Trigger workflow #3
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: deploy | |
| on: | |
| push: | |
| branches: ["main", "feature/*"] | |
| env: | |
| AWS_DEFAULT_REGION: us-east-1 | |
| AWS_DEFAULT_OUTPUT: json | |
| jobs: | |
| code-quality: | |
| name: Check Coding Standards | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Runner Details | |
| run: | | |
| echo "Job triggered by ${{ github.event_name }} event." | |
| echo "Job running on a ${{ runner.os }} server hosted by GitHub." | |
| echo "Pipeline's branch name is ${{ github.ref }} and repository is ${{ github.repository }}." | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| virtualenvs-create: true | |
| virtualenvs-in-project: true | |
| installer-parallel: true | |
| - name: Install Poetry dependencies | |
| run: poetry install --no-interaction | |
| - name: Check code formatting | |
| run: poetry run poe black-check | |
| unit-tests: | |
| name: Run Unit Tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| virtualenvs-create: true | |
| virtualenvs-in-project: true | |
| installer-parallel: true | |
| - name: Install Poetry dependencies | |
| run: poetry install --no-interaction | |
| - name: Run Unit Tests | |
| run: poetry run poe test-unit | |
| - name: Archive code coverage results | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: code-coverage-report | |
| path: htmlcov | |
| cdk-synth-diff: | |
| name: CDK Synth & Diff | |
| runs-on: ubuntu-latest | |
| needs: ["code-quality", "unit-tests"] | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| virtualenvs-create: true | |
| virtualenvs-in-project: true | |
| installer-parallel: true | |
| - name: Install Poetry dependencies | |
| run: poetry install --no-interaction | |
| - name: Set up NodeJs | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "20" | |
| - name: Install CDK | |
| run: npm install -g aws-cdk | |
| # Same task with different secrets depending on the branch ref (dev vs prod deployments) | |
| # Note: there might be better alternatives, but this is a way to deploy to both envs | |
| - name: Configure AWS Credentials (DEV) | |
| if: github.ref != 'refs/heads/main' | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_DEFAULT_REGION }} | |
| role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ secrets.DEV_AWS_DEPLOY_ROLE }} | |
| role-session-name: GitHubActionsCICD | |
| - name: Configure AWS Credentials (PROD) | |
| if: github.ref == 'refs/heads/main' | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_DEFAULT_REGION }} | |
| role-to-assume: arn:aws:iam::${{ secrets.PROD_AWS_ACCOUNT_ID }}:role/${{ secrets.PROD_AWS_DEPLOY_ROLE }} | |
| role-session-name: GitHubActionsCICD | |
| # Not 100% optimal, but does the work for setting deployment environments from branch | |
| - name: Setup Deployment Environment from Branch | |
| run: | | |
| # To update the deployment environment based on the git branch | |
| if [[ $GITHUB_REF == 'refs/heads/main' ]]; then | |
| echo "DEPLOYMENT_ENVIRONMENT=prod" >> "$GITHUB_ENV" | |
| echo "Deployment environment is PROD" | |
| else | |
| echo "DEPLOYMENT_ENVIRONMENT=dev" >> "$GITHUB_ENV" | |
| echo "Deployment environment is DEV" | |
| fi | |
| - name: CDK Synth | |
| run: | | |
| source .venv/bin/activate | |
| cdk synth | |
| - name: CDK Diff | |
| run: | | |
| source .venv/bin/activate | |
| cdk diff | |
| - name: Archive CDK Synth results (no assets) | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: cdk-synth-folder | |
| path: | | |
| ./cdk.out | |
| !./cdk.out/asset.* | |
| retention-days: 1 | |
| iac-checkov: | |
| name: IaC Checkov Validations | |
| runs-on: ubuntu-latest | |
| needs: cdk-synth-diff | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Dowload CDK Synth results | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk-synth-folder | |
| path: ./cdk-synth-output-folder | |
| - name: Display files in the output folder | |
| run: tree | |
| working-directory: ./cdk-synth-output-folder | |
| - name: Run Checkov action | |
| id: checkov | |
| uses: bridgecrewio/checkov-action@v12 | |
| with: | |
| directory: cdk-synth-output-folder/ | |
| framework: cloudformation | |
| soft_fail: true # optional: do not return an error code if there are failed checks | |
| skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list | |
| quiet: true # optional: display only failed checks | |
| cdk-deploy: | |
| name: CDK Deploy | |
| runs-on: ubuntu-latest | |
| needs: "cdk-synth-diff" | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| virtualenvs-create: true | |
| virtualenvs-in-project: true | |
| installer-parallel: true | |
| - name: Install Poetry dependencies | |
| run: poetry install --no-interaction | |
| - name: Set up NodeJs | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: "20" | |
| - name: Install CDK | |
| run: npm install -g aws-cdk | |
| # Same task with different secrets depending on the branch ref (dev vs prod deployments) | |
| # Note: there might be better alternatives, but this is a way to deploy to both envs | |
| - name: Configure AWS Credentials (DEV) | |
| if: github.ref != 'refs/heads/main' | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_DEFAULT_REGION }} | |
| role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/${{ secrets.DEV_AWS_DEPLOY_ROLE }} | |
| role-session-name: GitHubActionsCICD | |
| - name: Configure AWS Credentials (PROD) | |
| if: github.ref == 'refs/heads/main' | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_DEFAULT_REGION }} | |
| role-to-assume: arn:aws:iam::${{ secrets.PROD_AWS_ACCOUNT_ID }}:role/${{ secrets.PROD_AWS_DEPLOY_ROLE }} | |
| role-session-name: GitHubActionsCICD | |
| # Not 100% optimal, but does the work for setting deployment environments from branch | |
| - name: Setup Deployment Environment from Branch | |
| run: | | |
| # To update the deployment environment based on the git branch | |
| if [[ $GITHUB_REF == 'refs/heads/main' ]]; then | |
| echo "DEPLOYMENT_ENVIRONMENT=prod" >> "$GITHUB_ENV" | |
| echo "Deployment environment is PROD" | |
| else | |
| echo "DEPLOYMENT_ENVIRONMENT=dev" >> "$GITHUB_ENV" | |
| echo "Deployment environment is DEV" | |
| fi | |
| - name: CDK Deploy | |
| run: | | |
| source .venv/bin/activate | |
| cdk deploy --require-approval never |