diff --git a/.github/workflows/deploy-production-api.yml b/.github/workflows/deploy-production-api.yml index b404013c8e1..65263a12733 100644 --- a/.github/workflows/deploy-production-api.yml +++ b/.github/workflows/deploy-production-api.yml @@ -1,8 +1,10 @@ ### !!! # This file is automatically generated using Terraform. -# Do not update it manually. If changes need to be made, -# please request help from a maintainer to generate the -# updated version. +# Do not update it manually. Changes must be made to +# `next/modules/generic/service/deploy_workflow.yml` in +# the `WordPress/openverse-infrastructure` repository. +# If changes need to be made, please request help from +# a maintainer to generate the updated version. ### !!! name: "Deployment: production-api" @@ -14,28 +16,15 @@ on: type: string required: true description: Image tag to deploy. - workflow_call: - inputs: - tag: + # When the workflow is called by the CI + CD pipeline, the actor appears + # as "github-actions[bot]". In those circumstances, this input, if + # provided must be the GitHub handle of the actual actor. When triggering + # this workflow manually, please leave this empty and it will fallback to + # the right actor. + actor: type: string - required: true - description: Image tag to deploy. - secrets: - ACCESS_TOKEN: - required: true - description: GitHub access token. - AWS_ACCESS_KEY_ID: - required: true - description: AWS access key ID. - AWS_SECRET_ACCESS_KEY: - required: true - description: AWS secret access key. - SLACK_WEBHOOK_URL: - required: true - description: Slack webhook URL. - GH_SLACK_USERNAME_MAP: - required: true - description: JSON mapping of GitHub usernames to Slack user IDs. + default: "" + description: The actual GitHub user that triggered this dispatch. Leave blank to use workflow dispatcher. # Only allow a single deployment workflow (service + environment) to happen at a time # If you need to stop an in-progress deployment of a service to force another for 
@@ -60,7 +49,7 @@ jobs: org: 'WordPress', team_slug: 'openverse-maintainers', }); - const isAllowed = members.some(m => m.login === "${{ github.actor }}") + const isAllowed = "${{ github.actor }}" === "github-actions[bot]" || members.some(m => m.login === "${{ github.actor }}") if (!isAllowed) { throw new Error( "Only GitHub users in the @WordPress/openverse-maintainers " @@ -77,7 +66,7 @@ jobs: import json import os mapping = json.loads('${{ env.GH_SLACK_USERNAME_MAP }}') - github_user = "${{ github.actor }}" + github_user = "${{ inputs.actor || github.actor }}" slack_id = mapping[github_user] with open(os.getenv('GITHUB_ENV'), "a") as env_file: env_file.write(f"SLACK_USER_ID={slack_id}") diff --git a/.github/workflows/deploy-production-nuxt.yml b/.github/workflows/deploy-production-nuxt.yml index a535bbd4c5a..3c8862f834b 100644 --- a/.github/workflows/deploy-production-nuxt.yml +++ b/.github/workflows/deploy-production-nuxt.yml @@ -1,8 +1,10 @@ ### !!! # This file is automatically generated using Terraform. -# Do not update it manually. If changes need to be made, -# please request help from a maintainer to generate the -# updated version. +# Do not update it manually. Changes must be made to +# `next/modules/generic/service/deploy_workflow.yml` in +# the `WordPress/openverse-infrastructure` repository. +# If changes need to be made, please request help from +# a maintainer to generate the updated version. ### !!! name: "Deployment: production-nuxt" 
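Review bot: The added `"${{ github.actor }}" === "github-actions[bot]" ||` clause lets any run dispatched with the repository's Actions token skip the team check, and the new `actor` input is never compared against `members`, so for pipeline-triggered deploys this gate checks no one. When the run actor is the bot, the check could test the supplied handle instead: `const login = runActor === "github-actions[bot]" ? inputActor : runActor;` and `const isAllowed = members.some(m => m.login === login)`, with `runActor`/`inputActor` (names constructed here) read from the step's environment rather than interpolated. That handle is still self-asserted by the caller, so a comment stating which workflow is trusted to dispatch would also help. The same line is added in the production-nuxt, staging-api and staging-nuxt workflows; the files are generated, so the fix belongs in the template their header names. The script starts and ends outside the hunk.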
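Review bot: `github_user = "${{ inputs.actor || github.actor }}"` expands a free-text dispatch input into the Python source before it runs, so a value containing a quote or newline alters the script instead of being treated as data; `github.actor` on its own was constrained by GitHub's login rules. Passing the value through the environment avoids that: add an `env:` entry on the step such as `ACTOR: ${{ inputs.actor || github.actor }}` (name constructed here) and read it with `github_user = os.environ["ACTOR"]`. When the pipeline dispatches without `actor`, the lookup key becomes `github-actions[bot]`, which presumably is not in the map and would make `mapping[github_user]` raise KeyError. The identical change appears in the other three deploy workflows, and the step begins outside the hunk.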
@@ -14,28 +16,15 @@ on: type: string required: true description: Image tag to deploy. - workflow_call: - inputs: - tag: + # When the workflow is called by the CI + CD pipeline, the actor appears + # as "github-actions[bot]". In those circumstances, this input, if + # provided must be the GitHub handle of the actual actor. When triggering + # this workflow manually, please leave this empty and it will fallback to + # the right actor. + actor: type: string - required: true - description: Image tag to deploy. - secrets: - ACCESS_TOKEN: - required: true - description: GitHub access token. - AWS_ACCESS_KEY_ID: - required: true - description: AWS access key ID. - AWS_SECRET_ACCESS_KEY: - required: true - description: AWS secret access key. - SLACK_WEBHOOK_URL: - required: true - description: Slack webhook URL. - GH_SLACK_USERNAME_MAP: - required: true - description: JSON mapping of GitHub usernames to Slack user IDs. + default: "" + description: The actual GitHub user that triggered this dispatch. Leave blank to use workflow dispatcher. # Only allow a single deployment workflow (service + environment) to happen at a time # If you need to stop an in-progress deployment of a service to force another for @@ -60,7 +49,7 @@ jobs: org: 'WordPress', team_slug: 'openverse-maintainers', }); - const isAllowed = members.some(m => m.login === "${{ github.actor }}") + const isAllowed = "${{ github.actor }}" === "github-actions[bot]" || members.some(m => m.login === "${{ github.actor }}") if (!isAllowed) { throw new Error( "Only GitHub users in the @WordPress/openverse-maintainers " @@ -77,7 +66,7 @@ jobs: import json import os mapping = json.loads('${{ env.GH_SLACK_USERNAME_MAP }}') - github_user = "${{ github.actor }}" + github_user = "${{ inputs.actor || github.actor }}" slack_id = mapping[github_user] with open(os.getenv('GITHUB_ENV'), "a") as env_file: env_file.write(f"SLACK_USER_ID={slack_id}") 
diff --git a/.github/workflows/deploy-staging-api.yml b/.github/workflows/deploy-staging-api.yml index d00297faad1..39f1fe0566e 100644 --- a/.github/workflows/deploy-staging-api.yml +++ b/.github/workflows/deploy-staging-api.yml @@ -1,8 +1,10 @@ ### !!! # This file is automatically generated using Terraform. -# Do not update it manually. If changes need to be made, -# please request help from a maintainer to generate the -# updated version. +# Do not update it manually. Changes must be made to +# `next/modules/generic/service/deploy_workflow.yml` in +# the `WordPress/openverse-infrastructure` repository. +# If changes need to be made, please request help from +# a maintainer to generate the updated version. ### !!! name: "Deployment: staging-api" @@ -14,28 +16,15 @@ on: type: string required: true description: Image tag to deploy. - workflow_call: - inputs: - tag: + # When the workflow is called by the CI + CD pipeline, the actor appears + # as "github-actions[bot]". In those circumstances, this input, if + # provided must be the GitHub handle of the actual actor. When triggering + # this workflow manually, please leave this empty and it will fallback to + # the right actor. + actor: type: string - required: true - description: Image tag to deploy. - secrets: - ACCESS_TOKEN: - required: true - description: GitHub access token. - AWS_ACCESS_KEY_ID: - required: true - description: AWS access key ID. - AWS_SECRET_ACCESS_KEY: - required: true - description: AWS secret access key. - SLACK_WEBHOOK_URL: - required: true - description: Slack webhook URL. - GH_SLACK_USERNAME_MAP: - required: true - description: JSON mapping of GitHub usernames to Slack user IDs. + default: "" + description: The actual GitHub user that triggered this dispatch. Leave blank to use workflow dispatcher. # Only allow a single deployment workflow (service + environment) to happen at a time # If you need to stop an in-progress deployment of a service to force another for 
@@ -60,7 +49,7 @@ jobs: org: 'WordPress', team_slug: 'openverse-maintainers', }); - const isAllowed = members.some(m => m.login === "${{ github.actor }}") + const isAllowed = "${{ github.actor }}" === "github-actions[bot]" || members.some(m => m.login === "${{ github.actor }}") if (!isAllowed) { throw new Error( "Only GitHub users in the @WordPress/openverse-maintainers " @@ -77,7 +66,7 @@ jobs: import json import os mapping = json.loads('${{ env.GH_SLACK_USERNAME_MAP }}') - github_user = "${{ github.actor }}" + github_user = "${{ inputs.actor || github.actor }}" slack_id = mapping[github_user] with open(os.getenv('GITHUB_ENV'), "a") as env_file: env_file.write(f"SLACK_USER_ID={slack_id}") diff --git a/.github/workflows/deploy-staging-nuxt.yml b/.github/workflows/deploy-staging-nuxt.yml index 6714627cc51..2f24354dcf6 100644 --- a/.github/workflows/deploy-staging-nuxt.yml +++ b/.github/workflows/deploy-staging-nuxt.yml @@ -1,8 +1,10 @@ ### !!! # This file is automatically generated using Terraform. -# Do not update it manually. If changes need to be made, -# please request help from a maintainer to generate the -# updated version. +# Do not update it manually. Changes must be made to +# `next/modules/generic/service/deploy_workflow.yml` in +# the `WordPress/openverse-infrastructure` repository. +# If changes need to be made, please request help from +# a maintainer to generate the updated version. ### !!! name: "Deployment: staging-nuxt" 
@@ -14,28 +16,15 @@ on: type: string required: true description: Image tag to deploy. - workflow_call: - inputs: - tag: + # When the workflow is called by the CI + CD pipeline, the actor appears + # as "github-actions[bot]". In those circumstances, this input, if + # provided must be the GitHub handle of the actual actor. When triggering + # this workflow manually, please leave this empty and it will fallback to + # the right actor. + actor: type: string - required: true - description: Image tag to deploy. - secrets: - ACCESS_TOKEN: - required: true - description: GitHub access token. - AWS_ACCESS_KEY_ID: - required: true - description: AWS access key ID. - AWS_SECRET_ACCESS_KEY: - required: true - description: AWS secret access key. - SLACK_WEBHOOK_URL: - required: true - description: Slack webhook URL. - GH_SLACK_USERNAME_MAP: - required: true - description: JSON mapping of GitHub usernames to Slack user IDs. + default: "" + description: The actual GitHub user that triggered this dispatch. Leave blank to use workflow dispatcher. # Only allow a single deployment workflow (service + environment) to happen at a time # If you need to stop an in-progress deployment of a service to force another for @@ -60,7 +49,7 @@ jobs: org: 'WordPress', team_slug: 'openverse-maintainers', }); - const isAllowed = members.some(m => m.login === "${{ github.actor }}") + const isAllowed = "${{ github.actor }}" === "github-actions[bot]" || members.some(m => m.login === "${{ github.actor }}") if (!isAllowed) { throw new Error( "Only GitHub users in the @WordPress/openverse-maintainers " @@ -77,7 +66,7 @@ jobs: import json import os mapping = json.loads('${{ env.GH_SLACK_USERNAME_MAP }}') - github_user = "${{ github.actor }}" + github_user = "${{ inputs.actor || github.actor }}" slack_id = mapping[github_user] with open(os.getenv('GITHUB_ENV'), "a") as env_file: env_file.write(f"SLACK_USER_ID={slack_id}")