fix deploy falsely reports passing when it failed

If the webapp publish profile secret is empty, webapps-deploy v3 doesn’t deploy but reports the deploy as passing. See Azure/webapps-deploy [Issue #404](Azure/webapps-deploy#404). Configs were set before running the deploy. This means that the config values in Azure are updated even if the deploy fails. Also, as written, the action was runnable by anyone with write access. That is too broad for production. To avoid these known issues: * check that all required secrets are set before proceeding * only update configs if the deploy passes * call the reusable workflow that checks if the user has access to deploy
clearlydefined · Apr 10, 2024 · 1d0d8ee · 1d0d8ee
1 parent 8214149
commit 1d0d8ee
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 24 deletions.
diff --git a/.github/workflows/build-and-deploy-dev.yml b/.github/workflows/build-and-deploy-dev.yml
@@ -12,8 +12,10 @@ on:
 # There are secrets and environment variables that need to be set that control what is pushed to
 # ghcr and Azure.
 #
+# Org Secrets:
+#   AZURE_CREDENTIALS:          service principal that has access to the Azure apps
+#
 # Secrets:
-#   AZURE_CREDENTIALS:                service principal that has access to the Azure WebApp
 #   AZURE_WEBAPP_PUBLISH_PROFILE_DEV: publish profile for the Azure WebApp  NOTE: The name of the secret changes.  For dev, it ends in `_DEV`.  Production does not have an extension.
 #
 # Environment Variables:
@@ -36,6 +38,18 @@ jobs:
     name: Build and Deploy
     runs-on: ubuntu-latest
     steps:
+      # need to verify required secrets are set
+      - name: Check secrets
+        run: |
+          if [[ -z "${{ secrets.AZURE_CREDENTIALS }}" ]]; then
+            echo "AZURE_CREDENTIALS is not set"
+            exit 1
+          fi
+          if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}" ]]; then
+            echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD is not set"
+            exit 1
+          fi
+  
       - uses: actions/checkout@v4
 
       - name: Log into ghcr registry
@@ -64,6 +78,16 @@ jobs:
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
 
+      # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_DEV isn't set, but should fail.
+      # Added secret check above to ensure it is set.
+      - name: Deploy to Azure WebApp
+        uses: azure/[email protected]
+        with:
+          app-name: ${{ env.AZURE_WEBAPP_NAME }}
+          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}
+          images: '${{ env.DOCKER_IMAGE_NAME }}:${{ env.DEPLOY_DOCKER_TAG }}'
+
+      # set configs after deploy in case the deploy fails
       - name: Set DOCKER configs in Azure web app
         uses: azure/[email protected]
         with:
@@ -86,10 +110,3 @@ jobs:
                   "slotSetting": false
               }
             ]
-
-      - name: Deploy to Azure WebApp
-        uses: azure/[email protected]
-        with:
-          app-name: ${{ env.AZURE_WEBAPP_NAME }}
-          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}
-          images: '${{ env.DOCKER_IMAGE_NAME }}:${{ env.DEPLOY_DOCKER_TAG }}'
diff --git a/.github/workflows/build_and_deploy_prod.yml b/.github/workflows/build_and_deploy_prod.yml
@@ -12,10 +12,14 @@ on:
 # There are secrets and environment variables that need to be set that control what is pushed to
 # ghcr and Azure.
 #
+# Org Secrets:
+#   DEPLOY_TOKEN:               token with permissions needed to determine if github.actor can deploy to production
+#   PRODUCTION_DEPLOYERS:       name of team identifying users that can deploy to production
+#   AZURE_CREDENTIALS:          service principal that has access to the Azure apps
+#
 # Secrets:
-#   AZURE_CREDENTIALS_PROD:          service principal that has access to the Azure prod WebApp
-#   AZURE_WEBAPP_PUBLISH_PROFILE:    publish profile for the Azure WebApp
-#   AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the Azure WebApp in Europe
+#   AZURE_WEBAPP_PUBLISH_PROFILE:    publish profile for the service production Azure WebApp
+#   AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the service production Azure WebApp in Europe
 #
 # Environment Variables:
 #   APPLICATION_TYPE:     type of application that is being deployed; used to add a label to the Docker image (values: api | web | worker)
@@ -38,6 +42,34 @@ jobs:
     name: Build and Deploy
     runs-on: ubuntu-latest
     steps:
+      # verify required secrets are set
+      - name: Check secrets
+        run: |
+          if [[ -z "${{ secrets.AZURE_CREDENTIALS }}" ]]; then
+            echo "AZURE_CREDENTIALS is not set"
+            exit 1
+          fi
+          if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}" ]]; then
+            echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD is not set"
+            exit 1
+          fi
+          if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}" ]]; then
+            echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU is not set"
+            exit 1
+          fi
+          if [[ -z "${{ secrets.PRODUCTION_DEPLOYERS }}" ]]; then
+            echo "PRODUCTION_DEPLOYERS is not set"
+            exit 1
+          fi
+          if [[ -z "${{ secrets.DEPLOY_TOKEN }}" ]]; then
+            echo "DEPLOY_TOKEN is not set"
+            exit 1
+          fi
+  
+      - name: Check if deployable
+        uses: clearlydefined/operations/.github/workflows/deployable.yml@main
+        secrets: inherit
+
       - name: Get version
         id: package
         run: |
@@ -75,8 +107,18 @@ jobs:
       - name: Login for Azure cli commands
         uses: azure/[email protected]
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS_PROD }}
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
 
+      # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD isn't set, but should fail.
+      # Added secret check above to ensure it is set.
+      - name: Deploy to Azure WebApp
+        uses: azure/[email protected]
+        with:
+          app-name: ${{ env.AZURE_WEBAPP_NAME }}
+          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
+          images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
+
+      # set configs after deploy in case the deploy fails
       - name: Set DOCKER configs in Azure web app
         uses: azure/[email protected]
         with:
@@ -104,14 +146,17 @@ jobs:
                 "slotSetting": false
               }
             ]
-
-      - name: Deploy to Azure WebApp
-        uses: azure/[email protected]
+  
+      # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU isn't set, but should fail.
+      # Added secret check to ensure it is set.
+      - name: Deploy to Azure EU WebApp
+        uses: azure/[email protected]
         with:
-          app-name: ${{ env.AZURE_WEBAPP_NAME }}
-          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
+          app-name: ${{ env.AZURE_EU_WEBAPP_NAME }}
+          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
           images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
 
+      # set configs after deploy in case the deploy fails
       - name: Set DOCKER configs in Azure EU web app
         uses: azure/[email protected]
         with:
@@ -139,10 +184,4 @@ jobs:
                 "slotSetting": false
               }
             ]
-
-      - name: Deploy to Azure EU WebApp
-        uses: azure/[email protected]
-        with:
-          app-name: ${{ env.AZURE_EU_WEBAPP_NAME }}
-          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
-          images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
+