Skip to content
PROD

PROD #13

Sign in to view logs

PROD

PROD #13

Workflow file for this run

.github/workflows/release.yml at 85686fa
name: PROD
on:
release:
types: [published]
workflow_dispatch:
inputs:
containers_tag:
description: 'The tag of the containers to deploy, if not provided, it will use the test tag'
required: false
default: 'test'
type: string
concurrency:
group: prod
cancel-in-progress: false
# This concurrency group ensures that only one workflow runs at a time for the main branch.
permissions:
id-token: write # This is required for requesting the JWT
contents: write # This is required for actions/checkout
packages: write
jobs:
vars:
name: Vars
runs-on: ubuntu-24.04
outputs:
tag: ${{ steps.release.outputs.tag }}
tags: ${{ steps.release.outputs.tags }}
clean_changelog: ${{ steps.changelog.outputs.clean_changelog || '' }}
steps:
- uses: actions/checkout@v4
- name: Conventional Changelog Update
if: (github.event_name != 'release')
uses: TriPSs/conventional-changelog-action@v6
id: changelog
continue-on-error: true
with:
github-token: ${{ github.token }}
output-file: "CHANGELOG.md"
skip-version-file: "true"
skip-on-empty: "false"
skip-commit: "true"
git-push: "true"
- name: GitHub Release
id: release
shell: bash
run: |
# Determine the tag based on the event type
tag=""
version=""
if [[ "${{ github.event_name }}" == "release" ]]; then
echo "getting tag from release which was done manually in github"
# remove all spaces and new lines from the tag name and make it lowercase.
tag=$(echo "${{ github.event.release.tag_name }}" | tr -d ' \n\r\t' | tr '[:upper:]' '[:lower:]')
version=$(echo "$tag" | sed 's/^v//') # Compute version as tag without the leading 'v'
elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
echo "generating tag from workflow dispatch"
# Generate tag from current timestamp or use a default
tag=$(echo "${{ steps.changelog.outputs.tag}}" | tr -d ' \n\r\t' | tr '[:upper:]' '[:lower:]')
version="${{ steps.changelog.outputs.version}}"
else
echo "unsupported event type: ${{ github.event_name }}"
exit 1
fi
echo "tag=$tag" >> $GITHUB_OUTPUT
echo "version=$version" >> $GITHUB_OUTPUT
# Generate multiline tags output for retag-images step
tags=$(printf "prod\n%s\n%s" "$version" "$tag")
# Trim and set multiline outputs
echo "tags<<EOF" >> $GITHUB_OUTPUT
echo "$tags" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
retag-images:
name: Retag Images
needs: [vars]
runs-on: ubuntu-24.04
strategy:
matrix:
package: [backend, frontend]
steps:
- name: retag
uses: shrink/actions-docker-registry-tag@f04afd0559f66b288586792eb150f45136a927fa # v4
with:
registry: ghcr.io
repository: ${{ github.repository }}/${{ matrix.package }}
target: ${{ inputs.containers_tag || 'test' }} # this is the tag of the containers to deploy, defaults to test
tags: |
${{ needs.vars.outputs.tags }}
push-to-ecr:
name: Push Images to ECR
needs: [vars, retag-images]
runs-on: ubuntu-24.04
strategy:
matrix:
package: [backend, migrations]
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
with:
role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
role-session-name: gha-ecr-push
aws-region: ca-central-1
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Pull, tag and push image to ECR
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
GHCR_IMAGE: ghcr.io/${{ github.repository }}/${{ matrix.package }}:${{ needs.vars.outputs.tag }}
run: |
# Create ECR repository if it doesn't exist
aws ecr create-repository \
--repository-name ${{ github.repository.name }}-${{ matrix.package }}-prod \
--image-tag-mutability IMMUTABLE \
--image-scanning-configuration scanOnPush=true \
|| true
# Apply lifecycle policy separately
aws ecr put-lifecycle-policy \
--repository-name ${{ github.repository.name }}-${{ matrix.package }}-prod \
--lifecycle-policy '{"rules":[{"rulePriority":1,"description":"Keep only 5 tagged images","selection":{"tagStatus":"tagged","countType":"imageCountMoreThan","countNumber":5},"action":{"type":"expire"}},{"rulePriority":2,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"imageCountMoreThan","countNumber":1},"action":{"type":"expire"}}]}' \
|| true
# Pull image from GHCR
docker pull $GHCR_IMAGE || { echo "Error: Failed to pull image $GHCR_IMAGE"; exit 1; }
# Tag for ECR
ECR_IMAGE=$ECR_REGISTRY/${{ github.repository.name }}-${{ matrix.package }}-prod:${{ needs.vars.outputs.tag }}
docker tag $GHCR_IMAGE $ECR_IMAGE
# Push to ECR
docker push $ECR_IMAGE
resume-resources:
name: Resume Resources # This job resumes resources for the merged PR which is needed if the resources were paused.
needs: [vars]
uses: ./.github/workflows/resume-resources.yml
with:
app_env: prod
secrets: inherit
deploy:
name: Deploy Stack
needs: [vars, resume-resources, retag-images]
uses: ./.github/workflows/.deploy_stack.yml
secrets: inherit
with:
environment_name: dev # since we only have one namespace dev, update this to PROD
command: apply
tag: ${{ needs.vars.outputs.tag}} # this is the tag of the containers to deploy
app_env: prod
release:
name: Github Release
runs-on: ubuntu-24.04
needs: [vars, deploy]
if: (needs.vars.outputs.tag != '' && github.event_name != 'release')
steps:
- name: Create Release
uses: softprops/action-gh-release@v2
if: (needs.vars.outputs.tag != '')
continue-on-error: true
env:
GITHUB_TOKEN: ${{ github.token }}
with:
token: ${{ github.token }}
tag_name: ${{ needs.vars.outputs.tag }}
name: ${{ needs.vars.outputs.tag }}
body: ${{ needs.vars.outputs.clean_changelog }}
pause-resources:
name: Pause Resources # This job pauses resources for the merged PR which is needed if the resources were not paused, this is to save money, remove it after cloning.
needs: [release]
uses: ./.github/workflows/pause-resources.yml
with:
app_env: prod
secrets: inherit