diff --git a/.github/workflows/build-and-deploy-dev.yml b/.github/workflows/build-and-deploy-dev.yml index f80d171b6..6d4e869ce 100644 --- a/.github/workflows/build-and-deploy-dev.yml +++ b/.github/workflows/build-and-deploy-dev.yml @@ -12,8 +12,10 @@ on: # There are secrets and environment variables that need to be set that control what is pushed to # ghcr and Azure. # +# Org Secrets: +# AZURE_CREDENTIALS: service principal that has access to the Azure apps +# # Secrets: -# AZURE_CREDENTIALS: service principal that has access to the Azure WebApp # AZURE_WEBAPP_PUBLISH_PROFILE_DEV: publish profile for the Azure WebApp NOTE: The name of the secret changes. For dev, it ends in `_DEV`. Production does not have an extension. # # Environment Variables: @@ -36,6 +38,18 @@ jobs: name: Build and Deploy runs-on: ubuntu-latest steps: + # need to verify required secrets are set + - name: Check secrets + run: | + if [[ -z "${{ secrets.AZURE_CREDENTIALS }}" ]]; then + echo "AZURE_CREDENTIALS is not set" + exit 1 + fi + if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}" ]]; then + echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD is not set" + exit 1 + fi + - uses: actions/checkout@v4 - name: Log into ghcr registry @@ -64,6 +78,16 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} + # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_DEV isn't set, but should fail. + # Added secret check above to ensure it is set. + - name: Deploy to Azure WebApp + uses: azure/webapps-deploy@v3.0.1 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }} + images: '${{ env.DOCKER_IMAGE_NAME }}:${{ env.DEPLOY_DOCKER_TAG }}' + + # set configs after deploy in case the deploy fails - name: Set DOCKER configs in Azure web app uses: azure/appservice-settings@v1.1.1 with: 
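Review bot: The retained context line `# AZURE_WEBAPP_PUBLISH_PROFILE_DEV: ... NOTE: ... Production does not have an extension.` is now contradicted by the production workflow in this same change, which reads `secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD` and `secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU`. Suggest rewording that note to `# NOTE: The secret name changes per environment: dev ends in _DEV, production in _PROD (and _PROD_EU for the EU app).` so the header does not send someone provisioning secrets to the wrong names. The new `Org Secrets` entry would also benefit from saying explicitly that `AZURE_CREDENTIALS` is now one credential shared by dev and prod, since that is a scope change from the removed per-WebApp description.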
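Review bot: The new `Check secrets` step interpolates `${{ secrets.AZURE_CREDENTIALS }}` and `${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}` directly into the shell script, so the secret text becomes shell syntax; if `AZURE_CREDENTIALS` holds the usual JSON service-principal blob and the publish profile is the usual XML, both contain double quotes and the `[[ -z "..." ]]` test breaks (bash reports a conditional-operator error) even though the secrets are set. The second branch also prints `AZURE_WEBAPP_PUBLISH_PROFILE_PROD is not set` while checking `_DEV`, which will mislead whoever debugs a failed dev run. Pass the secrets through `env:` and reference them as shell variables, which is also the pattern GitHub recommends for keeping secrets out of the generated script.

```yaml
      - name: Check secrets
        env:
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          AZURE_WEBAPP_PUBLISH_PROFILE_DEV: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}
        run: |
          if [[ -z "$AZURE_CREDENTIALS" ]]; then
            echo "AZURE_CREDENTIALS is not set"
            exit 1
          fi
          if [[ -z "$AZURE_WEBAPP_PUBLISH_PROFILE_DEV" ]]; then
            echo "AZURE_WEBAPP_PUBLISH_PROFILE_DEV is not set"
            exit 1
          fi
```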
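Review bot: The relocated `Deploy to Azure WebApp` step runs a third-party action from a mutable tag (`azure/webapps-deploy@v3.0.1`) and deploys a mutable image tag (`${{ env.DOCKER_IMAGE_NAME }}:${{ env.DEPLOY_DOCKER_TAG }}`), so neither the action nor the artifact is pinned to content. For a step that holds a publish profile, pin the action to a full commit SHA with the version kept in a trailing comment, `uses: azure/webapps-deploy@<40-char commit sha> # v3.0.1`; the same applies to `azure/login` and `azure/appservice-settings` in the surrounding context. If the build step that pushes the image (outside this hunk) exposes a digest output, prefer an `images:` value of the form `name@sha256:…` so what is deployed is exactly what was just built. The step now precedes `Set DOCKER configs in Azure web app`; if those settings include registry credentials the app needs in order to pull the image, confirm the deploy does not depend on them already being applied.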
@@ -86,10 +110,3 @@ jobs: "slotSetting": false } ] - - - name: Deploy to Azure WebApp - uses: azure/webapps-deploy@v3.0.0 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }} - images: '${{ env.DOCKER_IMAGE_NAME }}:${{ env.DEPLOY_DOCKER_TAG }}' diff --git a/.github/workflows/build_and_deploy_prod.yml b/.github/workflows/build_and_deploy_prod.yml index c4469dff3..6257c0ef6 100644 --- a/.github/workflows/build_and_deploy_prod.yml +++ b/.github/workflows/build_and_deploy_prod.yml @@ -12,10 +12,14 @@ on: # There are secrets and environment variables that need to be set that control what is pushed to # ghcr and Azure. # +# Org Secrets: +# DEPLOY_TOKEN: token with permissions needed to determine if github.actor can deploy to production +# PRODUCTION_DEPLOYERS: name of team identifying users that can deploy to production +# AZURE_CREDENTIALS: service principal that has access to the Azure apps +# # Secrets: -# AZURE_CREDENTIALS_PROD: service principal that has access to the Azure prod WebApp -# AZURE_WEBAPP_PUBLISH_PROFILE: publish profile for the Azure WebApp -# AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the Azure WebApp in Europe +# AZURE_WEBAPP_PUBLISH_PROFILE: publish profile for the service production Azure WebApp +# AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the service production Azure WebApp in Europe # # Environment Variables: # APPLICATION_TYPE: type of application that is being deployed; used to add a label to the Docker image (values: api | web | worker) 
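Review bot: The rewritten `Secrets:` comment lists `AZURE_WEBAPP_PUBLISH_PROFILE` and `AZURE_WEBAPP_PUBLISH_PROFILE_EU`, but the steps in this workflow reference `secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD` and `secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU`, so anyone provisioning the repository from this header will create the wrong secret names and the new check step will fail. Suggest `# AZURE_WEBAPP_PUBLISH_PROFILE_PROD: publish profile for the production Azure WebApp` and `# AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU: publish profile for the production Azure WebApp in Europe`. The `DEPLOY_TOKEN` entry should also state the minimum scope the token needs (presumably read access to organization team membership), since it is the credential behind the production authorization gate and the comment is where that least-privilege expectation will be looked up.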
@@ -38,6 +42,34 @@ jobs: name: Build and Deploy runs-on: ubuntu-latest steps: + # verify required secrets are set + - name: Check secrets + run: | + if [[ -z "${{ secrets.AZURE_CREDENTIALS }}" ]]; then + echo "AZURE_CREDENTIALS is not set" + exit 1 + fi + if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}" ]]; then + echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD is not set" + exit 1 + fi + if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}" ]]; then + echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU is not set" + exit 1 + fi + if [[ -z "${{ secrets.PRODUCTION_DEPLOYERS }}" ]]; then + echo "PRODUCTION_DEPLOYERS is not set" + exit 1 + fi + if [[ -z "${{ secrets.DEPLOY_TOKEN }}" ]]; then + echo "DEPLOY_TOKEN is not set" + exit 1 + fi + + - name: Check if deployable + uses: clearlydefined/operations/.github/workflows/deployable.yml@main + secrets: inherit + - name: Get version id: package run: | @@ -75,8 +107,18 @@ jobs: - name: Login for Azure cli commands uses: azure/login@v2.0.0 with: - creds: ${{ secrets.AZURE_CREDENTIALS_PROD }} + creds: ${{ secrets.AZURE_CREDENTIALS }} + # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD isn't set, but should fail. + # Added secret check above to ensure it is set. + - name: Deploy to Azure WebApp + uses: azure/webapps-deploy@v3.0.1 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }} + images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}' + + # set configs after deploy in case the deploy fails - name: Set DOCKER configs in Azure web app uses: azure/appservice-settings@v1.1.1 with: 
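Review bot: The `Check if deployable` step uses `uses: clearlydefined/operations/.github/workflows/deployable.yml@main` with `secrets: inherit` at step level, but as far as I can tell a reusable workflow can only be called from `jobs.<id>.uses`, not from a step, and `secrets:` is not a step key; as written the runner will look for an action.yml at that path and the job should fail before the production gate ever evaluates `github.actor`. Because this job is the authorization check for production, it should also not be pinned to a branch (`@main` lets anyone who can push to that repository change who may deploy) and should receive only the secrets it needs rather than inheriting the Azure credentials and publish profiles. Moving the gate into its own job and adding `needs:` on the build/deploy job (whose id is outside this hunk) keeps the deploy from starting until the check passes. The `Check secrets` step has the same quoting problem as the dev workflow: secrets should be passed via `env:` and tested as `$VAR`, not interpolated with `${{ secrets.* }}` into the script.

```yaml
jobs:
  check-deployable:
    # pin to a commit SHA, not a branch: this job decides who may deploy to production
    uses: clearlydefined/operations/.github/workflows/deployable.yml@<40-char commit sha> # main
    secrets:
      # pass only what deployable.yml declares; match the names in its `secrets:` block
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
      PRODUCTION_DEPLOYERS: ${{ secrets.PRODUCTION_DEPLOYERS }}

  # … unchanged: existing build/deploy job, with `needs: check-deployable` added …
```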
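Review bot: Changing `creds: ${{ secrets.AZURE_CREDENTIALS_PROD }}` to the org-wide `creds: ${{ secrets.AZURE_CREDENTIALS }}` means one service principal now deploys both dev and production, and any repository granted the org secret can act on the production apps; the blast radius of a leaked dev run or a compromised sibling repository now includes prod. If a single principal is the goal, at least restrict the org secret to this repository and scope the principal's role assignment to the two production apps; better is OIDC federated credentials per environment (`azure/login` with `client-id`/`tenant-id`/`subscription-id` plus `permissions: id-token: write`), which removes the long-lived client secret entirely. The hunk's login step comes from a job whose start is outside this hunk, so I cannot see whether `environment: production` protection rules are already applied; if not, they would be the natural place to bind a prod-only federated credential.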
@@ -104,14 +146,17 @@ jobs: "slotSetting": false } ] - - - name: Deploy to Azure WebApp - uses: azure/webapps-deploy@v3.0.0 + + # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU isn't set, but should fail. + # Added secret check to ensure it is set. + - name: Deploy to Azure EU WebApp + uses: azure/webapps-deploy@v3.0.1 with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }} + app-name: ${{ env.AZURE_EU_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }} images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}' + # set configs after deploy in case the deploy fails - name: Set DOCKER configs in Azure EU web app uses: azure/appservice-settings@v1.1.1 with: @@ -139,10 +184,4 @@ jobs: "slotSetting": false } ] - - - name: Deploy to Azure EU WebApp - uses: azure/webapps-deploy@v3.0.0 - with: - app-name: ${{ env.AZURE_EU_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }} - images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}' + \ No newline at end of file
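Review bot: The relocated `Deploy to Azure EU WebApp` step still passes `publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}`, a long-lived basic-auth credential for the app's SCM site, even though the job has already authenticated with `azure/login` a few steps earlier. The comment `v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU isn't set, but should fail` is presumably that fallback at work: with no publish profile the action deploys using the `azure/login` session instead, which is the documented alternative rather than a silent no-op. If the service principal holds the needed role on the EU app, dropping `publish-profile` (and the matching `Check secrets` branch) removes one standing credential per region and makes the behaviour the comment found surprising the intended path; if the publish profile is kept deliberately, say why in the comment so the next reader does not remove it. The trailing `+ ` line before `\ No newline at end of file` adds a whitespace-only last line and should be dropped.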