package main
import (
"fmt"
"github.com/pulumi/pulumi-github/sdk/v5/go/github"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
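// exportDeployEnvDataToGitHubRepo publishes the deployment data the Actions
// workflows need into the GitHub repository "<github:owner>/<ghAppSrcRepo>":
// a repository environment named after the stack (pr.cfgKeys.envKey), an
// Actions environment secret holding the CI/CD service principal password, and
// a set of Actions environment variables identifying the Azure resources the
// workflows deploy to. For the DEV stack the service principal password is
// additionally registered as a repository-level Dependabot secret.
//
// It returns the first error reported by the GitHub provider, wrapped with the
// resource that failed. Every resource creation is checked; in particular a
// failed Dependabot secret is now reported instead of being overwritten by the
// next loop iteration and silently dropped.
func (pr *projectResources) exportDeployEnvDataToGitHubRepo() (err error) {
	// Validate repo: resolving the full name fails early if the repo does not
	// exist or the configured token cannot see it.
	githubConfig := config.New(pr.pulumiCtx, "github")
	repoPath := fmt.Sprintf("%s/%s", githubConfig.Require("owner"), pr.cfgKeys.ghAppSrcRepo)
	repo, err := github.LookupRepository(pr.pulumiCtx, &github.LookupRepositoryArgs{
		FullName: &repoPath,
	})
	if err != nil {
		return fmt.Errorf("looking up repository %q: %w", repoPath, err)
	}
	repoName := pulumi.String(repo.Name)

	// Create deployment environment using stack name (env)
	env := pr.cfgKeys.envKey
	repoEnv, err := github.NewRepositoryEnvironment(pr.pulumiCtx, env, &github.RepositoryEnvironmentArgs{
		Repository:  repoName,
		Environment: pulumi.String(env),
	})
	if err != nil {
		return fmt.Errorf("creating repository environment %q: %w", env, err)
	}

	// Create Actions Deployment Environment Secret for Azure SP that will be deploying via Actions workflows
	// https://github.com/Azure/login#configure-a-service-principal-with-a-secret
	// NOTE(review): PlaintextValue is fed straight from the SP password output;
	// confirm that output is marked secret so it is encrypted in Pulumi state.
	secretsVars := map[string]pulumi.StringInput{
		"CLIENT_SECRET": pr.svcPrincipals.cicd.ServicePrincipalPass.Value,
	}
	for k, v := range secretsVars {
		_, err = github.NewActionsEnvironmentSecret(pr.pulumiCtx, k, &github.ActionsEnvironmentSecretArgs{
			Repository:     repoName,
			SecretName:     pulumi.String(k),
			Environment:    repoEnv.Environment,
			PlaintextValue: v,
		})
		if err != nil {
			return fmt.Errorf("creating environment secret %q: %w", k, err)
		}
		// This permits PRs submitted by Dependabot (e.g. when bumping project dependencies to newer versions)
		// to have access to the dev stack environment's Azure SP client secret token.
		// This allows the Dependabot PR to be treated just like a user-submitted (chore-like) PR to bump the dependency
		// The outcome here is that the Dependabot submitted PR gets built and deployed just like any other.
		if pr.cfgKeys.envKey != DEV {
			continue
		}
		_, err = github.NewDependabotSecret(pr.pulumiCtx, k, &github.DependabotSecretArgs{
			Repository:     repoName,
			SecretName:     pulumi.String(k),
			PlaintextValue: v,
		})
		if err != nil {
			// Previously unchecked: a failure here was overwritten by the next
			// resource call and the function still returned nil.
			return fmt.Errorf("creating dependabot secret %q: %w", k, err)
		}
	}

	// Create Actions Deployment Environment Variables to be used in Actions CI/CD workflows
	actionsVars := map[string]pulumi.StringInput{
		"AZ_CDN_ENDPOINT":     pr.webCdnEp.Name,
		"AZ_CDN_PROFILE_NAME": pr.webCdnProfile.Name,
		"AZ_RESOURCE_GROUP":   pr.webResourceGrp.Name,
		"AZ_STORAGE_ACCT":     pr.webStorageAccount.Name,
		"CLIENT_ID":           pr.svcPrincipals.cicd.ServicePrincipal.ClientId,
		"SUBSCRIPTION_ID":     pulumi.String(pr.thisAzureSubscription.SubscriptionId),
		"TENANT_ID":           pulumi.String(pr.cfgKeys.thisAzureTenantId),
	}
	for k, v := range actionsVars {
		_, err = github.NewActionsEnvironmentVariable(pr.pulumiCtx, k, &github.ActionsEnvironmentVariableArgs{
			Environment:  repoEnv.Environment,
			Repository:   repoName,
			VariableName: pulumi.String(k),
			Value:        v,
		})
		if err != nil {
			return fmt.Errorf("creating environment variable %q: %w", k, err)
		}
	}
	return nil
}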