cache: pipenv | |
| - name: Install pipenv | |
| id: install-pipenv | |
| shell: bash | |
| run: python -m pip install --upgrade pipenv | |
| - name: Install dependencies | |
| id: install-python-deps | |
| shell: bash | |
| run: pipenv install --dev | |
| - name: Assume AWS Credentials | |
| uses: ServerlessOpsIO/gha-assume-aws-credentials@v1 | |
| with: | |
| build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }} | |
| gha_build_role_name: ${{ secrets.AWS_CICD_BUILD_ROLE_NAME }} | |
| deploy_aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }} | |
| gha_deploy_role_name: ${{ secrets.AWS_CICD_DEPLOY_ROLE_NAME }} | |
| - name: Deploy via AWS SAM | |
| uses: ServerlessOpsIO/gha-deploy-aws-sam@v1 | |
| with: | |
| aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }} | |
| template_file: packaged-template.yaml | |
| cfn_capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND | |
| env_json: ${{ toJson(env) }} | |
| secrets_json: ${{ toJson(secrets) }} |