Skip to content

v0.5.25

v0.5.25 #69

Workflow file for this run

---
name: release
on:
release:
types: [released]
env:
AWS_DEFAULT_REGION: us-east-1
# Do not copy the AMI to other regions until we have figured out a
# workable mechanism for creating and managing AMI KMS keys in other
# regions.
# See https://github.com/cisagov/cool-system/issues/18 for details.
# COPY_REGIONS_KMS_MAP: "us-east-2:alias/cool-amis,
# us-west-1:alias/cool-amis,
# us-west-2:alias/cool-amis"
CURL_CACHE_DIR: ~/.cache/curl
PIP_CACHE_DIR: ~/.cache/pip
RUN_TMATE: ${{ secrets.RUN_TMATE }}
jobs:
diagnostics:
name: Run diagnostics
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v3
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
release:
needs:
- diagnostics
runs-on: ubuntu-latest
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
with:
python-version: "3.10"
- uses: actions/cache@v3
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
packer${{ steps.setup-env.outputs.packer-version }}-\
tf-${{ steps.setup-env.outputs.terraform-version }}-"
with:
path: |
${{ env.PIP_CACHE_DIR }}
${{ env.CURL_CACHE_DIR }}
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements.txt') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Setup curl cache
run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- name: Install Packer
env:
PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
run: |
PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
--time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
--location \
"https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}"
sudo unzip -d /opt/packer \
${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
sudo ln -s /opt/packer/packer /usr/local/bin/packer
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install --upgrade \
--requirement requirements.txt
- name: Install ansible roles
run: ansible-galaxy install --force --role-file src/requirements.yml
# Do not copy the AMI to other regions until we have figured out a
# workable mechanism for creating and managing AMI KMS keys in other
# regions.
# See https://github.com/cisagov/cool-system/issues/18 for details.
# - name: Add copy regions to packer configuration
# run: |
# echo $COPY_REGIONS_KMS_MAP | \
# ./patch_packer_config.py src/packer.pkr.hcl
- name: Assume AWS build role
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME_PRODUCTION }}
role-duration-seconds: 7200 # 2 hours
# When called by Packer, Ansible will find /usr/bin/python3 and
# use it; therefore, we must ensure that /usr/bin/python3 points
# to the version of Python that we installed in the
# actions/setup-python step above. This can hose other tasks
# that are expecting to find the system Python at that location,
# though, so we undo this change after running Packer.
- name: Create a /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3 /usr/bin/python3-default
sudo ln -s ${{ env.pythonLocation }}/bin/python3 \
/usr/bin/python3
- name: Install Packer plugins
run: packer init src
- name: Create machine image
env:
# Since we are using the default value of 15 seconds for
# AWS_POLL_DELAY_SECONDS, this corresponds to a timeout of
# two hours. We need such a long timeout because it can
# take well over an hour to copy this AMI from one region to
# another.
AWS_MAX_ATTEMPTS: 480
run: |
packer build -timestamp-ui \
-var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_PRODUCTION }} \
-var is_prerelease=${{ github.event.release.prerelease }} \
-var release_tag=${{ github.event.release.tag_name }} \
-var release_url=${{ github.event.release.html_url }} \
src/packer.pkr.hcl
- name: Remove /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3-default /usr/bin/python3
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE