fix deploy falsely reports passing when it failed

If the webapp publish profile secret is empty, webapps-deploy v3 doesn’t deploy but reports the deploy as passing. See Azure/webapps-deploy [Issue #404](Azure/webapps-deploy#404). Configs were set before running the deploy. This means that the config values in Azure are updated even if the deploy fails. Also, as written, the action was runnable by anyone with write access. That is too broad for production. To avoid these known issues: * check that all required secrets are set before proceeding * only update configs if the deploy passes * call the reusable workflow that checks if the user has access to deploy
clearlydefined · Apr 12, 2024 · da9a32c · da9a32c
1 parent 8214149
commit da9a32c
Showing 1 changed file with 56 additions and 16 deletions.
diff --git a/.github/workflows/build_and_deploy_prod.yml b/.github/workflows/build_and_deploy_prod.yml
@@ -12,10 +12,14 @@ on:
 # There are secrets and environment variables that need to be set that control what is pushed to
 # ghcr and Azure.
 #
+# Org Secrets:
+#   DEPLOY_TOKEN:               token with permissions needed to determine if github.actor can deploy to production
+#   PRODUCTION_DEPLOYERS:       name of team identifying users that can deploy to production
+#   AZURE_CREDENTIALS:          service principal that has access to the Azure apps
+#
 # Secrets:
-#   AZURE_CREDENTIALS_PROD:          service principal that has access to the Azure prod WebApp
-#   AZURE_WEBAPP_PUBLISH_PROFILE:    publish profile for the Azure WebApp
-#   AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the Azure WebApp in Europe
+#   AZURE_WEBAPP_PUBLISH_PROFILE:    publish profile for the service production Azure WebApp
+#   AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the service production Azure WebApp in Europe
 #
 # Environment Variables:
 #   APPLICATION_TYPE:     type of application that is being deployed; used to add a label to the Docker image (values: api | web | worker)
@@ -34,10 +38,39 @@ env:
   DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/${{ github.repository }}
 
 jobs:
+  check-deployable:
+    uses: clearlydefined/operations/.github/workflows/deployable.yml@elr/deploy-limits
+    secrets: inherit
+
   build-and-deploy:
     name: Build and Deploy
     runs-on: ubuntu-latest
+    needs: check-deployable
     steps:
+      # verify required secrets are set
+      - name: Check secrets
+        run: |
+          if [[ -z "${{ secrets.AZURE_CREDENTIALS }}" ]]; then
+            echo "AZURE_CREDENTIALS is not set"
+            exit 1
+          fi
+          if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}" ]]; then
+            echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD is not set"
+            exit 1
+          fi
+          if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}" ]]; then
+            echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU is not set"
+            exit 1
+          fi
+          if [[ -z "${{ secrets.PRODUCTION_DEPLOYERS }}" ]]; then
+            echo "PRODUCTION_DEPLOYERS is not set"
+            exit 1
+          fi
+          if [[ -z "${{ secrets.DEPLOY_TOKEN }}" ]]; then
+            echo "DEPLOY_TOKEN is not set"
+            exit 1
+          fi
+  
       - name: Get version
         id: package
         run: |
@@ -75,8 +108,18 @@ jobs:
       - name: Login for Azure cli commands
         uses: azure/login@v2.0.0
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS_PROD }}
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
 
+      # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD isn't set, but should fail.
+      # Added secret check above to ensure it is set.
+      - name: Deploy to Azure WebApp
+        uses: azure/webapps-deploy@v3.0.1
+        with:
+          app-name: ${{ env.AZURE_WEBAPP_NAME }}
+          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
+          images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
+
+      # set configs after deploy in case the deploy fails
       - name: Set DOCKER configs in Azure web app
         uses: azure/appservice-settings@v1.1.1
         with:
@@ -104,14 +147,17 @@ jobs:
                 "slotSetting": false
               }
             ]
-
-      - name: Deploy to Azure WebApp
-        uses: azure/webapps-deploy@v3.0.0
+  
+      # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU isn't set, but should fail.
+      # Added secret check to ensure it is set.
+      - name: Deploy to Azure EU WebApp
+        uses: azure/webapps-deploy@v3.0.1
         with:
-          app-name: ${{ env.AZURE_WEBAPP_NAME }}
-          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
+          app-name: ${{ env.AZURE_EU_WEBAPP_NAME }}
+          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
           images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
 
+      # set configs after deploy in case the deploy fails
       - name: Set DOCKER configs in Azure EU web app
         uses: azure/appservice-settings@v1.1.1
         with:
@@ -139,10 +185,4 @@ jobs:
                 "slotSetting": false
               }
             ]
-
-      - name: Deploy to Azure EU WebApp
-        uses: azure/webapps-deploy@v3.0.0
-        with:
-          app-name: ${{ env.AZURE_EU_WEBAPP_NAME }}
-          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
-          images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
+