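# Deploy workflow: synthesizes and deploys the CDK app to the dev or prod AWS
# account and, for prod, tags the deployed commit.
#
# Triggers:
#   - push to `dev`            -> deploy to dev, no tag
#   - workflow_dispatch        -> deploy to the chosen environment; prod is tagged
name: Deploy

on:
  push:
    branches:
      - dev
  workflow_dispatch:
    inputs:
      environment:
        description: "Environment to deploy to"
        required: true
        type: choice
        options:
          - dev
          - prod
        default: prod
      ref:
        # Free-text input; it is only ever handed to actions/checkout as an
        # action input (never interpolated into a shell script).
        description: "Optional git ref (commit SHA, branch, or tag) to deploy (for rollback)"
        required: false
        default: ""
      skip_ialirt:
        description: "For manual prod deploys only: skip deploying IalirtStack"
        required: false
        type: boolean
        default: true

# Workflow-level permissions apply to every step of every job, including the
# third-party actions below. With a single job this is equivalent to job-level
# scoping; if more jobs are added, scope `contents: write` to the job that tags.
permissions:
  id-token: write
  contents: write # needed for tagging and release creation
  actions: read

jobs:
  cdk-deploy:
    runs-on: ubuntu-latest
    steps:
      # ----------------------------------------------------
      # 🧭 Determine environment + AWS role + tagging behavior
      # ----------------------------------------------------
      # Writes account_name, role_arn and should_tag to $GITHUB_ENV for the
      # later steps. Any trigger/branch/environment combination that is not
      # explicitly listed fails the job.
      - name: Determine deployment target
        id: set_account
        # The dispatch input is passed in via `env:` instead of being expanded
        # with `${{ }}` inside the script body, so the shell only ever sees an
        # environment variable and never templated text. `environment` is a
        # choice input, so this is about following the recommended pattern
        # consistently rather than about a reachable injection here.
        env:
          TARGET_ENV: ${{ github.event.inputs.environment }}
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "push" ]]; then
            # `branches: [dev]` already filters pushes; this is a second guard.
            if [[ "${GITHUB_REF##*/}" == "dev" ]]; then
              echo "account_name=dev" >> "$GITHUB_ENV"
              echo "role_arn=arn:aws:iam::449431850278:role/GitHubDeploy" >> "$GITHUB_ENV"
              echo "should_tag=false" >> "$GITHUB_ENV"
            else
              echo "Branch not configured for deployment." && exit 1
            fi
          elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
            if [[ "$TARGET_ENV" == "dev" ]]; then
              echo "account_name=dev" >> "$GITHUB_ENV"
              echo "role_arn=arn:aws:iam::449431850278:role/GitHubDeploy" >> "$GITHUB_ENV"
              echo "should_tag=false" >> "$GITHUB_ENV"
            elif [[ "$TARGET_ENV" == "prod" ]]; then
              echo "account_name=prod" >> "$GITHUB_ENV"
              echo "role_arn=arn:aws:iam::593025701104:role/GitHubDeploy" >> "$GITHUB_ENV"
              echo "should_tag=true" >> "$GITHUB_ENV"
            else
              echo "Invalid environment specified." && exit 1
            fi
          else
            echo "Unsupported trigger type" && exit 1
          fi

      # ----------------------------------------------------
      # 🔄 Checkout code (use ref input if provided for rollback)
      # ----------------------------------------------------
      # NOTE(review): the actions below are pinned to major-version tags. A
      # full commit SHA (with the tag kept in a trailing comment) would also
      # protect against the tag being moved; the SHAs are not known from
      # this file, so the tags are left as-is.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Empty `ref` input (the default) falls through to the triggering ref.
          ref: ${{ github.event.inputs.ref || github.ref }}

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - uses: Gr1N/setup-poetry@v8
        with:
          poetry-version: "2.3.4"

      - name: Install dependencies and app
        run: |
          poetry install --with layer-database --with layer-spice --with layer-processing

      - name: Install cdk
        run: |
          npm install -g aws-cdk

      # https://github.com/aws-actions/configure-aws-credentials
      # OIDC federation (id-token: write above); no long-lived keys in secrets.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.role_arn }}
          aws-region: us-west-2

      # ----------------------------------------------------
      # 🧱 CDK Synth + Deploy
      # ----------------------------------------------------
      - name: Synth
        env:
          ACCOUNT_NAME: ${{ env.account_name }}
        run: |
          echo "Synthesizing for environment: $ACCOUNT_NAME"
          # poetry run to get the environment we installed everything into
          poetry run cdk synth --context account_name=$ACCOUNT_NAME

      - name: Deploy
        env:
          ACCOUNT_NAME: ${{ env.account_name }}
          # Only a manual prod deploy with skip_ialirt=true skips IalirtStack;
          # every other path deploys all stacks.
          SKIP_IALIRT: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'prod' && github.event.inputs.skip_ialirt == 'true' }}
        run: |
          echo "Deploying to environment: $ACCOUNT_NAME"
          echo "SKIP_IALIRT=$SKIP_IALIRT"
          if [[ "$SKIP_IALIRT" == "true" ]]; then
            # Explicit allow-list; presumably must be kept in sync with the
            # stacks defined in the CDK app — verify when stacks are added.
            STACKS="NetworkingStack HostedZoneCertificateStack WebsiteStack SDCStack BackupStack"
          else
            STACKS="--all"
          fi
          # poetry run to get the environment we installed everything into
          # $STACKS is intentionally unquoted so it word-splits into arguments.
          poetry run cdk deploy $STACKS --context account_name=$ACCOUNT_NAME --require-approval never

      # ----------------------------------------------------
      # 🏷️ Tag Release (prod only)
      # ----------------------------------------------------
      # Runs only when the target step above set should_tag=true (prod).
      - name: Create tag
        if: env.should_tag == 'true'
        run: |
          # Configure Git identity for tagging
          git config user.name "GitHub Actions"
          git config user.email "actions@github.com"
          # Create and push tag
          TAG_NAME="prod-$(date -u +'%Y-%m-%d-%H%M%S')"
          echo "TAG_NAME=$TAG_NAME" >> "$GITHUB_ENV"
          git tag -a "$TAG_NAME" -m "Production deployment on $(date -u)"
          git push origin "$TAG_NAME"
          echo "Created tag $TAG_NAME"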