🔄 synced local '.github/workflows/' with remote 'next/staging/deploym…

…ent-workflows/'

.github/workflows/deploy-staging-api.yml

@@ -1,8 +1,10 @@
 ### !!!
 # This file is automatically generated using Terraform.
-# Do not update it manually. If changes need to be made,
-# please request help from a maintainer to generate the
-# updated version.
+# Do not update it manually. Changes must be made to
+# `next/modules/generic/service/deploy_workflow.yml` in
+# the `WordPress/openverse-infrastructure` repository.
+# If changes need to be made, please request help from
+# a maintainer to generate the updated version.
 ### !!!
 
 name: "Deployment: staging-api"
@@ -14,28 +16,15 @@ on:
         type: string
         required: true
         description: Image tag to deploy.
-  workflow_call:
-    inputs:
-      tag:
+      # When the workflow is called by the CI + CD pipeline, the actor appears
+      # as "github-actions[bot]". In those circumstances, this input, if
+      # provided must be the GitHub handle of the actual actor. When triggering
+      # this workflow manually, please leave this empty and it will fallback to
+      # the right actor.
+      actor:
         type: string
-        required: true
-        description: Image tag to deploy.
-    secrets:
-      ACCESS_TOKEN:
-        required: true
-        description: GitHub access token.
-      AWS_ACCESS_KEY_ID:
-        required: true
-        description: AWS access key ID.
-      AWS_SECRET_ACCESS_KEY:
-        required: true
-        description: AWS secret access key.
-      SLACK_WEBHOOK_URL:
-        required: true
-        description: Slack webhook URL.
-      GH_SLACK_USERNAME_MAP:
-        required: true
-        description: JSON mapping of GitHub usernames to Slack user IDs.
+        default: ""
+        description: The actual GitHub user that triggered this dispatch. Leave blank to use workflow dispatcher.
 
 # Only allow a single deployment workflow (service + environment) to happen at a time
 # If you need to stop an in-progress deployment of a service to force another for
@@ -60,7 +49,7 @@ jobs:
               org: 'WordPress',
               team_slug: 'openverse-maintainers',
             });
-            const isAllowed = members.some(m => m.login === "${{ github.actor }}")
+            const isAllowed = "${{ github.actor }}" === "github-actions[bot]" || members.some(m => m.login === "${{ github.actor }}")
             if (!isAllowed) {
               throw new Error(
                 "Only GitHub users in the @WordPress/openverse-maintainers "
@@ -77,7 +66,7 @@ jobs:
           import json
           import os
           mapping = json.loads('${{ env.GH_SLACK_USERNAME_MAP }}')
-          github_user = "${{ github.actor }}"
+          github_user = "${{ inputs.actor || github.actor }}"
           slack_id = mapping[github_user]
           with open(os.getenv('GITHUB_ENV'), "a") as env_file:
               env_file.write(f"SLACK_USER_ID={slack_id}")

.github/workflows/deploy-staging-nuxt.yml

@@ -1,8 +1,10 @@
 ### !!!
 # This file is automatically generated using Terraform.
-# Do not update it manually. If changes need to be made,
-# please request help from a maintainer to generate the
-# updated version.
+# Do not update it manually. Changes must be made to
+# `next/modules/generic/service/deploy_workflow.yml` in
+# the `WordPress/openverse-infrastructure` repository.
+# If changes need to be made, please request help from
+# a maintainer to generate the updated version.
 ### !!!
 
 name: "Deployment: staging-nuxt"
@@ -14,28 +16,15 @@ on:
         type: string
         required: true
         description: Image tag to deploy.
-  workflow_call:
-    inputs:
-      tag:
+      # When the workflow is called by the CI + CD pipeline, the actor appears
+      # as "github-actions[bot]". In those circumstances, this input, if
+      # provided must be the GitHub handle of the actual actor. When triggering
+      # this workflow manually, please leave this empty and it will fallback to
+      # the right actor.
+      actor:
         type: string
-        required: true
-        description: Image tag to deploy.
-    secrets:
-      ACCESS_TOKEN:
-        required: true
-        description: GitHub access token.
-      AWS_ACCESS_KEY_ID:
-        required: true
-        description: AWS access key ID.
-      AWS_SECRET_ACCESS_KEY:
-        required: true
-        description: AWS secret access key.
-      SLACK_WEBHOOK_URL:
-        required: true
-        description: Slack webhook URL.
-      GH_SLACK_USERNAME_MAP:
-        required: true
-        description: JSON mapping of GitHub usernames to Slack user IDs.
+        default: ""
+        description: The actual GitHub user that triggered this dispatch. Leave blank to use workflow dispatcher.
 
 # Only allow a single deployment workflow (service + environment) to happen at a time
 # If you need to stop an in-progress deployment of a service to force another for
@@ -60,7 +49,7 @@ jobs:
               org: 'WordPress',
               team_slug: 'openverse-maintainers',
             });
-            const isAllowed = members.some(m => m.login === "${{ github.actor }}")
+            const isAllowed = "${{ github.actor }}" === "github-actions[bot]" || members.some(m => m.login === "${{ github.actor }}")
             if (!isAllowed) {
               throw new Error(
                 "Only GitHub users in the @WordPress/openverse-maintainers "
@@ -77,7 +66,7 @@ jobs:
           import json
           import os
           mapping = json.loads('${{ env.GH_SLACK_USERNAME_MAP }}')
-          github_user = "${{ github.actor }}"
+          github_user = "${{ inputs.actor || github.actor }}"
           slack_id = mapping[github_user]
           with open(os.getenv('GITHUB_ENV'), "a") as env_file:
               env_file.write(f"SLACK_USER_ID={slack_id}")