reusable github workflows, fixes for permissions and dependabot issues (

#38)
khaledez · Sep 4, 2023 · 2719517 · 2719517
1 parent fa2216b
commit 2719517
Show file tree

Hide file tree

Showing 12 changed files with 734 additions and 208 deletions.
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -0,0 +1,90 @@
+name: Build and deploy
+on:
+  workflow_call:
+    inputs:
+      environment:
+        type: string
+        required: true
+      domain_name:
+        required: true
+        type: string
+      cert_domain:
+        required: true
+        type: string
+      domain_aliases:
+        type: string
+        required: false
+        default: "[]"
+      cache_ttl:
+        required: false
+        type: number
+        default: 0
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  build-deploy:
+    name: build and publish
+    runs-on: ubuntu-20.04
+    env:
+      terraform_dir: "terraform/static-website"
+    steps:
+      - uses: actions/checkout@v1
+        with:
+          fetch-depth: 1
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.5.x
+
+      - name: Terraform format check
+        run: |
+          terraform fmt -check ${{ env.terraform_dir }}
+          terraform fmt -check terraform/infrastructure
+
+      - name: setup node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18.x
+
+      - name: npm install
+        run: |
+          npm install
+        env:
+          CI: true
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          audience: sts.amazonaws.com
+          role-to-assume: arn:aws:iam::427368570714:role/net.khaledez.www-github-actions
+          aws-region: eu-west-2 # London
+
+      - name: Setup configuration
+        run: |
+          echo 'env_name=${{ inputs.environment }}' > please.env
+          echo 'domain_name=${{ inputs.domain_name }}' >> please.env
+
+      - name: Terraform init
+        run: sh ./please init
+
+      - name: Terraform Validate
+        run: |
+          pushd ${{ env.terraform_dir }}
+          terraform validate 
+          popd
+
+      - name: Terraform apply
+        run: sh ./please sync
+        env:
+          TF_VAR_cert_domain: ${{ inputs.cert_domain }}
+          TF_VAR_domain_aliases: ${{ inputs.domain_aliases }}
+          TF_VAR_cache_ttl: ${{ inputs.cache_ttl }}
+
+      - name: Build website
+        run: sh ./please build
+
+      - name: Deploy website
+        run: sh ./please deploy
diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml
@@ -8,22 +8,22 @@ jobs:
     name: delete created website
     runs-on: ubuntu-20.04
     env:
-      domain_name: ${{ format('pr-{0}.dev.khaledez.net', github.event.pull_request.number) }}
-      cert_domain: "*.dev.khaledez.net"
+      domain_name: ${{ format('pr-{0}.preview.khaledez.net', github.event.pull_request.number) }}
+      cert_domain: "*.preview.khaledez.net"
     steps:
       - uses: actions/checkout@v1
         with:
           fetch-depth: 1
 
-      - uses: aws-actions/configure-aws-credentials@v1
+      - uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          audience: sts.amazonaws.com
+          role-to-assume: arn:aws:iam::427368570714:role/net.khaledez.www-github-actions
           aws-region: eu-west-2 # London
 
-      - uses: hashicorp/setup-terraform@v1
+      - uses: hashicorp/setup-terraform@v2
         with:
-          terraform_version: 1.1.x
+          terraform_version: 1.5.x
 
       - name: Setup configuration
         run: |

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -2,67 +2,15 @@ name: PR website
 on:
   - pull_request
 
-jobs:
-  build:
-    name: build and deploy
-    runs-on: ubuntu-20.04
-    env:
-      domain_name: ${{ format('pr-{0}.dev.khaledez.net', github.event.pull_request.number) }}
-      cert_domain: "*.dev.khaledez.net"
-      terraform_dir: "terraform/static-website"
-    steps:
-      - uses: actions/checkout@v1
-        with:
-          fetch-depth: 1
-
-      - uses: hashicorp/setup-terraform@v1
-        with:
-          terraform_version: 1.1.x
-
-      - name: Terraform Format
-        run: |
-          terraform fmt -check ${{ env.terraform_dir }}
-          terraform fmt -check terraform/infrastructure
-
-      - name: setup node
-        uses: actions/setup-node@v1
-        with:
-          node-version: 18.x
-
-      - name: npm install
-        run: |
-          npm install
-        env:
-          CI: true
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: eu-west-2 # London
-
-      - name: Setup configuration
-        run: |
-          echo 'env_name=dev' > please.env
-          echo 'domain_name=${{ env.domain_name }}' >> please.env
+concurrency: 
+  cancel-in-progress: true
+  group: ${{github.event.pull_request.number}}
 
-      - name: Terraform init
-        run: sh ./please init
-
-      - name: Terraform Validate
-        run: |
-          pushd ${{ env.terraform_dir }}
-          terraform validate 
-          popd
-
-      - name: Terraform apply
-        run: sh ./please sync
-        env:
-          TF_VAR_cert_domain: ${{ env.cert_domain }}
-
-      - name: Build website
-        run: sh ./please build
-
-      - name: Deploy website
-        run: sh ./please deploy
+jobs:
+  check-and-preview:
+    uses: ./.github/workflows/build-and-deploy.yml
+    with:
+      environment: dev
+      domain_name: ${{ format('pr-{0}.preview.khaledez.net', github.event.pull_request.number) }}
+      cert_domain: "*.preview.khaledez.net"
+
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,74 +4,12 @@ on:
     branches:
       - main
 
-permissions:
-  id-token: write
-  contents: read
-
 jobs:
   release:
-    name: build and publish
-    runs-on: ubuntu-20.04
-    env:
+    uses: ./.github/workflows/build-and-deploy.yml
+    with:
+      environment: prod
       domain_name: khaledez.net
-      aliases: '["www.khaledez.net"]'
       cert_domain: "khaledez.net"
-      terraform_dir: "terraform/static-website"
-    steps:
-      - uses: actions/checkout@v1
-        with:
-          fetch-depth: 1
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.5.x
-
-      - name: Terraform format check
-        run: |
-          terraform fmt -check ${{ env.terraform_dir }}
-          terraform fmt -check terraform/infrastructure
-
-      - name: setup node
-        uses: actions/setup-node@v1
-        with:
-          node-version: 18.x
-
-      - name: npm install
-        run: |
-          npm install
-        env:
-          CI: true
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v3
-        with:
-          audience: sts.amazonaws.com
-          role-to-assume: arn:aws:iam::427368570714:role/net.khaledez.www-github-actions
-          aws-region: eu-west-2 # London
-
-      - name: Setup configuration
-        run: |
-          echo 'env_name=prod' > please.env
-          echo 'domain_name=${{ env.domain_name }}' >> please.env
-
-      - name: Terraform init
-        run: sh ./please init
-
-      - name: Terraform Validate
-        run: |
-          pushd ${{ env.terraform_dir }}
-          terraform validate 
-          popd
-
-      - name: Terraform apply
-        run: sh ./please sync
-        env:
-          TF_VAR_cert_domain: ${{ env.cert_domain }}
-          TF_VAR_domain_aliases: ${{ env.aliases }}
-          TF_VAR_cache_ttl: 3600
-
-      - name: Build website
-        run: sh ./please build
-
-      - name: Deploy website
-        run: sh ./please deploy
+      domain_aliases: '["www.khaledez.net"]'
+      cache_ttl: 3600