From bd05975250da5cc436eeb28fe64209e6e568b49f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Janin?=
Date: Mon, 25 May 2026 09:46:09 -0400
Subject: [PATCH] chore: rework Github actions to transition to AWS CodePipeline
---
.github/workflows/staging-deploy.yml | 75 -------------------
.../workflows/staging-docker-build-push.yml | 69 -----------------
.github/workflows/staging-post-deployment.yml | 47 ++++++++++++
.github/workflows/workflow-failure.yml | 3 +-
4 files changed, 48 insertions(+), 146 deletions(-)
delete mode 100644 .github/workflows/staging-deploy.yml
delete mode 100644 .github/workflows/staging-docker-build-push.yml
create mode 100644 .github/workflows/staging-post-deployment.yml
diff --git a/.github/workflows/staging-deploy.yml b/.github/workflows/staging-deploy.yml
deleted file mode 100644
index 4c54ee8c..00000000
--- a/.github/workflows/staging-deploy.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-name: Staging - Deploy
-
-on:
- workflow_run:
- workflows:
- - Staging — Docker build and push
- types:
- - completed
-
-env:
- AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
- AWS_REGION: ca-central-1
- CLUSTER_NAME: Forms
- SERVICE_NAME: forms-api
- TASK_DEFINITION_NAME: forms-api
- REGISTRY: ${{ vars.STAGING_AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com/forms/api
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- deploy-forms-api-service:
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-
- - name: Configure AWS credentials using OIDC
- uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
- with:
- role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-api-apply
- role-session-name: ECSDeploy
- aws-region: ${{ env.AWS_REGION }}
-
- - name: Download ECS task definition
- run: |
- aws ecs describe-task-definition \
- --task-definition ${{ env.SERVICE_NAME }} \
- --query taskDefinition > task-definition.json
-
- - name: Update ECS task image
- id: task-def
- uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1.8.5
- with:
- task-definition: task-definition.json
- container-name: ${{ env.SERVICE_NAME }}
- image: "${{ env.REGISTRY }}:${{ github.sha }}"
-
- - name: Create the new ECS task definition
- uses: aws-actions/amazon-ecs-deploy-task-definition@a310a830f5c14e583e35d84e4e1ec7dd177c3c9c # v2.6.2
- with:
- task-definition: ${{ steps.task-def.outputs.task-definition }}
- cluster: ${{ env.CLUSTER_NAME }}
-
- - name: Deploy the new ECS task definition
- run: |
- aws ecs update-service \
- --cluster ${{ env.CLUSTER_NAME }} \
- --service ${{ env.SERVICE_NAME }} \
- --task-definition ${{ env.TASK_DEFINITION_NAME }} \
- --force-new-deployment > /dev/null 2>&1
- aws ecs wait services-stable \
- --cluster ${{ env.CLUSTER_NAME }} \
- --services ${{ env.SERVICE_NAME }}
-
- - name: Report deployment to Sentinel
- if: always()
- uses: cds-snc/sentinel-forward-data-action@52ea856d686360100a680e38c40134d4e010b94d # main
- with:
- input_data: '{"product": "forms", "sha": "${{ github.sha }}", "version": "${{ github.sha }}", "repository": "${{ github.repository }}", "environment": "staging", "status": "${{ job.status }}"}'
- log_type: CDS_Product_Deployment_Data
- log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
- log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
diff --git a/.github/workflows/staging-docker-build-push.yml b/.github/workflows/staging-docker-build-push.yml
deleted file mode 100644
index d4ac4917..00000000
--- a/.github/workflows/staging-docker-build-push.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-name: "Staging — Docker build and push"
-
-on:
- push:
- branches:
- - main
- paths-ignore:
- - "tests/**"
-
-env:
- AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
- AWS_REGION: ca-central-1
- ECR_REPOSITORY: forms/api
- GITHUB_SHA: ${{ github.sha }}
-
-permissions:
- id-token: write
- contents: write
- security-events: write
-
-jobs:
- push-staging:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-
- - name: Build Docker image
- run: docker build --platform=linux/amd64 --provenance false -t forms/api .
-
- - name: Configure AWS credentials using OIDC
- uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
- with:
- role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-api-apply
- role-session-name: ECRPush
- aws-region: ${{ env.AWS_REGION }}
-
- - name: Login to Staging Amazon ECR
- id: login-ecr-staging
- uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78
- - name: Tag Images for Staging
- env:
- ECR_REGISTRY: ${{ steps.login-ecr-staging.outputs.registry }}
- run: |
- docker tag forms/api $ECR_REGISTRY/$ECR_REPOSITORY:$GITHUB_SHA
- docker tag forms/api $ECR_REGISTRY/$ECR_REPOSITORY:latest
-
- - name: Push containers to Staging Amazon ECR
- env:
- ECR_REGISTRY: ${{ steps.login-ecr-staging.outputs.registry }}
- run: |
- docker push $ECR_REGISTRY/$ECR_REPOSITORY:$GITHUB_SHA
- docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
-
- - name: Docker generate SBOM
- uses: cds-snc/security-tools/.github/actions/generate-sbom@837a88b6337d4842543184c8eac97a8adac8f302 # v4.0.3
- env:
- TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
- ECR_REGISTRY: ${{ steps.login-ecr-staging.outputs.registry }}
- with:
- docker_image: "${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.GITHUB_SHA }}"
- dockerfile_path: "Dockerfile"
- sbom_name: "forms-api"
- token: "${{ secrets.GITHUB_TOKEN }}"
- - name: Logout of Staging Amazon ECR
- if: always()
- run: docker logout ${{ steps.login-ecr-staging.outputs.registry }}
diff --git a/.github/workflows/staging-post-deployment.yml b/.github/workflows/staging-post-deployment.yml
new file mode 100644
index 00000000..36d8cc46
--- /dev/null
+++ b/.github/workflows/staging-post-deployment.yml
@@ -0,0 +1,47 @@
+name: "Staging — Post deployment"
+
+on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - "tests/**"
+
+# Limit execution to 1 and also makes new trigger events cancel currently running workflow
+concurrency:
+ group: staging-post-deployment
+ cancel-in-progress: true
+
+permissions:
+ contents: write
+ security-events: write
+
+jobs:
+ generate-sbom:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+ - name: Build Docker image
+ run: docker build --platform=linux/amd64 --provenance false -t forms-api .
+
+ - name: Docker generate SBOM
+ uses: cds-snc/security-tools/.github/actions/generate-sbom@837a88b6337d4842543184c8eac97a8adac8f302 # v4.0.3
+ env:
+ TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
+ with:
+ docker_image: "forms-api"
+ dockerfile_path: "Dockerfile"
+ token: "${{ secrets.GITHUB_TOKEN }}"
+
+ report-to-sentinel:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Report deployment to Sentinel
+ uses: cds-snc/sentinel-forward-data-action@343498df663a056249bd96f260265aa80691b747 # main
+ with:
+ input_data: '{"product": "forms", "sha": "${{ github.sha }}", "version": "${{ github.sha }}", "repository": "${{ github.repository }}", "environment": "staging", "status": "${{ job.status }}"}'
+ log_type: CDS_Product_Deployment_Data
+ log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
+ log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
diff --git a/.github/workflows/workflow-failure.yml b/.github/workflows/workflow-failure.yml
index 274204c1..64fea81e 100644
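Review bot: The `status` field sent to Sentinel by the `report-to-sentinel` job in staging-post-deployment.yml is `${{ job.status }}` evaluated inside a single-step job that runs on every push to `main`, so it will always be `success` and no longer reflects whether the deployment (now handled by AWS CodePipeline per the commit title) actually succeeded; the deleted staging-deploy.yml reported the real outcome because its step ran with `if: always()` after the ECS deploy steps. Unless the deployment result can be obtained from the pipeline, consider dropping the field or documenting its new meaning with a comment above the step, e.g. `# status reflects this workflow only, not the CodePipeline deployment`. Separately, the workflow-level `permissions` block grants `contents: write` and `security-events: write` to both jobs although only `generate-sbom` appears to need them (it carried the same grants in the deleted workflow); moving that block under `generate-sbom` and giving `report-to-sentinel` its own `permissions:` with `contents: read` keeps the job that handles the Log Analytics secrets at least privilege.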
--- a/.github/workflows/workflow-failure.yml
+++ b/.github/workflows/workflow-failure.yml
@@ -3,8 +3,7 @@ name: Workflow failure
 on:
 workflow_run:
 workflows:
- - "Staging - Deploy"
- - "Staging — Docker build and push"
+ - "Staging — Post deployment"
 - "Production - Deploy"
 - "Production — Docker build and push"
 types: