chore: prepares oauth-scheme for dependency injetion in FastAPI with … #714

Workflow file for this run

.github/workflows/backendAPI.yml at 218a16d

	name: BackendAPI

	on:
	workflow_dispatch:
	workflow_run:
	workflows: [Infrastructure]
	types: completed
	branches:
	- dev
	- stage
	- main
	push:
	paths:
	- 'backendAPI/**'
	- '.github/workflows/backendAPI.yml'


	env:
	REGISTRY: ghcr.io
	# COMMIT_SHA: ${{ github.event.after }}
	COMMIT_SHA: ${{ github.sha }}
	FILESHARE_APPDATA_MIGRATIONS_PATH: migrations/stage_prod

	jobs:
	test:
	runs-on: ubuntu-24.04
	environment: test
	env:
	KEYVAULT_HEALTH: ${{ vars.KEYVAULT_HEALTH }}
	FRONTEND_SVELTE_ORIGIN: ${{ vars.FRONTEND_SVELTE_ORIGIN }}
	FRONTEND_SVELTE_FQDN: ${{ vars.FRONTEND_SVELTE_FQDN }}
	APP_REG_CLIENT_ID: ${{ secrets.APP_REG_CLIENT_ID }}
	APP_CLIENT_SECRET: ${{ secrets.APP_CLIENT_SECRET }}
	POSTGRES_DB: ${{ vars.POSTGRES_DB }}
	POSTGRES_HOST: ${{ vars.POSTGRES_HOST }}
	POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
	POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
	REDIS_ARGS: ${{ secrets.REDIS_ARGS }}
	REDIS_HOST: ${{ vars.REDIS_HOST }}
	REDIS_PORT: ${{ vars.REDIS_PORT }}
	REDIS_SESSION_DB: ${{ vars.REDIS_SESSION_DB }}
	REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
	MONGODB_HOST: ${{ vars.MONGODB_HOST }}
	MONGODB_PORT: ${{ vars.MONGODB_PORT }}
	BACK_CLIENT_SECRET: ${{ secrets.BACK_CLIENT_SECRET }}
	AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
	steps:
	- name: echos different variables
	env:
	GITHUB_EVENT: ${{ toJSON(github.event) }}
	run: \|
	echo "=== Is this the correct tag: github.event.after? ==="
	echo ${{ github.event.after }}
	echo "=== github.event.ref ==="
	echo ${{ github.event.ref }}
	echo "=== github.ref ==="
	echo ${{ github.ref }}
	echo "=== github.event.pull_request.head.sha ==="
	echo ${{ github.event.pull_request.head.sha }}
	echo "=== github.event.workflow_run.head_sha ==="
	echo ${{ github.event.workflow_run.head_sha }}
	echo "=== github.event.workflow_run.head_branch ==="
	echo ${{ github.event.workflow_run.head_branch }}
	echo "=== github.event.workflow_run.name ==="
	echo ${{ github.event.workflow_run.name }}
	echo "=== github.event.workflow_run.path ==="
	echo ${{ github.event.workflow_run.path }}
	echo "=== github.event.workflow_run.conclusion ==="
	echo ${{ github.event.workflow_run.conclusion }}
	echo "=== github.event.workflow_run ==="
	echo ${{ github.event.workflow_run }}
	echo "=== GITHUB_SHA ==="
	echo $GITHUB_SHA
	echo "=== GITHUB_WORKFLOW_SHA ==="
	echo $GITHUB_WORKFLOW_SHA
	echo "=== github.sha ==="
	echo ${{ github.sha }}
	echo "=== COMMIT_SHA ==="
	echo $COMMIT_SHA
	# echo "=== github.event.workflow_run.referenced_workflows ==="
	# echo ${{ github.event.workflow_run.referenced_workflows }}
	# echo "=== github.event.workflow_run.referenced_workflows.path ==="
	# echo ${{ github.event.workflow_run.referenced_workflows.path }}
	# echo "=== github.event.workflow_run.referenced_workflows.ref ==="
	# echo ${{ github.event.workflow_run.referenced_workflows.ref }}
	# echo "=== github.event.workflow_run.referenced_workflows.sha ==="
	# echo ${{ github.event.workflow_run.referenced_workflows.sha }}
	# echo "=== github.event.workflow_run.workflow.name ==="
	# echo ${{ github.event.workflow_run.workflow.name }}
	# echo "=== github.event.workflow_run.workflow.path ==="
	# echo ${{ github.event.workflow_run.workflow.path }}
	# echo "=== REDIS_HOST ==="
	# echo $REDIS_HOST
	# echo "=== REDIS_PORT ==="
	# echo $REDIS_PORT
	# echo "=== REDIS_SESSION_DB ==="
	# echo $REDIS_SESSION_DB
	- uses: actions/checkout@v4
	# - name: Build
	# run: \|
	# docker compose \
	# -f compose.yml \
	# -f compose.override.test.yml \
	# build backend_api
	- name: Build
	run: \|
	docker compose \
	-f compose.yml \
	-f compose.override.test.yml \
	build
	- name: Spin up containers
	run: \|
	docker compose \
	-f compose.yml \
	-f compose.override.test.yml \
	up -d
	# - name: Code Formating
	# run: \|
	# docker compose \
	# -f compose.yml \
	# -f compose.override.test.yml \
	# run --rm backend_api \
	# sh -c "black --check ."
	- name: Code Formating
	run: \|
	docker compose \
	-f compose.yml \
	-f compose.override.test.yml \
	exec -T backend_api \
	sh -c "black --check ."
	# - name: Linting
	# run: \|
	# docker compose \
	# -f compose.yml \
	# -f compose.override.test.yml \
	# run --rm backend_api \
	# sh -c "ruff check ."
	- name: Linting
	run: \|
	docker compose \
	-f compose.yml \
	-f compose.override.test.yml \
	exec -T backend_api \
	sh -c "ruff check ."
	# - name: Unit testing
	# run: \|
	# docker compose \
	# -f compose.yml \
	# -f compose.override.test.yml \
	# up -d
	# docker compose \
	# -f compose.yml \
	# -f compose.override.test.yml \
	# exec -T backend_api \
	# sh -c "pytest -v"
	# docker compose \
	# -f compose.yml \
	# -f compose.override.test.yml \
	# down
	- name: Unit testing
	run: \|
	docker compose \
	-f compose.yml \
	-f compose.override.test.yml \
	exec -T backend_api \
	sh -c "pytest -v"
	- name: Stop containers
	run: \|
	docker compose \
	-f compose.yml \
	-f compose.override.test.yml \
	down
	# docker compose \
	# -f compose.yml \
	# -f compose.override.test.yml \
	# exec -T backend_api \
	# sh -c "cd /app/src && alembic revision --autogenerate && alembic upgrade head"
	# docker compose \
	# -f compose.yml \
	# -f compose.override.test.yml \
	# run --rm backend_api \
	# sh -c "pytest -v"

	check_for_infrastructure_change:
	runs-on: ubuntu-24.04
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 2
	- name: Check for infrastructure changes
	id: check_for_infrastructure_change
	# replace --exit-code with --quite for less output on console if necessary!
	run: \|
	if git diff --exit-code HEAD^ HEAD -- infrastructure/ .github/workflows/infrastructure.yml; then
	echo "No infrastructure changes detected."
	echo "infrastructure_changed=FALSE" >> $GITHUB_OUTPUT
	else
	echo "Infrastructure changes detected."
	echo "infrastructure_changed=TRUE" >> $GITHUB_OUTPUT
	fi
	echo "=== Contents of $GITHUB_OUTPUT ==="
	cat $GITHUB_OUTPUT
	outputs:
	infrastructure_changed: ${{ steps.check_for_infrastructure_change.outputs.infrastructure_changed }}

	containerize:
	# if: ${{ github.event.ref == 'refs/heads/main' \|\| github.event.ref == 'refs/heads/stage' }}
	# only run on stage and main branch
	# only run if no infrastructure changes were detected, but do run, if the workflow was triggered by a workflow_run event (then the github.event.workflow_run.head_sha is not null)
	# TBD: split into multiline if statement:
	if: ${{((github.event.ref == 'refs/heads/main' \|\| github.event.ref == 'refs/heads/stage') && needs.check_for_infrastructure_change.outputs.infrastructure_changed == 'FALSE' ) \|\| ( ( github.event.workflow_run.head_branch == 'main' \|\| github.event.workflow_run.head_branch == 'stage' ) && github.event.workflow_run.name == 'Infrastructure' && github.event.workflow_run.conclusion == 'success') }}
	needs: [test, check_for_infrastructure_change]
	runs-on: ubuntu-24.04
	permissions:
	id-token: write
	contents: read
	packages: write
	environment: stage
	steps:
	# - name: echos github.event.after variable
	# run: \|
	# echo "=== Is this the correct tag: github.event.after? ==="
	# echo ${{ github.event.after }}
	# echo $CONTAINER_TAG
	- uses: actions/checkout@v4
	with:
	ref: ${{ github.event.workflow_run.head_sha }}
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Build for production
	run: \|
	docker compose -f compose.yml -f compose.prod.yml build --build-arg COMMIT_SHA=${{env.COMMIT_SHA}} backend_api
	- name: Show images
	run: docker image list
	- name: Tag and push with latest and commit hash
	run: \|
	docker tag \
	${{github.event.repository.name}}-backend_api:latest \
	${{env.REGISTRY}}/${{github.repository}}-backend_api:latest
	docker tag \
	${{github.event.repository.name}}-backend_api:latest \
	${{env.REGISTRY}}/${{github.repository}}-backend_api:$COMMIT_SHA
	docker push \
	${{env.REGISTRY}}/${{github.repository}}-backend_api:latest
	docker push \
	${{env.REGISTRY}}/${{github.repository}}-backend_api:$COMMIT_SHA

	deploy_stage:
	needs: containerize
	# if: ${{ github.event.ref == 'refs/heads/main' \|\| github.event.ref == 'refs/heads/stage' }}
	# if: ${{ github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/stage' }}
	if: ${{((github.event.ref == 'refs/heads/main' \|\| github.event.ref == 'refs/heads/stage') && needs.check_for_infrastructure_change.outputs.infrastructure_changed == 'FALSE' ) \|\| ( ( github.event.workflow_run.head_branch == 'main' \|\| github.event.workflow_run.head_branch == 'stage' ) && github.event.workflow_run.name == 'Infrastructure' && github.event.workflow_run.conclusion == 'success') }}
	runs-on: ubuntu-24.04
	permissions:
	id-token: write
	packages: read
	environment: stage
	steps:
	# - name: echos github.event.after variable
	# run: \|
	# echo "=== Is this the correct tag: github.event.after? ==="
	# echo ${{ github.event.after }}
	# echo $CONTAINER_TAG
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Login to Azure
	uses: azure/login@v2
	with:
	client-id: ${{ secrets.AZURE_GITHUBACTIONSMANAGEDIDENTITY_CLIENT_ID }}
	tenant-id: ${{ vars.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	- name: Deploy to staging
	# TBD: changing mode to single here, as there is a terraform bug with the time-out, when setting containerapp to single!
	env:
	IDENTITY_REF: "/subscriptions/${{secrets.AZURE_SUBSCRIPTION_ID}}/resourcegroups/${{vars.AZURE_RESOURCE_GROUP}}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${{vars.AZURE_BACKENDIDENTITY_NAME}}"
	run: \|
	az containerapp revision set-mode \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--mode single
	az containerapp secret set \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--secrets \
	"postgres-user=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}secrets/postgres-user,identityref:$IDENTITY_REF" \
	"postgres-password=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}secrets/postgres-password,identityref:$IDENTITY_REF"
	sleep 10
	az containerapp update \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--image ${{env.REGISTRY}}/${{github.repository}}-backend_api:$COMMIT_SHA \
	--set-env-vars \
	"POSTGRES_DB=${{ vars.POSTGRES_DB }}" \
	"POSTGRES_USER=secretref:postgres-user" \
	"POSTGRES_PASSWORD=secretref:postgres-password"
	# TBD: remove AZ_KEYVAULT_HOST here - coming from terraform now!
	# REMOVED NOW:
	# "AZ_KEYVAULT_HOST=${{ vars.AZURE_KEYVAULT_HOST }}" \
	# TBD: remove KEYVAULT_HEALTH here: the point is to read it in the application!
	# REMOVED NOW HERE: from secret set & set-env-vars respectively:
	# "keyvault-health=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}secrets/keyvault-health,identityref:$IDENTITY_REF" \
	# "KEYVAULT_HEALTH=secretref:keyvault-health" \
	# TBD: double check with POSTGRES USER & PSASSWORD - should be coming from Terraform now - but not as environment variable!
	# TBD: double check with POSTGRES HOST - should be coming from Terraform now!
	# REMOVED NOW HERE: from secret set & set-env-vars respectively:
	# "postgres-host=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}secrets/postgres-host,identityref:$IDENTITY_REF" \
	# "POSTGRES_HOST=secretref:postgres-host" \
	# TBD: this is weird: here the variable is named AZ_KEYVAULT_HOST, but in the container it is named AZURE_KEYVAULT_HOST
	# when renaming it here - conatinerapp fails to start with managed identity error - cannot get to keyvault!
	# TBD: this should be ready to go. Remember to put into prod as well!
	- name: Upgrade database
	run: \|
	mkdir -p postgres_migration
	script -q -e -c "az containerapp exec \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--command \"scripts/stage_prod/postgres_migration_upgrade.sh\"" > postgres_migration/upgrade_stage_${{ env.COMMIT_SHA }}.log
	echo "=== Contents of postgres_migration/upgrade_stage_${{ env.COMMIT_SHA }}.log ==="
	cat postgres_migration/upgrade_stage_${{ env.COMMIT_SHA }}.log
	- name: Upload migration upgrade artifacts
	uses: actions/upload-artifact@v4
	with:
	name: postgres_migration_upgrade_stage_results_${{ env.COMMIT_SHA }}
	path: postgres_migration/upgrade_stage_${{ env.COMMIT_SHA }}.log
	#
	# TBD: consider deleting all existing environment variables before setting the new ones?
	# implemented as in https://learn.microsoft.com/en-us/azure/container-apps/manage-secrets?tabs=azure-cli
	# TBD: consider putting all of this into a deploymentscript and reuse it and in deploy_prod!
	- name: Logout from Azure
	uses: azure/CLI@v2
	with:
	inlineScript: \|
	az logout
	az cache purge
	az account clear


	# DEBUG: manually fix migrations on the servers: az containerapp exec -g <resource_group> -n <backendAPI_containerapp_name> --command "/bin/sh"
	# Make sure to persist the changes to mounted volume and commit them to the repo afterwards!
	check_postgres_migrations:
	needs: deploy_stage
	runs-on: ubuntu-24.04
	permissions:
	id-token: write
	# packages: read
	environment: stage
	steps:
	- name: Login to Azure
	uses: azure/login@v2
	with:
	client-id: ${{ secrets.AZURE_GITHUBACTIONSMANAGEDIDENTITY_CLIENT_ID }}
	tenant-id: ${{ vars.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	- name: Check for migrations
	id: check_run
	run: \|
	mkdir -p postgres_migration
	script -q -e -c "az containerapp exec \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--command \"scripts/stage_prod/postgres_migration_check.sh\"" > postgres_migration/check_connection_${{ env.COMMIT_SHA }}.log
	az storage file download -s ${{ vars.AZURE_FILESHARE_APPDATA }} --account-name ${{ vars.AZURE_STORAGE_ACCOUNT }} -p ${{env.FILESHARE_APPDATA_MIGRATIONS_PATH}}/logs/check_${{ env.COMMIT_SHA }}.log --dest postgres_migration/check_${{ env.COMMIT_SHA }}.log
	az storage file download -s ${{ vars.AZURE_FILESHARE_APPDATA }} --account-name ${{ vars.AZURE_STORAGE_ACCOUNT }} -p ${{env.FILESHARE_APPDATA_MIGRATIONS_PATH}}/logs/check_exit_code_${{ env.COMMIT_SHA }}.log --dest postgres_migration/check_exit_code_${{ env.COMMIT_SHA }}.log
	ALEMBIC_EXIT_CODE=$(cat postgres_migration/check_exit_code_${{ env.COMMIT_SHA }}.log)
	echo "Alembic exit code: $ALEMBIC_EXIT_CODE"
	echo "alembic_check_exit_code=$ALEMBIC_EXIT_CODE" >> $GITHUB_OUTPUT
	- name: Upload migration check artifacts
	uses: actions/upload-artifact@v4
	with:
	name: postgres_migration_check_results_${{ env.COMMIT_SHA }}
	path: \|
	postgres_migration/check_${{ env.COMMIT_SHA }}.log
	postgres_migration/check_connection_${{ env.COMMIT_SHA }}.log
	postgres_migration/check_exit_code_${{ env.COMMIT_SHA }}.log
	# - name: Display migration check output
	# run: \|
	# echo ${{ steps.check_run.outputs.script_output }}
	# echo ${{ steps.check_run.outputs.script_exit_code }}
	- name: Logout from Azure
	uses: azure/CLI@v2
	with:
	inlineScript: \|
	az logout
	az cache purge
	az account clear
	outputs:
	alembic_check: ${{ steps.check_run.outputs.alembic_check_exit_code }}


	create_postgres_migration_scripts:
	needs: check_postgres_migrations
	if: ${{ needs.check_postgres_migrations.outputs.alembic_check != 0 }}
	runs-on: ubuntu-24.04
	permissions:
	id-token: write
	contents: write
	pull-requests: write
	environment: stage
	env:
	MIGRATION_FILES_PATH: backendAPI/src/migrations/stage_prod/versions
	steps:
	- uses: actions/checkout@v4
	- name: Check what directory we are in
	# maybe we need a checkout repo step?
	run: \|
	pwd
	ls -la
	- name: Echo COMMIT_SHA
	run: \|
	echo ${{ env.COMMIT_SHA }}
	echo $COMMIT_SHA
	- name: Login to Azure
	uses: azure/login@v2
	with:
	client-id: ${{ secrets.AZURE_GITHUBACTIONSMANAGEDIDENTITY_CLIENT_ID }}
	tenant-id: ${{ vars.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	- name: Create migration scripts
	id: migration_scripts
	# OUTPUT=$(script -q -e -c "pwd")
	# OUTPUT=$(script -q -e -c "az containerapp exec \
	# --name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	# --resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	# --command \"scripts/stage_prod/postgres_migration_check.sh\""
	run: \|
	mkdir -p postgres_migration
	script -q -e -c "az containerapp exec \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--command \"scripts/stage_prod/postgres_migration_revision.sh\"" > postgres_migration/revision_connection_${{ env.COMMIT_SHA }}.log
	az storage file download -s ${{ vars.AZURE_FILESHARE_APPDATA }} --account-name ${{ vars.AZURE_STORAGE_ACCOUNT }} -p ${{env.FILESHARE_APPDATA_MIGRATIONS_PATH}}/logs/revision_${{ env.COMMIT_SHA }}.log --dest postgres_migration/revision_${{ env.COMMIT_SHA }}.log
	az storage file download -s ${{ vars.AZURE_FILESHARE_APPDATA }} --account-name ${{ vars.AZURE_STORAGE_ACCOUNT }} -p ${{env.FILESHARE_APPDATA_MIGRATIONS_PATH}}/logs/revision_filename_${{ env.COMMIT_SHA }}.log --dest postgres_migration/revision_filename_${{ env.COMMIT_SHA }}.log
	cat postgres_migration/revision_connection_${{ env.COMMIT_SHA }}.log
	cat postgres_migration/revision_${{ env.COMMIT_SHA }}.log
	cat postgres_migration/revision_filename_${{ env.COMMIT_SHA }}.log
	MIGRATION_SCRIPT_PATH_REMOTE=$(cat postgres_migration/revision_filename_${{ env.COMMIT_SHA }}.log)
	MIGRATION_SCRIPT_PATH_REMOTE=${MIGRATION_SCRIPT_PATH_REMOTE#/}
	MIGRATION_SCRIPT_FILENAME=$(basename $MIGRATION_SCRIPT_PATH_REMOTE)
	echo "MIGRATION_SCRIPT_FILENAME=$MIGRATION_SCRIPT_FILENAME" >> $GITHUB_ENV
	az storage file download -s ${{ vars.AZURE_FILESHARE_APPDATA }} --account-name ${{ vars.AZURE_STORAGE_ACCOUNT }} -p migrations/stage_prod/versions/$MIGRATION_SCRIPT_FILENAME --dest $MIGRATION_FILES_PATH/$MIGRATION_SCRIPT_FILENAME
	cat $MIGRATION_FILES_PATH/$MIGRATION_SCRIPT_FILENAME
	# For debugging enter container with:
	# az containerapp exec -n <resource_name> -g <resource_group> --command "/bin/sh"
	- name: Upload migration check artifacts
	uses: actions/upload-artifact@v4
	with:
	name: postgres_migration_revision_results_${{ env.COMMIT_SHA }}
	path: \|
	postgres_migration/revision_connection_${{ env.COMMIT_SHA }}.log
	postgres_migration/revision_${{ env.COMMIT_SHA }}.log
	$MIGRATION_FILES_PATH/${{ env.MIGRATION_SCRIPT_FILENAME }}
	- name: Echo the migration script
	run: \|
	cat $MIGRATION_FILES_PATH/${{ env.MIGRATION_SCRIPT_FILENAME }}
	# - name: Commit migration script
	# uses: EndBug/add-and-commit@v9
	# with:
	# add: '${{ env.MIGRATION_FILES_PATH}}/${{ env.MIGRATION_SCRIPT_FILENAME }}'
	# message: '[migrations] Add migration script for commit ${{ env.COMMIT_SHA }}'
	# - name: Echo git status
	# run: \|
	# git status
	- name: Create a pull request
	uses: peter-evans/create-pull-request@v5
	with:
	title: "[migrations] for postgres for commit ${{ env.COMMIT_SHA }}"
	add-paths: '${{ env.MIGRATION_FILES_PATH}}/*'
	commit-message: "[migrations] for commit ${{ env.COMMIT_SHA }}"
	branch: "migrations/${{ env.COMMIT_SHA }}"
	base: stage
	delete-branch: true
	labels: "postgres"
	# or branch: "migrations/${{ env.COMMIT_SHA }}"


	# deploy_prod:
	# needs: [deploy-stage, check_postgres_migrations, migration-workflow]
	# if: \|
	# github.event.ref == 'refs/heads/main' &&
	# (needs.check_postgres_migrations.outputs.alembic_check == '0' \|\| needs.migration-workflow.result == 'success')
	# # ...

	# No: the whole piepline is rerun on pull request from migrating database:
	# deploy_prod:
	# needs: [deploy-stage, check_postgres_migrations
	# if: \|
	# github.event.ref == 'refs/heads/main' &&
	# needs.check_postgres_migrations.outputs.alembic_check == '0'
	# if the migration workflow was not successful, the pull request did not get created!

	deploy_prod:
	needs: [ deploy_stage, check_postgres_migrations ]
	# if: ${{ github.event.ref == 'refs/heads/main' && needs.check_postgres_migrations.outputs.alembic_check == 0 }}
	if: ${{ (github.event.ref == 'refs/heads/main' \|\| github.event.workflow_run.head_branch == 'main') && needs.check_postgres_migrations.outputs.alembic_check == 0 }}
	# as this environmnet requires a manual review:
	# also wait on the pull request from postgres migrations to be merged
	# if check migrations detected changes.
	runs-on: ubuntu-24.04
	permissions:
	id-token: write
	packages: read
	environment: prod
	steps:
	# - name: echos github.event.after variable
	# run: \|
	# echo "=== Is this the correct tag: github.event.after? ==="
	# echo ${{ github.event.after }}
	# echo $CONTAINER_TAG
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Login to Azure
	uses: azure/login@v2
	with:
	client-id: ${{ secrets.AZURE_GITHUBACTIONSMANAGEDIDENTITY_CLIENT_ID }}
	tenant-id: ${{ vars.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	- name: Deploy to production
	# TBD: changing mode to single here, as there is a terraform bug with the time-out, when setting containerapp to single!
	env:
	IDENTITY_REF: "/subscriptions/${{secrets.AZURE_SUBSCRIPTION_ID}}/resourcegroups/${{vars.AZURE_RESOURCE_GROUP}}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${{vars.AZURE_BACKENDIDENTITY_NAME}}"
	# TBD: consider putting all of this into adeploymentscript and reuse her and in deploy_stage!
	run: \|
	az containerapp revision set-mode \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--mode single
	az containerapp secret set \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--secrets \
	"postgres-user=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}secrets/postgres-user,identityref:$IDENTITY_REF" \
	"postgres-password=keyvaultref:${{ vars.AZURE_KEYVAULT_HOST }}secrets/postgres-password,identityref:$IDENTITY_REF"
	sleep 10
	az containerapp update \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--image ${{env.REGISTRY}}/${{github.repository}}-backend_api:$COMMIT_SHA \
	--set-env-vars \
	"POSTGRES_DB=${{ vars.POSTGRES_DB }}" \
	"POSTGRES_USER=secretref:postgres-user" \
	"POSTGRES_PASSWORD=secretref:postgres-password"
	- name: Upgrade database
	run: \|
	mkdir -p postgres_migration
	script -q -e -c "az containerapp exec \
	--name ${{ vars.AZURE_CONTAINERAPP_BACKEND }} \
	--resource-group ${{vars.AZURE_RESOURCE_GROUP}} \
	--command \"scripts/stage_prod/postgres_migration_upgrade.sh\"" > postgres_migration/upgrade_prod_${{ env.COMMIT_SHA }}.log
	- name: Upload migration upgrade artifacts
	uses: actions/upload-artifact@v4
	with:
	name: postgres_migration_upgrade_prod_results_${{ env.COMMIT_SHA }}
	path: postgres_migration/upgrade_prod_${{ env.COMMIT_SHA }}.log
	# TBD: consider deleting all existing environment variables before setting the new ones?
	# implemented as in https://learn.microsoft.com/en-us/azure/container-apps/manage-secrets?tabs=azure-cli
	# TBD: consider displaying a "maintanance" page while the migrations are running - but more likely, the new container hasn't activated anyways yet.
	# TBD: or consider creating separate migration scripts for stage and prod? => another pull request? 2 different directories?
	- name: Logout from Azure
	uses: azure/CLI@v2
	with:
	inlineScript: \|
	az logout
	az cache purge
	az account clear

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: prepares oauth-scheme for dependency injetion in FastAPI with … #714

Workflow file

chore: prepares oauth-scheme for dependency injetion in FastAPI with … #714

Jobs

Run details

Workflow file for this run