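name: Config values

on:
  push:
    branches:
      - 'main'
      - 'release/**'
      - 'pre-release/**'
    paths:
      - 'charts/**'
      - 'infra/**'
      - '**/infra/**'
  workflow_dispatch: {}
  pull_request:
    paths:
      - 'charts/**'
      - 'infra/**'
      - '**/infra/**'

# Least privilege for GITHUB_TOKEN: nothing in this workflow pushes with it.
# The only push (the dirtybot commit in helm-values-validation) runs on a
# checkout made with DIRTY_FIX_BOT_TOKEN, which actions/checkout persists
# into .git/config by default.
# NOTE(review): confirm git-check-dirty.sh does not read GITHUB_TOKEN itself.
permissions:
  contents: read

defaults:
  run:
    shell: bash

env:
  AWS_MAX_ATTEMPTS: 10
  GITHUB_ACTIONS_CACHE_URL: https://cache.dev01.devland.is/

jobs:
  # Decides which environments check-secrets fans out over.
  # prod is only added for release/* branches.
  prepare:
    runs-on: ec2-runners
    container:
      # NOTE(review): ':latest' is a mutable tag; pin the runner image by digest
      # so the job environment is reproducible and not silently replaceable.
      image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest
    timeout-minutes: 5
    outputs:
      ENVS: ${{ steps.select_envs.outputs.ENVS }}
    steps:
      - name: Select secret envs to check
        id: select_envs
        run: |
          set -euo pipefail
          # PR runs: head branch name; push runs: GITHUB_REF with refs/heads/ stripped.
          GIT_BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF/refs\/heads\//}}"
          ENVS=("dev" "staging")
          if [[ "$GIT_BRANCH" =~ ^release\/ ]]; then
            echo "Adding prod environments to test set"
            ENVS+=("prod")
          fi
          # Emit {"env":["dev","staging",...]} so check-secrets can fromJson() it as a matrix.
          ENVS_JSON="$(printf '%s\n' "${ENVS[@]}" | jq -R . | jq -s . | tr -d '[:space:]')"
          echo "ENVS={\"env\":$ENVS_JSON}" >> "$GITHUB_OUTPUT"

  helm-values-validation:
    runs-on: ec2-runners
    container:
      image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest
    timeout-minutes: 5
    steps:
      # On PRs check out the head branch with the bot PAT so the
      # "Commit any changes to charts" step below can push back to it.
      # NOTE(review): for PRs from forks the PAT secret is not exposed and
      # head.ref does not exist in this repository, so this checkout is
      # expected to fail there — confirm that is acceptable.
      - uses: actions/checkout@v4
        if: ${{ github.event_name == 'pull_request' }}
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ secrets.DIRTY_FIX_BOT_TOKEN }}
      - uses: actions/checkout@v4
        if: ${{ github.event_name != 'pull_request' }}
      - uses: actions/setup-node@v4
        with:
          node-version-file: 'package.json'
      - name: Setup yarn
        run: corepack enable
      - name: Cache for NodeJS dependencies
        id: node-modules
        continue-on-error: true
        uses: ./.github/actions/cache
        with:
          path: infra/node_modules
          key: ${{ runner.os }}-${{ hashFiles('infra/yarn.lock') }}-infra-2
      - name: Check cache success
        # Passed via env rather than interpolated into the script so the
        # step output can never be parsed as shell.
        env:
          CACHE_SUCCESS: ${{ steps.node-modules.outputs.success }}
        run: '[[ "$CACHE_SUCCESS" != "false" ]] || exit 1'
      - name: Building NodeJS dependencies
        if: steps.node-modules.outputs.cache-hit != 'true'
        working-directory: infra
        run: yarn install --immutable
      - name: Run unit tests
        run: ./infra/scripts/ci/test-unit.sh
      - name: Check chart values are up-to-date
        # github.ref is 'refs/heads/main'. The previous condition compared
        # against 'ref/heads/main', which never matched, so this drift check
        # was silently skipped on every push to main.
        if: ${{ github.ref == 'refs/heads/main' }}
        run: ./infra/scripts/ci/diff-chart-values-all-charts.sh
      - name: Commit any changes to charts
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          (cd infra && yarn charts)
          ./infra/scripts/ci/git-check-dirty.sh "charts/" "charts" "dirtybot"

  # For each selected environment, verify that every secret the infra code
  # requires exists as an SSM parameter (by name only; values are never read).
  check-secrets:
    needs:
      - prepare
      - helm-values-validation # waiting on this job so the cache would be prepared
    runs-on: ec2-runners
    container:
      image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.prepare.outputs.ENVS) }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: 'package.json'
      - name: Cache for NodeJS dependencies
        id: node-modules
        continue-on-error: true
        uses: ./.github/actions/cache
        with:
          path: infra/node_modules
          # Must match the key used in helm-values-validation. It was
          # '-infra' here and '-infra-2' there, so the cache this job waits
          # for was never actually hit.
          key: ${{ runner.os }}-${{ hashFiles('infra/yarn.lock') }}-infra-2
      - name: Check cache success
        env:
          CACHE_SUCCESS: ${{ steps.node-modules.outputs.success }}
        run: '[[ "$CACHE_SUCCESS" != "false" ]] || exit 1'
      - name: Building NodeJS dependencies
        if: steps.node-modules.outputs.cache-hit != 'true'
        working-directory: infra
        run: yarn install --immutable
      - name: Select role
        # Map the matrix env name (dev/staging/prod) to that account's role
        # ARN via bash indirect expansion; nothing from the matrix is
        # interpolated into the script text.
        env:
          TARGET_ENV: ${{ matrix.env }}
          prod: arn:aws:iam::251502586493:role/list-ssm-parameters
          dev: arn:aws:iam::013313053092:role/list-ssm-parameters
          staging: arn:aws:iam::261174024191:role/list-ssm-parameters
        run: echo "ROLE=${!TARGET_ENV}" >> "$GITHUB_ENV"
      - name: Get local secrets
        working-directory: infra
        env:
          TARGET_ENV: ${{ matrix.env }}
        run: node -r esbuild-register src/secrets.ts get-all-required-secrets --env="$TARGET_ENV" >> LOCAL_SECRETS
      # NOTE(review): DESCRIBE_SSM_* are long-lived static access keys held as
      # GitHub secrets. The same role assumption can be done with GitHub OIDC
      # (job permission `id-token: write`, no static keys) once the roles'
      # trust policies allow this repository's token.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.DESCRIBE_SSM_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DESCRIBE_SSM_AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1
          role-to-assume: ${{ env.ROLE }}
          role-duration-seconds: 900
          role-session-name: DescribeSSM
      - name: Get secrets in AWS
        env:
          AWS_RETRY_MODE: standard
          AWS_MAX_ATTEMPTS: '6'
        # Lists parameter names only; no parameter values are fetched.
        run: aws ssm describe-parameters --query=Parameters[*].[Name] --output=text >> CLOUD_SECRETS
        working-directory: infra
      - name: Configure AWS Credentials for IDS Prod
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.DESCRIBE_SSM_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DESCRIBE_SSM_AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1
          role-duration-seconds: 900
          # Same session name as the first assume-role so CloudTrail attribution is consistent.
          role-session-name: DescribeSSM
          role-to-assume: arn:aws:iam::567113216315:role/list-ssm-parameters
      - name: Get secrets in IDS Prod AWS
        env:
          AWS_RETRY_MODE: standard
          AWS_MAX_ATTEMPTS: '6'
        # Appended to the same file: a required name may live in either account.
        run: aws ssm describe-parameters --query=Parameters[*].[Name] --output=text >> CLOUD_SECRETS
        working-directory: infra
      - name: Compare secrets
        working-directory: infra
        env:
          TARGET_ENV: ${{ matrix.env }}
        shell: /bin/bash {0}
        run: |
          set -euo pipefail
          # Whole-line, fixed-string match: every line of LOCAL_SECRETS that is
          # not present verbatim in CLOUD_SECRETS is a missing required secret.
          if missing="$(grep -vxFf CLOUD_SECRETS LOCAL_SECRETS)"; then
            echo "Required secrets not available in environment $TARGET_ENV:"
            while IFS= read -r secret ; do echo "$secret"; done <<< "$missing"
            exit 1
          fi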