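name: "CI - Deploy Static Site"
# NOTE: generic YAML 1.1 parsers read the bare `on` key as the boolean `true`; GitHub's loader
# handles it, so a yamllint `truthy` exception is expected here.
on:
  # Unfortunately, there is no way to reduce duplication between inputs. They must be specified
  # separately for each trigger, and the two input sets below must be kept in sync by hand.
  workflow_call:
    inputs:
      bfd-env:
        description: "The BFD environment to deploy the Static Site to"
        required: true
        type: string
      aws-region:
        description: >-
          Override the AWS Region destination for uploaded artifacts.
          Default to `us-east-1`.
        default: us-east-1
        type: string
        required: true
      bfd-release:
        description: >-
          Version string of the BFD release from which the data dictionaries will be pulled.
          If omitted, the latest GitHub release version will be used
        required: false
        type: string
      cw-log-group-override:
        description: "Overrides the CloudWatch Log Group to submit Terraform logs to; must exist"
        required: false
        type: string
      cw-log-stream-override:
        description: >-
          Overrides the CloudWatch Log Stream to submit Terraform logs to; will be created if
          necessary
        required: false
        type: string
  workflow_dispatch:
    inputs:
      bfd-env:
        description: "The BFD environment to deploy the Static Site to"
        required: true
        type: string
      aws-region:
        description: >-
          Override the AWS Region destination for uploaded artifacts.
          Default to `us-east-1`.
        default: us-east-1
        # Manual runs are restricted to a fixed list of regions; the reusable-workflow
        # variant above accepts any string.
        type: choice
        options:
          - us-east-1
          - us-west-2
        required: true
      bfd-release:
        description: >-
          Version string of the BFD release from which the data dictionaries will be pulled.
          If omitted, the latest GitHub release version will be used
        required: false
        type: string
      branch:
        description: >-
          Override the branch on which the build is based.
          Default to selected reference in the `Use workflow from` drop-down when empty.
        required: false
        # `string` is the implicit default for workflow_dispatch inputs; stated for symmetry
        # with the other inputs.
        type: string
      cw-log-group-override:
        description: "Overrides the CloudWatch Log Group to submit Terraform logs to; must exist"
        required: false
        type: string
      cw-log-stream-override:
        description: >-
          Overrides the CloudWatch Log Stream to submit Terraform logs to; will be created if
          necessary
        required: false
        type: string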
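permissions:
  # Required for requesting the AWS IAM OIDC JWT consumed by aws-actions/configure-aws-credentials
  id-token: write
  # actions/checkout and reading GitHub releases only need read access to repository contents;
  # no step in this workflow pushes to the repository, so a write-scoped token is over-privileged.
  # NOTE(review): confirm no caller of the workflow_call trigger relies on a write-scoped token.
  contents: read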
defaults:
  run:
    # Every `run:` step in this workflow executes under bash (GitHub documents that naming
    # bash explicitly also enables `-e -o pipefail` for the step script).
    shell: "bash"
env:
  # AWS CodeArtifact domain and repository that host the data-dictionary assets
  CA_DOMAIN: "bfd-mgmt"
  CA_REPOSITORY: "bfd-mgmt"
  AWS_REGION: "${{ inputs.aws-region }}"
  # Fallback CloudWatch destinations for Terraform logs, used when the *-override inputs are empty
  DEFAULT_LOG_GROUP: "/bfd/${{ inputs.bfd-env }}/gha/ci-static-site"
  DEFAULT_LOG_STREAM: "deploy-terraservice_${{ github.run_number }}"
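jobs:
  deploy-static-site:
    runs-on: ubuntu-latest
    # NOTE(review): third-party actions below are pinned to tags; pinning to full commit SHAs
    # removes the risk of a moved tag changing what runs with the OIDC-backed AWS role.
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full clone rather than the default shallow checkout
          fetch-depth: 0
          # Falls back to the ref that triggered the run when no branch override is supplied
          ref: ${{ inputs.branch || github.ref_name }}
      - name: Determine latest release version
        # Only consulted when the caller did not supply an explicit release version
        if: inputs.bfd-release == ''
        id: determine-latest-release
        # NOTE(review): the action ref on the next line appears mangled in this copy of the file;
        # confirm the intended tag upstream and pin it to a full commit SHA.
        uses: pozetroninc/[email protected]
        with:
          repository: ${{ github.repository }}
      - name: Set environment variables
        # Inputs and step outputs are passed through `env` instead of being interpolated into the
        # script text, so the shell never executes a raw `${{ }}` expansion of a user-supplied value.
        env:
          RELEASE_INPUT: ${{ inputs.bfd-release }}
          LATEST_RELEASE: ${{ steps.determine-latest-release.outputs.release }}
        run: |
          # Same precedence as the previous `inputs.bfd-release || outputs.release` expression:
          # an empty input falls back to the detected latest release.
          release_version="${RELEASE_INPUT:-$LATEST_RELEASE}"
          if [[ -z "$release_version" ]]; then
            echo "Release version unspecified or unable to be determined"
            # Fail the job here; the previous `echo 1` let an empty version reach later steps.
            exit 1
          fi
          echo "BFD_RELEASE=$release_version" >> "$GITHUB_ENV"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.GHA_AWS_IAM_ROLE_ARN }}
          role-session-name: ci-static-site
          aws-region: ${{ inputs.aws-region }}
      - name: Mask sensitive AWS data
        # Register the assumed identity's account id, ARN and user id as masked values so that
        # later command output cannot print them into the job log.
        run: |
          caller_id="$(aws sts get-caller-identity)"
          account_num="$(jq -r '.Account' <<< "$caller_id")"
          role_arn="$(jq -r '.Arn' <<< "$caller_id")"
          user_id="$(jq -r '.UserId' <<< "$caller_id")"
          echo "::add-mask::$account_num"
          echo "::add-mask::$role_arn"
          echo "::add-mask::$user_id"
      - name: Deploy static-site Terraservice
        uses: ./.github/actions/deploy-terraservice
        with:
          bfd-env: ${{ inputs.bfd-env }}
          service-path: ops/terraform/services/static-site
          # Explicit overrides win; otherwise the workflow-level defaults are used
          cw-log-group: ${{ inputs.cw-log-group-override || env.DEFAULT_LOG_GROUP }}
          cw-log-stream: ${{ inputs.cw-log-stream-override || env.DEFAULT_LOG_STREAM }}
      - name: Pull data dictionaries
        env:
          CA_NAMESPACE: gov.cms.bfd
          CA_PACKAGE: bfd-server-war
          # Secret reaches the script through the environment rather than inline interpolation
          CA_DOMAIN_OWNER: ${{ secrets.AWS_ACCOUNT_ID }}
          # JSON array of asset names; BFD_RELEASE was exported by "Set environment variables"
          CA_ASSETS: |
            [
              "bfd-server-war-${{ env.BFD_RELEASE }}-v1-data-dictionary.json",
              "bfd-server-war-${{ env.BFD_RELEASE }}-v2-data-dictionary.json"
            ]
        run: |
          mkdir -p "${{ github.workspace }}/dist"
          cd "${{ github.workspace }}/dist"
          readarray -t assets < <(echo "$CA_ASSETS" | jq -r -c '.[]')
          for asset in "${assets[@]}"
          do
            # The local file name strips the "<package>-<release>-v" prefix, leaving "V<n>-..."
            aws codeartifact get-package-version-asset \
              --domain-owner "$CA_DOMAIN_OWNER" \
              --domain "$CA_DOMAIN" \
              --repository "$CA_REPOSITORY" \
              --asset "$asset" \
              --package-version "$BFD_RELEASE" \
              --package "$CA_PACKAGE" \
              --namespace "$CA_NAMESPACE" \
              --format maven \
              --region "$AWS_REGION" \
              "${asset/$CA_PACKAGE-${BFD_RELEASE}-v/V}" 1>/dev/null
          done
      - name: Setup Ruby and install dependencies
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.3"
          bundler-cache: true
          working-directory: ${{ github.workspace }}/static-site
      - name: Build Jekyll static site
        run: |
          cd "${{ github.workspace }}/static-site"
          bundle exec jekyll build
      - name: Sync static site to S3
        # The environment name is part of the bucket name; pass it via env so the shell never
        # sees a raw expansion of the input.
        env:
          BFD_ENV: ${{ inputs.bfd-env }}
        run: |
          # --delete removes bucket objects that are no longer present in the built _site tree
          aws s3 sync "${{ github.workspace }}/static-site/_site" "s3://bfd-${BFD_ENV}-static" --delete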