Build and push to AWS ECR Staging on schedule #38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and push to AWS ECR Staging on schedule | |
| on: | |
| push: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: "0 12 * * 3" | |
| workflow_dispatch: | |
| env: | |
| DOCKER_ORG: public.ecr.aws/cds-snc | |
| DOCKER_SLUG: public.ecr.aws/cds-snc/notify-ipv4-geolocate-webservice | |
| KUBECTL_VERSION: '1.25.4' | |
| OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.STAGING_OP_SERVICE_ACCOUNT_TOKEN }} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| deploy: | |
| if: ${{ github.ref == 'refs/heads/main' }} | |
| runs-on: ubuntu-latest | |
| name: Build and push | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Set RELEASE_TAG environment variable | |
| run: echo "RELEASE_TAG=$(date '+%Y-%m-%d')" >> $GITHUB_ENV | |
| - name: Install AWS CLI | |
| run: | | |
| curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" | |
| unzip -q awscliv2.zip | |
| sudo ./aws/install --update | |
| aws --version | |
| - name: Configure credentials to CDS public ECR using OIDC | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: arn:aws:iam::283582579564:role/ipv4-geolocate-webservice-apply | |
| role-session-name: Ipv4GeolocateWebserviceGitHubActions | |
| aws-region: "us-east-1" | |
| - name: Login to ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| registry-type: public | |
| - name: Build | |
| run: | | |
| docker build --build-arg LICENSE_KEY=${{ secrets.MAXMIND_LICENSE_KEY }} -t $DOCKER_SLUG:$RELEASE_TAG -t $DOCKER_SLUG:latest . | |
| - name: Publish | |
| run: | | |
| docker push $DOCKER_SLUG:latest && docker push $DOCKER_SLUG:`date '+%Y-%m-%d'` | |
| - name: Configure credentials to Notify staging EKS using OIDC | |
| uses: aws-actions/configure-aws-credentials@master | |
| with: | |
| role-to-assume: arn:aws:iam::239043911459:role/ipv4-geolocate-webservice-apply | |
| role-session-name: Ipv4GeolocateWebserviceGitHubActions | |
| aws-region: "ca-central-1" | |
| - name: Install OpenVPN | |
| run: | | |
| sudo apt update | |
| sudo apt install -y openvpn openvpn-systemd-resolved | |
| - name: Install 1Pass CLI | |
| run: | | |
| curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb | |
| sudo dpkg -i 1pass.deb | |
| - name: Setup Terraform tools | |
| uses: cds-snc/terraform-tools-setup@v1 | |
| env: # In case you want to override default versions | |
| CONFTEST_VERSION: 0.30.0 | |
| TERRAFORM_VERSION: 1.9.5 | |
| TERRAGRUNT_VERSION: 0.66.9 | |
| TF_SUMMARIZE_VERSION: 0.2.3 | |
| - name: Fetch VPN | |
| run: | | |
| curl https://raw.githubusercontent.com/cds-snc/notification-manifests/refs/heads/main/scripts/createVPNConfig.sh | bash -s staging | |
| - name: Connect to VPN | |
| uses: "kota65535/github-openvpn-connect-action@cd2ed8a90cc7b060dc4e001143e811b5f7ea0af5" | |
| with: | |
| config_file: /var/tmp/staging.ovpn | |
| echo_config: false | |
| - name: Get Kubernetes configuration | |
| run: | | |
| aws eks --region $AWS_REGION update-kubeconfig --name notification-canada-ca-staging-eks-cluster --kubeconfig $HOME/.kube/config | |
| - name: Update image in staging | |
| run: | | |
| kubectl set image deployment.apps/ipv4 ipv4=$DOCKER_SLUG:$RELEASE_TAG -n=notification-canada-ca --kubeconfig=$HOME/.kube/config |