From 1d0d8eefb44f54a8358d9ad0b05f632e003a9483 Mon Sep 17 00:00:00 2001
From: "E. Lynette Rayle"
Date: Wed, 10 Apr 2024 17:26:02 -0400
Subject: [PATCH] fix deploy falsely reports passing when it failed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the webapp publish profile secret is empty, webapps-deploy v3 doesn’t deploy but reports the deploy as passing. See Azure/webapps-deploy [Issue #404](https://github.com/Azure/webapps-deploy/issues/404).
Configs were set before running the deploy. This means that the config values in Azure are updated even if the deploy fails.
Also, as written, the action was runnable by anyone with write access. That is too broad for production.
To avoid these known issues:
* check that all required secrets are set before proceeding
* only update configs if the deploy passes
* call the reusable workflow that checks if the user has access to deploy
---
 .github/workflows/build-and-deploy-dev.yml | 33 +++++++---
 .github/workflows/build_and_deploy_prod.yml | 71 ++++++++++++++++-----
 2 files changed, 80 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/build-and-deploy-dev.yml b/.github/workflows/build-and-deploy-dev.yml
index f80d171b6..6d4e869ce 100644
--- a/.github/workflows/build-and-deploy-dev.yml
+++ b/.github/workflows/build-and-deploy-dev.yml
@@ -12,8 +12,10 @@ on:
 # There are secrets and environment variables that need to be set that control what is pushed to
 # ghcr and Azure.
 #
+# Org Secrets:
+# AZURE_CREDENTIALS: service principal that has access to the Azure apps
+#
+# Secrets:
-# AZURE_CREDENTIALS: service principal that has access to the Azure WebApp
 # AZURE_WEBAPP_PUBLISH_PROFILE_DEV: publish profile for the Azure WebApp NOTE: The name of the secret changes. For dev, it ends in `_DEV`. Production does not have an extension.
 #
 # Environment Variables:
@@ -36,6 +38,18 @@ jobs:
 name: Build and Deploy
 runs-on: ubuntu-latest
 steps:
+ # need to verify required secrets are set
+ - name: Check secrets
+ run: |
+ if [[ -z "${{ secrets.AZURE_CREDENTIALS }}" ]]; then
+ echo "AZURE_CREDENTIALS is not set"
+ exit 1
+ fi
+ if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}" ]]; then
+ echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD is not set"
+ exit 1
+ fi
+
 - uses: actions/checkout@v4
 
 - name: Log into ghcr registry
@@ -64,6 +78,16 @@ jobs:
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
 
+ # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_DEV isn't set, but should fail.
+ # Added secret check above to ensure it is set.
+ - name: Deploy to Azure WebApp
+ uses: azure/webapps-deploy@v3.0.1
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}
+ images: '${{ env.DOCKER_IMAGE_NAME }}:${{ env.DEPLOY_DOCKER_TAG }}'
+
+ # set configs after deploy in case the deploy fails
 - name: Set DOCKER configs in Azure web app
 uses: azure/appservice-settings@v1.1.1
 with:
@@ -86,10 +110,3 @@ jobs:
 "slotSetting": false
 }
 ]
-
- - name: Deploy to Azure WebApp
- uses: azure/webapps-deploy@v3.0.0
- with:
- app-name: ${{ env.AZURE_WEBAPP_NAME }}
- publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}
- images: '${{ env.DOCKER_IMAGE_NAME }}:${{ env.DEPLOY_DOCKER_TAG }}'
diff --git a/.github/workflows/build_and_deploy_prod.yml b/.github/workflows/build_and_deploy_prod.yml
index c4469dff3..6257c0ef6 100644
--- a/.github/workflows/build_and_deploy_prod.yml
+++ b/.github/workflows/build_and_deploy_prod.yml
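Review bot: The `Check secrets` step splices `${{ secrets.* }}` values straight into the `run:` script text, so bash parses the secret's contents as source; if a publish profile contains double quotes or other shell metacharacters (Azure publish profiles are typically XML with quoted attributes), the `[[ -z "..." ]]` test breaks and the step fails or misbehaves even when the secret is correctly set. Pass the secrets through `env:` and test the variables instead, which is also the pattern GitHub's security-hardening guidance recommends for keeping expression values out of generated script text. The second message in this step also names the wrong secret and should read `echo "AZURE_WEBAPP_PUBLISH_PROFILE_DEV is not set"`. The `Check secrets` step added to build_and_deploy_prod.yml interpolates all five of its secrets the same way and should get the same treatment.
```yaml
      - name: Check secrets
        env:
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          AZURE_WEBAPP_PUBLISH_PROFILE_DEV: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_DEV }}
        run: |
          if [[ -z "$AZURE_CREDENTIALS" ]]; then
            echo "AZURE_CREDENTIALS is not set"
            exit 1
          fi
          if [[ -z "$AZURE_WEBAPP_PUBLISH_PROFILE_DEV" ]]; then
            echo "AZURE_WEBAPP_PUBLISH_PROFILE_DEV is not set"
            exit 1
          fi
      # … unchanged: checkout and ghcr login steps …
```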
@@ -12,10 +12,14 @@ on:
 # There are secrets and environment variables that need to be set that control what is pushed to
 # ghcr and Azure.
 #
+# Org Secrets:
+# DEPLOY_TOKEN: token with permissions needed to determine if github.actor can deploy to production
+# PRODUCTION_DEPLOYERS: name of team identifying users that can deploy to production
+# AZURE_CREDENTIALS: service principal that has access to the Azure apps
+#
+# Secrets:
-# AZURE_CREDENTIALS_PROD: service principal that has access to the Azure prod WebApp
-# AZURE_WEBAPP_PUBLISH_PROFILE: publish profile for the Azure WebApp
-# AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the Azure WebApp in Europe
+# AZURE_WEBAPP_PUBLISH_PROFILE: publish profile for the service production Azure WebApp
+# AZURE_WEBAPP_PUBLISH_PROFILE_EU: publish profile for the service production Azure WebApp in Europe
 #
 # Environment Variables:
 # APPLICATION_TYPE: type of application that is being deployed; used to add a label to the Docker image (values: api | web | worker)
@@ -38,6 +42,34 @@ jobs:
 name: Build and Deploy
 runs-on: ubuntu-latest
 steps:
+ # verify required secrets are set
+ - name: Check secrets
+ run: |
+ if [[ -z "${{ secrets.AZURE_CREDENTIALS }}" ]]; then
+ echo "AZURE_CREDENTIALS is not set"
+ exit 1
+ fi
+ if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}" ]]; then
+ echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD is not set"
+ exit 1
+ fi
+ if [[ -z "${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}" ]]; then
+ echo "AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU is not set"
+ exit 1
+ fi
+ if [[ -z "${{ secrets.PRODUCTION_DEPLOYERS }}" ]]; then
+ echo "PRODUCTION_DEPLOYERS is not set"
+ exit 1
+ fi
+ if [[ -z "${{ secrets.DEPLOY_TOKEN }}" ]]; then
+ echo "DEPLOY_TOKEN is not set"
+ exit 1
+ fi
+
+ - name: Check if deployable
+ uses: clearlydefined/operations/.github/workflows/deployable.yml@main
+ secrets: inherit
+
 - name: Get version
 id: package
 run: |
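Review bot: The `Check if deployable` step invokes a reusable workflow (`clearlydefined/operations/.github/workflows/deployable.yml@main`) from inside `steps:`, but as far as I can tell reusable workflows can only be called at the job level through `jobs.<id>.uses`, and `secrets:` is likewise a job-level key, so this workflow is rejected at parse time (or the step fails to resolve an action) and the production access gate the commit message describes never actually runs. Make the call its own job and have the build-and-deploy job depend on it with `needs:`, which also guarantees nothing is built or pushed before the actor has been checked. Because this gate decides who may deploy to production, consider pinning `deployable.yml` to a tag or commit SHA rather than `@main`, so a change on that branch cannot silently change the authorization logic. The enclosing job begins outside the hunk, so its id is not visible here.
```yaml
jobs:
  check-deployable:
    uses: clearlydefined/operations/.github/workflows/deployable.yml@main
    secrets: inherit

  build-and-deploy:  # placeholder: use the existing job id
    needs: check-deployable
    name: Build and Deploy
    # … unchanged: runs-on and steps, with the step-level "Check if deployable" entry removed …
```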
@@ -75,8 +107,18 @@ jobs:
 - name: Login for Azure cli commands
 uses: azure/login@v2.0.0
 with:
- creds: ${{ secrets.AZURE_CREDENTIALS_PROD }}
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
 
+ # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD isn't set, but should fail.
+ # Added secret check above to ensure it is set.
+ - name: Deploy to Azure WebApp
+ uses: azure/webapps-deploy@v3.0.1
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
+ images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
+
+ # set configs after deploy in case the deploy fails
 - name: Set DOCKER configs in Azure web app
 uses: azure/appservice-settings@v1.1.1
 with:
@@ -104,14 +146,17 @@ jobs:
 "slotSetting": false
 }
 ]
-
- - name: Deploy to Azure WebApp
- uses: azure/webapps-deploy@v3.0.0
+
+ # v3.0.1 passes when AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU isn't set, but should fail.
+ # Added secret check to ensure it is set.
+ - name: Deploy to Azure EU WebApp
+ uses: azure/webapps-deploy@v3.0.1
 with:
- app-name: ${{ env.AZURE_WEBAPP_NAME }}
- publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD }}
+ app-name: ${{ env.AZURE_EU_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
 images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
 
+ # set configs after deploy in case the deploy fails
 - name: Set DOCKER configs in Azure EU web app
 uses: azure/appservice-settings@v1.1.1
 with:
@@ -139,10 +184,4 @@ jobs:
 "slotSetting": false
 }
 ]
-
- - name: Deploy to Azure EU WebApp
- uses: azure/webapps-deploy@v3.0.0
- with:
- app-name: ${{ env.AZURE_EU_WEBAPP_NAME }}
- publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PROD_EU }}
- images: '${{ env.DOCKER_IMAGE_NAME }}:${{ steps.package.outputs.version }}'
+
\ No newline at end of file
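Review bot: The new `Deploy to Azure WebApp` step pins `azure/webapps-deploy@v3.0.1` by version tag, and tags are mutable, so a moved or re-pushed tag changes what runs with the production publish profile and the service-principal credentials used in the `creds:` line above it. For a production deploy workflow, pin each action to its full commit SHA and keep the version in a trailing comment, e.g. `uses: azure/webapps-deploy@<full commit SHA for v3.0.1>  # v3.0.1`, and do the same for the `Deploy to Azure EU WebApp` step in the next hunk. The reordering also means a successful deploy followed by a failed settings step leaves the new image running with the previous app settings; if any value set there is something the container needs (the settings body is outside this hunk), that failure mode is worth spelling out next to `# set configs after deploy in case the deploy fails`.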