Skip to content

fix: public envs #14886

fix: public envs

fix: public envs #14886

Workflow file for this run

name: Config values
on:
push:
branches:
- 'main'
- 'release/**'
- 'pre-release/**'
paths:
- 'charts/**'
- 'infra/**'
- '**/infra/**'
workflow_dispatch: {}
pull_request:
paths:
- 'charts/**'
- 'infra/**'
- '**/infra/**'
defaults:
run:
shell: bash
env:
AWS_MAX_ATTEMPTS: 10
GITHUB_ACTIONS_CACHE_URL: https://cache.dev01.devland.is/
jobs:
prepare:
runs-on: ec2-runners
container:
image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest
outputs:
ENVS: ${{ steps.select_envs.outputs.ENVS }}
steps:
- name: Select secret envs to check
id: select_envs
run: |
set -euo pipefail
GIT_BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF/refs\/heads\//}}"
# ENVS=("dev" "staging")
ENVS=("dev" "staging")
if [[ "$GIT_BRANCH" =~ ^release\/ ]]; then
echo "Adding prod environments to test set"
ENVS+=("prod")
fi
ENVS_JSON="$(printf '%s\n' "${ENVS[@]}" | jq -R . | jq -s . | tr -d '[:space:]')"
echo "ENVS={\"env\":$ENVS_JSON}" >> "$GITHUB_OUTPUT"
helm-values-validation:
runs-on: ec2-runners
container:
image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
if: ${{ github.event_name == 'pull_request' }}
with:
ref: ${{ github.event.pull_request.head.ref }}
token: ${{ secrets.DIRTY_FIX_BOT_TOKEN }}
- uses: actions/checkout@v4
if: ${{ github.event_name != 'pull_request' }}
- uses: actions/setup-node@v4
with:
node-version-file: 'package.json'
- name: Setup yarn
run: corepack enable
- name: Cache for NodeJS dependencies
id: node-modules
continue-on-error: true
uses: ./.github/actions/cache
with:
path: infra/node_modules
key: ${{ runner.os }}-${{ hashFiles('infra/yarn.lock') }}-infra-2
- name: Check cache success
run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1'
- name: Building NodeJS dependencies
if: steps.node-modules.outputs.cache-hit != 'true'
working-directory: infra
run: yarn install --immutable
- name: Run unit tests
run: ./infra/scripts/ci/test-unit.sh
- name: Check chart values are up-to-date
if: ${{ github.ref == 'ref/heads/main' }}
run: ./infra/scripts/ci/diff-chart-values-all-charts.sh
- name: Commit any changes to charts
if: ${{ github.event_name == 'pull_request' }}
run: |
(cd infra && yarn charts)
./infra/scripts/ci/git-check-dirty.sh "charts/" "charts" "dirtybot"
check-secrets:
needs:
- prepare
- helm-values-validation # waiting on this job so the cache would be prepared
runs-on: ec2-runners
container:
image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.prepare.outputs.ENVS) }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version-file: 'package.json'
- name: Cache for NodeJS dependencies
id: node-modules
continue-on-error: true
uses: ./.github/actions/cache
with:
path: infra/node_modules
key: ${{ runner.os }}-${{ hashFiles('infra/yarn.lock') }}-infra
- name: Check cache success
run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1'
- name: Building NodeJS dependencies
if: steps.node-modules.outputs.cache-hit != 'true'
working-directory: infra
run: yarn install --immutable
- name: Select role
env:
prod: arn:aws:iam::251502586493:role/list-ssm-parameters
dev: arn:aws:iam::013313053092:role/list-ssm-parameters
staging: arn:aws:iam::261174024191:role/list-ssm-parameters
run: echo "ROLE=$${{ matrix.env }}" >> "$GITHUB_ENV"
- name: Get local secrets
working-directory: infra
run: node -r esbuild-register src/secrets.ts get-all-required-secrets --env=${{ matrix.env }} >> LOCAL_SECRETS
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.DESCRIBE_SSM_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.DESCRIBE_SSM_AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
role-to-assume: ${{ env.ROLE }}
role-duration-seconds: 900
role-session-name: DescribeSSM
- name: Get secrets in AWS
env:
AWS_RETRY_MODE: standard
AWS_MAX_ATTEMPTS: '6'
run: aws ssm describe-parameters --query=Parameters[*].[Name] --output=text >> CLOUD_SECRETS
working-directory: infra
- name: Configure AWS Credentials for IDS Prod
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.DESCRIBE_SSM_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.DESCRIBE_SSM_AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
role-duration-seconds: 900
role-to-assume: arn:aws:iam::567113216315:role/list-ssm-parameters
- name: Get secrets in IDS Prod AWS
env:
AWS_RETRY_MODE: standard
AWS_MAX_ATTEMPTS: '6'
run: aws ssm describe-parameters --query=Parameters[*].[Name] --output=text >> CLOUD_SECRETS
working-directory: infra
- name: Compare secrets
working-directory: infra
shell: /bin/bash {0}
run: |
set -euo pipefail
if missing="$(grep -vxFf CLOUD_SECRETS LOCAL_SECRETS)"; then
echo "Required secrets not available in environment ${{ matrix.env }}:"
while IFS= read -r secret ; do echo $secret; done <<< "$missing"
exit 1
fi