fix: public envs #14886
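name: Config values
on:
  push:
    branches:
      - 'main'
      - 'release/**'
      - 'pre-release/**'
    paths:
      - 'charts/**'
      - 'infra/**'
      - '**/infra/**'
  workflow_dispatch: {}
  pull_request:
    paths:
      - 'charts/**'
      - 'infra/**'
      - '**/infra/**'
# NOTE(review): there is no top-level `permissions:` block, so every job
# receives the repository's default GITHUB_TOKEN scope. Consider
# `permissions: contents: read` once it is confirmed that the dirtybot
# push-back path relies only on DIRTY_FIX_BOT_TOKEN and not on GITHUB_TOKEN.
defaults:
  run:
    shell: bash
env:
  # Quoted so the value is unambiguously a string, matching the per-step
  # AWS_MAX_ATTEMPTS: '6' overrides below.
  AWS_MAX_ATTEMPTS: '10'
  GITHUB_ACTIONS_CACHE_URL: https://cache.dev01.devland.is/
jobs:
  # Decides which environments the check-secrets matrix covers:
  # dev and staging always, prod only when the branch is release/*.
  prepare:
    runs-on: ec2-runners
    container:
      image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest
    outputs:
      ENVS: ${{ steps.select_envs.outputs.ENVS }}
    steps:
      - name: Select secret envs to check
        id: select_envs
        run: |
          set -euo pipefail
          # On pull_request GITHUB_HEAD_REF is the source branch; otherwise
          # strip the refs/heads/ prefix from GITHUB_REF.
          GIT_BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF/refs\/heads\//}}"
          ENVS=("dev" "staging")
          if [[ "$GIT_BRANCH" =~ ^release\/ ]]; then
            echo "Adding prod environments to test set"
            ENVS+=("prod")
          fi
          # Emit a compact JSON array (-c) so the matrix object stays on one line.
          ENVS_JSON="$(printf '%s\n' "${ENVS[@]}" | jq -R . | jq -sc .)"
          echo "ENVS={\"env\":$ENVS_JSON}" >> "$GITHUB_OUTPUT"

  # Runs the infra unit tests and verifies the generated chart values;
  # on pull requests it also pushes any regenerated charts back to the PR.
  helm-values-validation:
    runs-on: ec2-runners
    container:
      image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest
    timeout-minutes: 5
    steps:
      # The PR branch is checked out by name with a bot token so the
      # "Commit any changes to charts" step can push back to it. This is the
      # `pull_request` event (not `pull_request_target`), so fork PRs do not
      # receive the secret; keep the bot token scoped to the minimum needed.
      - uses: actions/checkout@v4
        if: ${{ github.event_name == 'pull_request' }}
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ secrets.DIRTY_FIX_BOT_TOKEN }}
      - uses: actions/checkout@v4
        if: ${{ github.event_name != 'pull_request' }}
      - uses: actions/setup-node@v4
        with:
          node-version-file: 'package.json'
      - name: Setup yarn
        run: corepack enable
      - name: Cache for NodeJS dependencies
        id: node-modules
        continue-on-error: true
        uses: ./.github/actions/cache
        with:
          path: infra/node_modules
          # Same key as check-secrets so the cache populated here is reused there.
          key: ${{ runner.os }}-${{ hashFiles('infra/yarn.lock') }}-infra-2
      - name: Check cache success
        run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1'
      - name: Building NodeJS dependencies
        if: steps.node-modules.outputs.cache-hit != 'true'
        working-directory: infra
        run: yarn install --immutable
      - name: Run unit tests
        run: ./infra/scripts/ci/test-unit.sh
      - name: Check chart values are up-to-date
        # github.ref is 'refs/heads/main'; the previous 'ref/heads/main' never matched,
        # so this step was silently skipped on every run.
        if: ${{ github.ref == 'refs/heads/main' }}
        run: ./infra/scripts/ci/diff-chart-values-all-charts.sh
      - name: Commit any changes to charts
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          (cd infra && yarn charts)
          ./infra/scripts/ci/git-check-dirty.sh "charts/" "charts" "dirtybot"

  # For each selected environment, lists the SSM parameter names the infra
  # code requires and fails if any of them is absent from the AWS account(s).
  check-secrets:
    needs:
      - prepare
      - helm-values-validation # waiting on this job so the cache would be prepared
    runs-on: ec2-runners
    container:
      image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.prepare.outputs.ENVS) }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: 'package.json'
      - name: Cache for NodeJS dependencies
        id: node-modules
        continue-on-error: true
        uses: ./.github/actions/cache
        with:
          path: infra/node_modules
          # Must match the key in helm-values-validation, otherwise waiting on that
          # job does not actually warm this cache.
          key: ${{ runner.os }}-${{ hashFiles('infra/yarn.lock') }}-infra-2
      - name: Check cache success
        run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1'
      - name: Building NodeJS dependencies
        if: steps.node-modules.outputs.cache-hit != 'true'
        working-directory: infra
        run: yarn install --immutable
      - name: Select role
        # matrix.env is one of dev/staging/prod, produced by the prepare job
        # (not user input), so `$dev`-style indirection is safe here.
        env:
          prod: arn:aws:iam::251502586493:role/list-ssm-parameters
          dev: arn:aws:iam::013313053092:role/list-ssm-parameters
          staging: arn:aws:iam::261174024191:role/list-ssm-parameters
        run: echo "ROLE=$${{ matrix.env }}" >> "$GITHUB_ENV"
      - name: Get local secrets
        working-directory: infra
        run: node -r esbuild-register src/secrets.ts get-all-required-secrets --env=${{ matrix.env }} >> LOCAL_SECRETS
      # NOTE(review): both credential steps use a long-lived access key pair to
      # assume a read-only role; OIDC-based role assumption would remove the
      # static secret from the repository entirely.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.DESCRIBE_SSM_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DESCRIBE_SSM_AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1
          role-to-assume: ${{ env.ROLE }}
          role-duration-seconds: 900
          role-session-name: DescribeSSM
      - name: Get secrets in AWS
        env:
          AWS_RETRY_MODE: standard
          AWS_MAX_ATTEMPTS: '6'
        # The JMESPath query is quoted so bash cannot glob-expand `[*]`.
        run: aws ssm describe-parameters --query='Parameters[*].[Name]' --output=text >> CLOUD_SECRETS
        working-directory: infra
      - name: Configure AWS Credentials for IDS Prod
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.DESCRIBE_SSM_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DESCRIBE_SSM_AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1
          role-duration-seconds: 900
          role-to-assume: arn:aws:iam::567113216315:role/list-ssm-parameters
      - name: Get secrets in IDS Prod AWS
        env:
          AWS_RETRY_MODE: standard
          AWS_MAX_ATTEMPTS: '6'
        run: aws ssm describe-parameters --query='Parameters[*].[Name]' --output=text >> CLOUD_SECRETS
        working-directory: infra
      - name: Compare secrets
        working-directory: infra
        # Plain bash without -e flags; the script sets its own strict mode so a
        # grep with no matches (exit 1) can be used as the `if` condition.
        shell: /bin/bash {0}
        run: |
          set -euo pipefail
          # Every line of LOCAL_SECRETS that is not an exact line of CLOUD_SECRETS is missing.
          if missing="$(grep -vxFf CLOUD_SECRETS LOCAL_SECRETS)"; then
            echo "Required secrets not available in environment ${{ matrix.env }}:"
            while IFS= read -r secret ; do echo "$secret"; done <<< "$missing"
            exit 1
          fi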