|
| 1 | +name: ci-deploy-ec2 |
| 2 | + |
| 3 | +on: |
| 4 | + push: |
| 5 | + branches: [ gopi-dev ] |
| 6 | + |
| 7 | +permissions: |
| 8 | + id-token: write # required for OIDC |
| 9 | + contents: read |
| 10 | + |
| 11 | +env: |
| 12 | + AWS_REGION: ${{ vars.AWS_REGION || 'us-east-1' }} |
| 13 | + ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY || 'careerforge' }} |
| 14 | + EC2_INSTANCE_ID: ${{ vars.EC2_INSTANCE_ID }} |
| 15 | + APP_PORT: "8080" |
| 16 | + SERVICE_NAME: "careerforge" |
| 17 | + |
| 18 | +jobs: |
| 19 | + build-push-deploy: |
| 20 | + runs-on: ubuntu-latest |
| 21 | + steps: |
| 22 | + - uses: actions/checkout@v4 |
| 23 | + |
| 24 | + - name: Set up JDK 21 |
| 25 | + uses: actions/setup-java@v4 |
| 26 | + with: |
| 27 | + distribution: temurin |
| 28 | + java-version: '21' |
| 29 | + cache: maven |
| 30 | + |
| 31 | + - name: Unit tests |
| 32 | + working-directory: code/backend |
| 33 | + run: mvn -B -ntp test |
| 34 | + |
| 35 | + - name: Configure AWS credentials (OIDC) |
| 36 | + uses: aws-actions/configure-aws-credentials@v4 |
| 37 | + with: |
| 38 | + role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }} |
| 39 | + aws-region: ${{ env.AWS_REGION }} |
| 40 | + |
| 41 | + - name: Ensure ECR repo exists |
| 42 | + run: | |
| 43 | + aws ecr describe-repositories --repository-names "${{ env.ECR_REPOSITORY }}" >/dev/null 2>&1 || \ |
| 44 | + aws ecr create-repository --repository-name "${{ env.ECR_REPOSITORY }}" |
| 45 | +
|
| 46 | + - name: Login to ECR |
| 47 | + id: login-ecr |
| 48 | + uses: aws-actions/amazon-ecr-login@v2 |
| 49 | + |
| 50 | + - name: Compute image tag |
| 51 | + id: vars |
| 52 | + run: | |
| 53 | + echo "image=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}" >> $GITHUB_OUTPUT |
| 54 | +
|
| 55 | + - name: Set up Docker Buildx |
| 56 | + uses: docker/setup-buildx-action@v3 |
| 57 | + |
| 58 | + - name: Build and push image |
| 59 | + uses: docker/build-push-action@v6 |
| 60 | + with: |
| 61 | + context: code/backend |
| 62 | + file: code/backend/Dockerfile |
| 63 | + push: true |
| 64 | + tags: ${{ steps.vars.outputs.image }} |
| 65 | + cache-from: type=gha |
| 66 | + cache-to: type=gha,mode=max |
| 67 | + |
| 68 | + - name: Deploy on EC2 via SSM |
| 69 | + env: |
| 70 | + IMAGE: ${{ steps.vars.outputs.image }} |
| 71 | + run: | |
| 72 | + set -euo pipefail |
| 73 | + # SSM document executes a bash script on the instance to install Docker (if needed), login to ECR, pull, and run. |
| 74 | + aws ssm send-command \ |
| 75 | + --instance-ids "$EC2_INSTANCE_ID" \ |
| 76 | + --document-name "AWS-RunShellScript" \ |
| 77 | + --comment "Deploy $SERVICE_NAME" \ |
| 78 | + --parameters 'commands=[ |
| 79 | + "set -euxo pipefail", |
| 80 | + "sudo yum -y update || sudo dnf -y update || true", |
| 81 | + "sudo yum -y install docker awscli || sudo dnf -y install docker awscli", |
| 82 | + "sudo systemctl enable --now docker", |
| 83 | + "ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)", |
| 84 | + "REGION='${AWS_REGION}'", |
| 85 | + "REGISTRY=${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com", |
| 86 | + "aws ecr get-login-password --region ${REGION} | sudo docker login --username AWS --password-stdin ${REGISTRY}", |
| 87 | + "sudo docker rm -f ${SERVICE_NAME} || true", |
| 88 | + "sudo docker pull ${IMAGE}", |
| 89 | + "sudo docker run -d --restart unless-stopped --name ${SERVICE_NAME} -p 80:${APP_PORT} ${IMAGE}", |
| 90 | + "sudo docker image prune -f || true" |
| 91 | + ]' \ |
| 92 | + --output text |
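Review bot: The `--parameters 'commands=[ … ]'` block at lines 78–91 is single-quoted, so `${AWS_REGION}`, `${IMAGE}`, `${SERVICE_NAME}` and `${APP_PORT}` are never expanded on the runner and reach the instance as literal references to variables that exist only in the job's `env:`; under the instance-side `set -euxo pipefail` the first unbound one (`REGION='${AWS_REGION}'`) aborts the script, and even without `-u` the `docker pull` would run with an empty image. The job would still go green, because `send-command` returns as soon as the command is queued and nothing waits on or checks the invocation status. A safer shape is to build the command list on the runner with `jq --arg`, so only runner-held values are substituted (the registry can be taken from `$IMAGE` instead of calling `sts get-caller-identity` on the instance), then block on `aws ssm wait command-executed` and print `get-command-invocation` so a failed deploy fails the workflow. While touching line 44, consider creating the repository with `--image-tag-mutability IMMUTABLE --image-scanning-configuration scanOnPush=true` so SHA tags cannot be re-pointed and pushed images are scanned.
```yaml
      - name: Deploy on EC2 via SSM
        env:
          IMAGE: ${{ steps.vars.outputs.image }}
        run: |
          set -euo pipefail
          REGISTRY="${IMAGE%%/*}"
          # Build the remote script on the runner so only runner-held values are substituted.
          PARAMS=$(jq -cn --arg region "$AWS_REGION" --arg registry "$REGISTRY" \
                          --arg svc "$SERVICE_NAME" --arg image "$IMAGE" --arg port "$APP_PORT" '{commands: [
            "set -euxo pipefail",
            "sudo yum -y update || sudo dnf -y update || true",
            "sudo yum -y install docker awscli || sudo dnf -y install docker awscli",
            "sudo systemctl enable --now docker",
            "aws ecr get-login-password --region \($region) | sudo docker login --username AWS --password-stdin \($registry)",
            "sudo docker rm -f \($svc) || true",
            "sudo docker pull \($image)",
            "sudo docker run -d --restart unless-stopped --name \($svc) -p 80:\($port) \($image)",
            "sudo docker image prune -f || true"
          ]}')
          CMD_ID=$(aws ssm send-command \
            --instance-ids "$EC2_INSTANCE_ID" \
            --document-name "AWS-RunShellScript" \
            --comment "Deploy $SERVICE_NAME" \
            --parameters "$PARAMS" \
            --query 'Command.CommandId' --output text)
          # The waiter exits non-zero on Failed/Cancelled/TimedOut, so a broken deploy fails this step.
          aws ssm wait command-executed --command-id "$CMD_ID" --instance-id "$EC2_INSTANCE_ID"
          aws ssm get-command-invocation --command-id "$CMD_ID" --instance-id "$EC2_INSTANCE_ID" \
            --query '[Status,StandardOutputContent]' --output text
```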