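# CI/CD workflow.
# - ci / test: lint, build and test on every push and on opened/reopened PRs.
# - gatekeep:  decides whether a push should be built and deployed.
# - build:     builds the Docker image and pushes it to ECR.
# - deploy:    ships the pushed image to Elastic Beanstalk.
name: ci

on:
  push:
  # NOTE(review): `synchronize` is not listed, so new commits on an open pull
  # request reach this workflow only through the push event, i.e. for
  # branches that live in this repository.
  pull_request:
    types: [opened, reopened]

# Least privilege for GITHUB_TOKEN: the jobs only check out the repository.
# AWS access goes through repository secrets, not through the token.
permissions:
  contents: read

env:
  PRODUCTION_BRANCH: refs/heads/release
  STAGING_BRANCH: refs/heads/staging

# NOTE(review): ubuntu-18.04 is no longer offered as a GitHub-hosted runner
# image; these jobs need a runner that still carries that label.
jobs:
  ci:
    name: Lint
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js
        uses: actions/setup-node@v1
        with:
          node-version: '16.x'
      - name: Cache Node.js modules
        uses: actions/cache@v2
        with:
          # npm cache files are stored in `~/.npm` on Linux/macOS
          path: ~/.npm
          key: ${{ runner.OS }}-node-askgov-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.OS }}-node-askgov-
      # NOTE(review): the lockfiles are validated after `npm ci` has already
      # installed from them; confirm whether lockfile-lint can run first.
      - run: npm ci
      # Reject lockfile entries that are not fetched over HTTPS from the npm
      # registry.
      - run: npx lockfile-lint --type npm --path client/package-lock.json --validate-https --allowed-hosts npm
      - run: npx lockfile-lint --type npm --path server/package-lock.json --validate-https --allowed-hosts npm
      - run: npx lockfile-lint --type npm --path shared/package-lock.json --validate-https --allowed-hosts npm
      - run: npm run lint-ci
      - run: npm run --prefix server build
      - run: npm run --prefix client build

  test:
    name: Test
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js
        uses: actions/setup-node@v1
        with:
          node-version: '16.x'
      - name: Cache Node.js modules
        uses: actions/cache@v2
        with:
          # npm cache files are stored in `~/.npm` on Linux/macOS
          path: ~/.npm
          key: ${{ runner.OS }}-node-askgov-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.OS }}-node-askgov-
      - run: npm ci
      - run: npm test

  # Emits proceed=true only for a push to the staging or release branch, and
  # only when the AWS credentials and ECR settings are non-empty.
  gatekeep:
    name: Determine if Build & Deploy is needed
    outputs:
      proceed: ${{ steps.determine_proceed.outputs.proceed }}
    runs-on: ubuntu-18.04
    if: github.event_name == 'push'
    steps:
      - id: determine_proceed
        # The secrets are only tested for emptiness and are never echoed.
        # Results go to $GITHUB_OUTPUT instead of the deprecated
        # `::set-output` workflow command.
        run: |
          if [[ -z "${AWS_ACCESS_KEY_ID}" || -z "${AWS_SECRET_ACCESS_KEY}" ]]; then
            echo "proceed=false" >> "$GITHUB_OUTPUT"
          elif [[ -z "${ECR_REPO}" || -z "${ECR_URL}" ]]; then
            echo "proceed=false" >> "$GITHUB_OUTPUT"
          elif [[ "$GITHUB_REF" == "$STAGING_BRANCH" ]]; then
            echo "proceed=true" >> "$GITHUB_OUTPUT"
          elif [[ "$GITHUB_REF" == "$PRODUCTION_BRANCH" ]]; then
            echo "proceed=true" >> "$GITHUB_OUTPUT"
          else
            echo "proceed=false" >> "$GITHUB_OUTPUT"
          fi
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          ECR_REPO: ${{ secrets.ECR_REPO }}
          ECR_URL: ${{ secrets.ECR_URL }}

  # NOTE(review): build waits only for gatekeep, so an image is pushed to ECR
  # even when the ci or test job fails; only deploy waits for those two.
  build:
    name: Build and push
    runs-on: ubuntu-18.04
    needs: [gatekeep]
    if: needs.gatekeep.outputs.proceed == 'true'
    outputs:
      branch: ${{ steps.extract_branch.outputs.branch }}
      tag: ${{ steps.extract_tag.outputs.tag }}
    steps:
      - uses: actions/checkout@v2
      - name: Extract branch name
        id: extract_branch
        shell: bash
        run: |
          echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
      - name: Extract ECR tag
        id: extract_tag
        shell: bash
        run: |
          echo "tag=ghactions-${BRANCH}-${SHA}" >> "$GITHUB_OUTPUT"
        env:
          BRANCH: ${{ steps.extract_branch.outputs.branch }}
          SHA: ${{ github.sha }}
      - name: Select reCAPTCHA site key
        # Secrets reach the script as environment variables. Expanding
        # `${{ secrets.* }}` inside the script text would let the shell
        # re-parse the value as code.
        run: |
          # Right-hand sides are quoted so == compares literally instead of
          # treating the value as a glob pattern.
          if [[ "$GITHUB_REF" == "$STAGING_BRANCH" ]]; then
            echo "REACT_APP_RECAPTCHA_SITE_KEY=${SITE_KEY_STAGING}" >> "$GITHUB_ENV"
          elif [[ "$GITHUB_REF" == "$PRODUCTION_BRANCH" ]]; then
            echo "REACT_APP_RECAPTCHA_SITE_KEY=${SITE_KEY_PRODUCTION}" >> "$GITHUB_ENV"
          fi
        env:
          SITE_KEY_STAGING: ${{ secrets.REACT_APP_RECAPTCHA_SITE_KEY_STAGING }}
          SITE_KEY_PRODUCTION: ${{ secrets.REACT_APP_RECAPTCHA_SITE_KEY_PRODUCTION }}
      # Build args are recorded in the image history; that is acceptable for
      # a reCAPTCHA site key, which is public by design, but this channel
      # must not carry real secrets.
      - run: |
          docker build -t "$IMAGE_TAG" -f Dockerfile \
            --build-arg "REACT_APP_RECAPTCHA_SITE_KEY=$REACT_APP_RECAPTCHA_SITE_KEY" .
        env:
          IMAGE_TAG: ${{ steps.extract_tag.outputs.tag }}
      - name: Push to ECR
        if: needs.gatekeep.outputs.proceed == 'true'
        # NOTE(review): third-party action that receives the AWS credentials.
        # A version tag can be moved by the action's owner; pin it to a
        # reviewed full commit SHA.
        uses: jwalton/gh-ecr-push@v1
        with:
          access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          region: ap-southeast-1
          local-image: ${{ steps.extract_tag.outputs.tag }}
          image: ${{ secrets.ECR_REPO }}:${{ steps.extract_tag.outputs.tag }}

  deploy:
    name: Deploy to Elastic Beanstalk
    runs-on: ubuntu-18.04
    needs: [ci, test, gatekeep, build]
    if: needs.gatekeep.outputs.proceed == 'true'
    steps:
      - uses: actions/checkout@v2
      - name: Package Dockerrun.aws.json
        # Fill the @REPO and @TAG placeholders, then bundle the result with
        # .ebextensions.
        run: |
          sed -i -e "s|@REPO|$REPO|g" Dockerrun.aws.json
          sed -i -e "s|@TAG|$TAG|g" Dockerrun.aws.json
          zip -r "deploy.zip" Dockerrun.aws.json .ebextensions
        env:
          REPO: ${{ secrets.ECR_URL }}/${{ secrets.ECR_REPO }}
          TAG: ${{ needs.build.outputs.tag }}
      - name: Get timestamp
        id: get_timestamp
        shell: bash
        run: |
          echo "timestamp=$(TZ=Asia/Singapore date '+%Y%m%d%H%M%S')" >> "$GITHUB_OUTPUT"
      - name: Get Elastic Beanstalk label
        id: get_label
        shell: bash
        run: |
          echo "label=${TAG}-${TIMESTAMP}" >> "$GITHUB_OUTPUT"
        env:
          TAG: ${{ needs.build.outputs.tag }}
          TIMESTAMP: ${{ steps.get_timestamp.outputs.timestamp }}
      - name: Select Elastic Beanstalk variables
        id: select_eb_vars
        # Secrets are handed over through env rather than being expanded
        # into the script text.
        run: |
          if [[ "$GITHUB_REF" == "$STAGING_BRANCH" ]]; then
            echo "EB_APP=${EB_APP_STAGING}" >> "$GITHUB_ENV"
            echo "EB_ENV=${EB_ENV_STAGING}" >> "$GITHUB_ENV"
          elif [[ "$GITHUB_REF" == "$PRODUCTION_BRANCH" ]]; then
            echo "EB_APP=${EB_APP_PRODUCTION}" >> "$GITHUB_ENV"
            echo "EB_ENV=${EB_ENV_PRODUCTION}" >> "$GITHUB_ENV"
          fi
        env:
          EB_APP_STAGING: ${{ secrets.EB_APP_STAGING }}
          EB_ENV_STAGING: ${{ secrets.EB_ENV_STAGING }}
          EB_APP_PRODUCTION: ${{ secrets.EB_APP_PRODUCTION }}
          EB_ENV_PRODUCTION: ${{ secrets.EB_ENV_PRODUCTION }}
      - name: Deploy to EB
        # NOTE(review): this action also receives the AWS credentials; pin it
        # to a reviewed full commit SHA rather than a movable tag.
        uses: opengovsg/beanstalk-deploy@v11
        with:
          aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          application_name: ${{ env.EB_APP }}
          environment_name: ${{ env.EB_ENV }}
          version_label: ${{ steps.get_label.outputs.label }}
          region: ap-southeast-1
          deployment_package: deploy.zip
          wait_for_deployment: false
          wait_for_environment_recovery: false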