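# Production deployment workflow.
#
# Trigger: a push to `main` that touches the VERSION file. The job reads
# VERSION, checks out the ref it names, applies the production Kubernetes
# manifests, syncs the decrypted production .env into SSM Parameter Store
# (only when it differs from the stored value), updates three Lambda
# functions, then records the deployment in New Relic and Sentinel. A Slack
# message is sent if any step fails.
#
# Secrets read: PRODUCTION_AWS_ACCOUNT, PRODUCTION_AWS_ACCESS_KEY_ID,
# PRODUCTION_AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, PRODUCTION_NEW_RELIC_API_KEY,
# LOG_ANALYTICS_WORKSPACE_ID, LOG_ANALYTICS_WORKSPACE_KEY, SLACK_WEBHOOK.
name: "Merge to main (Production)"

# `on:` is a GitHub Actions keyword; yamllint's truthy rule flags it but it is
# intended.
on:
  push:
    branches:
      - main
    paths:
      - "VERSION"

# Least privilege for GITHUB_TOKEN: its only use here is cloning (the checkout
# steps and the git insteadOf rewrite below); nothing writes to the repository.
permissions:
  contents: read

# Serialise production deploys: a second VERSION bump must not apply manifests
# or overwrite the SSM parameter while an earlier run is still in progress.
concurrency:
  group: production-deploy
  cancel-in-progress: false

env:
  PRIVATE_ECR: ${{ secrets.PRODUCTION_AWS_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify
  # Image tags and the version are quoted so YAML never re-types them.
  API_LAMBDA_IMAGE: "api-lambda:d62edec"
  HEARTBEAT_LAMBDA_IMAGE: "heartbeat:fb6dcdfda3c8e21ef997e75d1cb872bb08916cf3"
  SYSTEM_STATUS_LAMBDA_IMAGE: "system_status:fb6dcdfda3c8e21ef997e75d1cb872bb08916cf3"
  KUBECTL_VERSION: "1.23.6"

defaults:
  run:
    # GitHub runs explicit `shell: bash` steps with `-e -o pipefail`, so any
    # failing command in the scripts below fails its step.
    shell: bash

jobs:
  kubectl-apply:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

      # The VERSION file on `main` names the ref that is deployed.
      - name: Set Prod Version
        run: |
          TARGET_VERSION="$(cat VERSION)"
          echo "TARGET_VERSION=${TARGET_VERSION}" >> "$GITHUB_ENV"

      - name: Checkout target Prod version
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: ${{ env.TARGET_VERSION }}

      # Rewrites https://github.com/ clone URLs to carry the job token. The
      # token is passed via `env` rather than interpolated into the script so
      # the rendered script never embeds the secret. The rewrite lands in the
      # global git config and stays in effect for the rest of the job.
      - name: Inject token authentication
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"

      # NOTE(review): long-lived access keys are used here; configure-aws-credentials
      # also supports OIDC via `role-to-assume`, which avoids storing static keys.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          aws-access-key-id: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
          aws-region: ca-central-1

      # `-f` makes curl fail on an HTTP error instead of saving the error page
      # as the binary, and the published .sha256 is verified before the binary
      # is installed.
      - name: Install kubectl
        run: |
          curl -fsSLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
          curl -fsSLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
          echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
          chmod +x kubectl
          mv kubectl /usr/local/bin/
          kubectl version --client

      # Output of the build is discarded. NOTE(review): this also hides error
      # output when the step fails; confirm the suppression is deliberate
      # (e.g. rendered manifests containing sensitive values).
      - name: Run manifest build
        run: |
          cp env.example env/production/.env
          make production-debug > /dev/null 2>&1

      - name: Decrypt production env
        run: |
          make decrypt-production

      - name: Configure kubeconfig
        run: |
          aws eks update-kubeconfig --name notification-canada-ca-production-eks-cluster

      - name: Apply changes
        run: |
          ./scripts/applyKube.sh env/production --kubeconfig="$HOME/.kube/config"

      # Compares the decrypted .env with the value currently in SSM. `diff`
      # exits 1 when the files differ, so pipefail is switched off inside the
      # substitution; only the line count is kept, and it is masked.
      - name: Check for env changes
        working-directory: env/production
        run: |
          aws ssm get-parameters --region ca-central-1 --with-decryption --names ENVIRONMENT_VARIABLES --query 'Parameters[*].Value' --output text > .previous.env
          DIFF="$(set +o pipefail && diff -B .env .previous.env | wc -l)"
          echo "::add-mask::$DIFF"
          echo "ENV_DIFF=$DIFF" >> "$GITHUB_ENV"

      - name: Update parameter store environment variable
        if: env.ENV_DIFF != '0' # Only update secrets when changes detected
        working-directory: env/production
        run: |
          aws ssm put-parameter --region ca-central-1 --name ENVIRONMENT_VARIABLES --type SecureString --key-id alias/aws/ssm --value file://.env --tier "Intelligent-Tiering" --overwrite

      # `with:` inputs are not shell-expanded, so the image URIs are built with
      # workflow expressions instead of `$VAR` references.
      - name: Deploy lambda
        uses: ./.github/actions/update-lambda-function
        with:
          alias-name: latest
          function-name: api-lambda
          image-uri: ${{ env.PRIVATE_ECR }}/${{ env.API_LAMBDA_IMAGE }}

      - name: Deploy Heartbeat lambda
        uses: ./.github/actions/update-lambda-function
        with:
          alias-name: latest
          function-name: heartbeat
          image-uri: ${{ env.PRIVATE_ECR }}/${{ env.HEARTBEAT_LAMBDA_IMAGE }}

      - name: Deploy System Status lambda
        uses: ./.github/actions/update-lambda-function
        with:
          alias-name: latest
          function-name: system_status
          image-uri: ${{ env.PRIVATE_ECR }}/${{ env.SYSTEM_STATUS_LAMBDA_IMAGE }}

      # Records a deployment marker (revision = this commit) for each New Relic
      # application id.
      - name: Add deployment to New Relic
        env:
          NEW_RELIC_API_KEY: ${{ secrets.PRODUCTION_NEW_RELIC_API_KEY }}
        run: |
          for application_id in 283469061 283468826 283468685; do
            curl -X POST "https://api.newrelic.com/v2/applications/$application_id/deployments.json" \
              -H "X-Api-Key:$NEW_RELIC_API_KEY" -i \
              -H 'Content-Type: application/json' \
              -d \
              '{
                "deployment": {
                  "revision": "'$GITHUB_SHA'"
                }
              }'
          done

      # TODO(review): pin to a commit SHA like the other actions above; a
      # mutable `@main` ref lets the action's code change without a diff here.
      - name: Report deployment to Sentinel
        uses: cds-snc/sentinel-forward-data-action@main
        with:
          input_data: '{"product": "notify", "sha": "${{ github.sha }}", "version": "${{ env.TARGET_VERSION }}", "repository": "${{ github.repository }}", "environment": "production"}'
          log_type: CDS_Product_Deployment_Data
          log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
          log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}

      # The webhook URL is passed via `env` rather than interpolated into the
      # script.
      - name: Notify Slack channel if this job failed
        if: ${{ failure() }}
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
        run: |
          json="{'text':'<!here> CI is failing in <https://github.com/cds-snc/notification-manifests/|notification-manifests> !'}"
          curl -X POST -H 'Content-type: application/json' --data "$json" "$SLACK_WEBHOOK"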