New release: v0.73.14 -> v0.73.16 #715

Workflow file for this run

.github/workflows/merge_to_main_production.yaml at 19539e3

	name: "Merge to main (Production)"

	on:
	push:
	branches:
	- main
	paths:
	- "VERSION"

	env:
	PRIVATE_ECR: ${{ secrets.PRODUCTION_AWS_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify
	API_LAMBDA_IMAGE: api-lambda:56da4f9
	HEARTBEAT_IMAGE: heartbeat:5c8da95
	SYSTEM_STATUS_IMAGE: system_status:078cf82
	OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PRODUCTION_OP_SERVICE_ACCOUNT_TOKEN }}


	defaults:
	run:
	shell: bash

	jobs:
	kubectl-apply:
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

	- name: Set Prod Version
	run: \|
	TARGET_VERSION=`cat VERSION`
	echo "TARGET_VERSION=$TARGET_VERSION" >> $GITHUB_ENV

	- name: Checkout target Prod version
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
	with:
	ref: ${{ env.TARGET_VERSION }}

	- name: Inject token authentication
	run: \|
	git config --global url."https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
	with:
	aws-access-key-id: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
	aws-region: ca-central-1

	- name: Install OpenVPN
	run: \|
	sudo apt update
	sudo apt install -y openvpn openvpn-systemd-resolved

	- name: Setup Terraform tools
	uses: cds-snc/terraform-tools-setup@v1
	env: # In case you want to override default versions
	CONFTEST_VERSION: 0.30.0
	TERRAFORM_VERSION: 1.9.5
	TERRAGRUNT_VERSION: 0.66.9
	TF_SUMMARIZE_VERSION: 0.2.3

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb

	- name: Retrieve VPN Config
	run: \|
	scripts/createVPNConfig.sh production 2> /dev/null

	- name: Connect to VPN
	uses: "kota65535/github-openvpn-connect-action@cd2ed8a90cc7b060dc4e001143e811b5f7ea0af5" # v3.1.0
	with:
	config_file: /var/tmp/production.ovpn
	echo_config: false

	# We are using this to install kubectl in this case
	- name: Setup helmfile
	uses: mamezou-tech/setup-helmfile@03233e1cd9b19b2ba320e431f7bcc0618db4248d # v2.0.0
	with:
	install-kubectl: yes
	install-helm: yes

	- name: Run manifest build
	run: \|
	cp env.example env/production/.env
	make production-debug > /dev/null 2>&1

	- name: Decrypt production env
	run: \|
	make decrypt-production

	- name: Configure kubeconfig
	run: \|
	aws eks update-kubeconfig --name notification-canada-ca-production-eks-cluster

	- name: Apply changes
	run: \|
	./scripts/applyKube.sh env/production --kubeconfig=/home/runner/.kube/config

	- name: Check for env changes
	working-directory: env/production
	run: \|
	aws ssm get-parameters --region ca-central-1 --with-decryption --names ENVIRONMENT_VARIABLES --query 'Parameters[*].Value' --output text > .previous.env
	DIFF="$(set +o pipefail && diff -B .env .previous.env \| wc -l)"
	echo "::add-mask::$DIFF"
	echo "ENV_DIFF=$DIFF" >> $GITHUB_ENV

	- name: Update parameter store environment variable
	if: env.ENV_DIFF != '0' # Only update secrets when changes detected
	working-directory: env/production
	run: \|
	aws ssm put-parameter --region ca-central-1 --name ENVIRONMENT_VARIABLES --type SecureString --key-id alias/aws/ssm --value file://.env --tier "Intelligent-Tiering" --overwrite

	- name: Deploy lambda
	uses: ./.github/actions/update-lambda-function
	with:
	alias-name: latest
	function-name: api-lambda
	image-uri: $PRIVATE_ECR/$API_LAMBDA_IMAGE

	- name: Deploy Heartbeat lambda
	uses: ./.github/actions/update-lambda-function
	with:
	alias-name: latest
	function-name: heartbeat
	image-uri: $PRIVATE_ECR/$HEARTBEAT_IMAGE

	- name: Deploy System Status lambda
	uses: ./.github/actions/update-lambda-function
	with:
	alias-name: latest
	function-name: system_status
	image-uri: $PRIVATE_ECR/$SYSTEM_STATUS_IMAGE

	- name: Add deployment to New Relic
	run: \|
	for application_id in 283469061 283468826 283468685; do
	curl -X POST "https://api.newrelic.com/v2/applications/$application_id/deployments.json" \
	-H "X-Api-Key:$NEW_RELIC_API_KEY" -i \
	-H 'Content-Type: application/json' \
	-d \
	'{
	"deployment": {
	"revision": "'$GITHUB_SHA'"
	}
	}'
	done
	env:
	NEW_RELIC_API_KEY: ${{ secrets.PRODUCTION_NEW_RELIC_API_KEY }}

	- name: Report deployment to Sentinel
	uses: cds-snc/sentinel-forward-data-action@main
	with:
	input_data: '{"product": "notify", "sha": "${{ github.sha }}", "version": "${{ env.TARGET_VERSION }}", "repository": "${{ github.repository }}", "environment": "production"}'
	log_type: CDS_Product_Deployment_Data
	log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
	log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}


	- name: Notify Slack channel if this job failed
	if: ${{ failure() }}
	run: \|
	json="{'text':'<!here> CI is failing in <https://github.com/cds-snc/notification-manifests/\|notification-manifests> !'}"
	curl -X POST -H 'Content-type: application/json' --data "$json" ${{ secrets.SLACK_WEBHOOK }}

	clear-cache:
	needs: kubectl-apply
	uses: ./.github/workflows/clear-notify-cache.yaml
	with:
	environment: production
	secrets:
	CACHE_CLEAR_USER_NAME: ${{ secrets.PRODUCTION_CACHE_CLEAR_USER_NAME }}
	CACHE_CLEAR_CLIENT_SECRET: ${{ secrets.PRODUCTION_CACHE_CLEAR_CLIENT_SECRET }}
	API_URL: ${{ secrets.PRODUCTION_API_URL }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New release: v0.73.14 -> v0.73.16 #715

Workflow file

New release: v0.73.14 -> v0.73.16 #715

Jobs

Run details

Workflow file for this run