Merge pull request #151 from arnoldknott/dev #480
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Frontend | |
| on: | |
| workflow_dispatch: | |
| workflow_run: | |
| workflows: [Infrastructure] | |
| types: completed | |
| branches: | |
| - dev | |
| - stage | |
| - main | |
| push: | |
| paths: | |
| - 'frontend_svelte/**' | |
| - '.github/workflows/frontend_svelte.yml' | |
| # pull_request: | |
| # paths: | |
| # - 'frontend/**' | |
| env: | |
| REGISTRY: ghcr.io | |
| # COMMIT_SHA: ${{ github.event.after }} | |
| COMMIT_SHA: ${{ github.sha }} | |
| jobs: | |
| test: | |
| runs-on: ubuntu-24.04 | |
| environment: test | |
| env: | |
| KEYVAULT_HEALTH: ${{ vars.KEYVAULT_HEALTH }} | |
| POSTGRES_DB: ${{ vars.POSTGRES_DB }} | |
| POSTGRES_HOST: ${{ vars.POSTGRES_HOST }} | |
| POSTGRES_USER: ${{ secrets.POSTGRES_USER }} | |
| POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }} | |
| REDIS_HOST: ${{ vars.REDIS_HOST }} | |
| REDIS_PORT: ${{ vars.REDIS_PORT }} | |
| MONGODB_HOST: ${{ vars.MONGODB_HOST }} | |
| MONGODB_PORT: ${{ vars.MONGODB_PORT }} | |
| APP_REG_CLIENT_ID: ${{ secrets.APP_REG_CLIENT_ID }} | |
| APP_CLIENT_SECRET: ${{ secrets.APP_CLIENT_SECRET }} | |
| AZ_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
| API_SCOPE: ${{ secrets.API_SCOPE }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build | |
| run: | | |
| docker compose \ | |
| -f compose.yml \ | |
| -f compose.override.test.yml \ | |
| build | |
| - name: Spin up containers | |
| run: | | |
| docker compose \ | |
| -f compose.yml \ | |
| -f compose.override.test.yml \ | |
| up -d | |
| # - name: run inside the container and show content | |
| # run: | | |
| # docker compose \ | |
| # -f compose.yml \ | |
| # -f compose.override.test.yml \ | |
| # run --rm frontend_svelte \ | |
| # sh -c "ls -la node_modules" | |
| # - name: show image contents | |
| # run: | | |
| # docker compose \ | |
| # -f compose.yml \ | |
| # -f compose.override.test.yml \ | |
| # exec -T frontend_svelte \ | |
| # sh -c "ls -la node_modules" | |
| # TBD change all commands to docker compose run - as the container is up and runnig already! | |
| - name: Code Formating | |
| run: | | |
| docker compose \ | |
| -f compose.yml \ | |
| -f compose.override.test.yml \ | |
| exec -T frontend_svelte \ | |
| sh -c "npm run format" | |
| - name: Linting | |
| run: | | |
| docker compose \ | |
| -f compose.yml \ | |
| -f compose.override.test.yml \ | |
| exec -T frontend_svelte \ | |
| sh -c "npm run lint" | |
| - name: Unit testing | |
| run: | | |
| docker compose \ | |
| -f compose.yml \ | |
| -f compose.override.test.yml \ | |
| exec -T frontend_svelte \ | |
| sh -c "npm run test:unit" | |
| - name: Stop containers | |
| run: | | |
| docker compose \ | |
| -f compose.yml \ | |
| -f compose.override.test.yml \ | |
| down | |
| check_for_infrastructure_change: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 2 | |
| - name: Check for infrastructure changes | |
| id: check_for_infrastructure_change | |
| # replace --exit-code with --quite for less output on console if necessary! | |
| run: | | |
| if git diff --exit-code HEAD^ HEAD -- infrastructure/ .github/workflows/infrastructure.yml; then | |
| echo "No infrastructure changes detected." | |
| echo "infrastructure_changed=FALSE" >> $GITHUB_OUTPUT | |
| else | |
| echo "Infrastructure changes detected." | |
| echo "infrastructure_changed=TRUE" >> $GITHUB_OUTPUT | |
| fi | |
| echo "=== Contents of $GITHUB_OUTPUT ===" | |
| cat $GITHUB_OUTPUT | |
| outputs: | |
| infrastructure_changed: ${{ steps.check_for_infrastructure_change.outputs.infrastructure_changed }} | |
| containerize: | |
| # if: ${{ github.event.ref == 'refs/heads/main' || github.event.ref == 'refs/heads/stage' }} | |
| # only run on stage and main branch | |
| # only run if no infrastructure changes were detected, but do run, if the workflow was triggered by a workflow_run event (then the github.event.workflow_run.head_sha is not null) | |
| # TBD: split into multiline if statement: | |
| if: ${{((github.event.ref == 'refs/heads/main' || github.event.ref == 'refs/heads/stage') && needs.check_for_infrastructure_change.outputs.infrastructure_changed == 'FALSE' ) || ( ( github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'stage' ) && github.event.workflow_run.name == 'Infrastructure' && github.event.workflow_run.conclusion == 'success') }} | |
| needs: [test, check_for_infrastructure_change] | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| id-token: write | |
| contents: read | |
| packages: write | |
| environment: stage | |
| steps: | |
| # - name: echos github.event.after variable | |
| # run: | | |
| # echo "=== Is this the correct tag: github.event.after? ===" | |
| # echo ${{ github.event.after }} | |
| # echo $CONTAINER_TAG | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.workflow_run.head_sha }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build for production | |
| run: | | |
| docker compose -f compose.yml -f compose.prod.yml build --build-arg COMMIT_SHA=${{env.COMMIT_SHA}} frontend_svelte | |
| - name: Show images | |
| run: docker image list | |
| - name: Tag and push with latest and commit hash | |
| run: | | |
| docker tag \ | |
| ${{github.event.repository.name}}-frontend_svelte:latest \ | |
| ${{env.REGISTRY}}/${{github.repository}}-frontend_svelte:latest | |
| docker tag \ | |
| ${{github.event.repository.name}}-frontend_svelte:latest \ | |
| ${{env.REGISTRY}}/${{github.repository}}-frontend_svelte:$COMMIT_SHA | |
| docker push \ | |
| ${{env.REGISTRY}}/${{github.repository}}-frontend_svelte:latest | |
| docker push \ | |
| ${{env.REGISTRY}}/${{github.repository}}-frontend_svelte:$COMMIT_SHA | |
| deploy_stage: | |
| needs: containerize | |
| # if: ${{ github.event.ref == 'refs/heads/main' || github.event.ref == 'refs/heads/stage' }} | |
| # if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/stage' }} | |
| if: ${{((github.event.ref == 'refs/heads/main' || github.event.ref == 'refs/heads/stage') && needs.check_for_infrastructure_change.outputs.infrastructure_changed == 'FALSE' ) || ( ( github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'stage' ) && github.event.workflow_run.name == 'Infrastructure' && github.event.workflow_run.conclusion == 'success') }} | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| id-token: write | |
| packages: read | |
| environment: stage | |
| # env: | |
| # AZURE_AUTHORITY: https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }} | |
| steps: | |
| # - name: echos github.event.after variable | |
| # run: | | |
| # echo "=== Is this the correct tag: github.event.after? ===" | |
| # echo ${{ github.event.after }} | |
| # echo $CONTAINER_TAG | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to Azure | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_GITHUBACTIONSMANAGEDIDENTITY_CLIENT_ID }} | |
| tenant-id: ${{ vars.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Deploy to staging | |
| # TBD: changing mode to single here, as there is a terraform bug with the time-out, when setting containerapp to single! | |
| # env no longer necessary: all variables coming from terraform now! | |
| # env: | |
| # IDENTITY_REF: "/subscriptions/${{secrets.AZURE_SUBSCRIPTION_ID}}/resourcegroups/${{vars.AZURE_RESOURCE_GROUP}}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${{vars.AZURE_FRONTENDIDENTITY_NAME}}" | |
| run: | | |
| az containerapp revision set-mode \ | |
| --name ${{ vars.AZURE_CONTAINERAPP_FRONTEND }} \ | |
| --resource-group ${{vars.AZURE_RESOURCE_GROUP}} \ | |
| --mode single | |
| az containerapp update \ | |
| --name ${{ vars.AZURE_CONTAINERAPP_FRONTEND }} \ | |
| --resource-group ${{vars.AZURE_RESOURCE_GROUP}} \ | |
| --image ${{env.REGISTRY}}/${{github.repository}}-frontend_svelte:$COMMIT_SHA | |
| # TBD: remove AZ_KEYVAULT_HOST here - coming from terraform now! | |
| # REMOVED NOW: all env variables coming from terraform now! | |
| # --set-env-vars \ | |
| # "AZ_KEYVAULT_HOST=${{ vars.AZURE_KEYVAULT_HOST }}" | |
| # remember also to remove from Github environment! | |
| # az containerapp revision set-mode \ | |
| # --name ${{ vars.AZURE_CONTAINERAPP_FRONTEND }} \ | |
| # --resource-group ${{vars.AZURE_RESOURCE_GROUP}} \ | |
| # --mode single | |
| # az containerapp secret set \ | |
| # --name ${{ vars.AZURE_CONTAINERAPP_FRONTEND }} \ | |
| # --resource-group ${{vars.AZURE_RESOURCE_GROUP}} \ | |
| # --secrets \ | |
| # "keyvault-health=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}/secrets/keyvault-health,identityref:$IDENTITY_REF" \ | |
| # "app-reg-client-id"=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}/secrets/app-reg-client-id,identityref:$IDENTITY_REF \ | |
| # "azure-authority=${{ env.AZURE_AUTHORITY }}" | |
| # sleep 10 | |
| # az containerapp update \ | |
| # --name ${{ vars.AZURE_CONTAINERAPP_FRONTEND }} \ | |
| # --resource-group ${{vars.AZURE_RESOURCE_GROUP}} \ | |
| # --image ${{env.REGISTRY}}/${{github.repository}}-frontend_svelte:$COMMIT_SHA \ | |
| # --set-env-vars \ | |
| # "AZURE_KEYVAULT_HOST=${{ vars.AZURE_KEYVAULT_HOST }}" \ | |
| # "KEYVAULT_HEALTH=secretref:keyvault-health" \ | |
| # "BACKEND_HOST=${{ vars.AZURE_CONTAINERAPP_BACKEND }}" \ | |
| # "APP_REG_CLIENT_ID=secretref:app-reg-client-id" \ | |
| # "AZURE_AUTHORITY=secretref:azure-authority" | |
| # TBD: this is weird: here the variable is named AZ_KEYVAULT_HOST, but in the container it is named AZURE_KEYVAULT_HOST | |
| # when renaming it here - conatinerapp fails to start with managed identity error - cannot get to keyvault! | |
| # Set by terraform already in container: "app-reg-client-id=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}/secrets/app-reg-client-id,identityref:$IDENTITY_REF" \ | |
| # TBD: consider deleting all existing environment variables before setting the new ones? | |
| # No: don't otherwise the ones set from Terraform get deleted! | |
| # implemented as in https://learn.microsoft.com/en-us/azure/container-apps/manage-secrets?tabs=azure-cli | |
| # TBD: consider putting all of this into a deploymentscript and reuse it and in deploy_prod! | |
| - name: Logout from Azure | |
| uses: azure/CLI@v2 | |
| with: | |
| inlineScript: | | |
| az logout | |
| az cache purge | |
| az account clear | |
| deploy_prod: | |
| needs: [ deploy_stage ] | |
| # if: ${{ github.event.ref == 'refs/heads/main' }} | |
| if: ${{ github.event.ref == 'refs/heads/main' || github.event.workflow_run.head_branch == 'main' }} | |
| # as this environmnet requires a manual review: | |
| # also wait on the pull request from postgres migrations to be merged | |
| # if check migrations detected changes. | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| id-token: write | |
| packages: read | |
| environment: prod | |
| # env: | |
| # AZURE_AUTHORITY: https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }} | |
| steps: | |
| # - name: echos github.event.after variable | |
| # run: | | |
| # echo "=== Is this the correct tag: github.event.after? ===" | |
| # echo ${{ github.event.after }} | |
| # echo $CONTAINER_TAG | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to Azure | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_GITHUBACTIONSMANAGEDIDENTITY_CLIENT_ID }} | |
| tenant-id: ${{ vars.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Deploy to production | |
| # TBD: changing mode to single here, as there is a terraform bug with the time-out, when setting containerapp to single! | |
| # env no longer necessary: all variables coming from terraform now! | |
| # env: | |
| # IDENTITY_REF: "/subscriptions/${{secrets.AZURE_SUBSCRIPTION_ID}}/resourcegroups/${{vars.AZURE_RESOURCE_GROUP}}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${{vars.AZURE_FRONTENDIDENTITY_NAME}}" | |
| run: | | |
| az containerapp revision set-mode \ | |
| --name ${{ vars.AZURE_CONTAINERAPP_FRONTEND }} \ | |
| --resource-group ${{vars.AZURE_RESOURCE_GROUP}} \ | |
| --mode single | |
| az containerapp update \ | |
| --name ${{ vars.AZURE_CONTAINERAPP_FRONTEND }} \ | |
| --resource-group ${{vars.AZURE_RESOURCE_GROUP}} \ | |
| --image ${{env.REGISTRY}}/${{github.repository}}-frontend_svelte:$COMMIT_SHA | |
| # TBD: remove AZ_KEYVAULT_HOST here - coming from terraform now! | |
| # REMOVED NOW: all env variables coming from terraform now! | |
| # --set-env-vars \ | |
| # "AZ_KEYVAULT_HOST=${{ vars.AZURE_KEYVAULT_HOST }}" | |
| # remember also to remove from Github environment! | |
| # Set by terraform already in container: "app-reg-client-id=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}/secrets/app-reg-client-id,identityref:$IDENTITY_REF" \ | |
| # TBD: consider deleting all existing environment variables before setting the new ones? | |
| # No: don't otherwise the ones set from Terraform get deleted! | |
| # implemented as in https://learn.microsoft.com/en-us/azure/container-apps/manage-secrets?tabs=azure-cli | |
| # TBD: consider putting all of this into a deploymentscript and reuse it and in deploy_prod! | |
| - name: Logout from Azure | |
| uses: azure/CLI@v2 | |
| with: | |
| inlineScript: | | |
| az logout | |
| az cache purge | |
| az account clear |