.github/workflows/release.yaml

name: Release

on:
  workflow_dispatch:
  push:
    branches: ['main']

jobs:
  test:
    name: Test and build node
    runs-on: ubuntu-latest
    outputs:
      environments: ${{ steps.environments.outputs.ENVIRONMENTS }}
    steps:
       - uses: actions/checkout@v3
       - name: Use Node.js 18.x
         uses: actions/setup-node@v3
         with:
           node-version: 18.x

       - name: Cache dependencies
         uses: actions/cache@v3
         with:
           path: ~/.npm
           key: npm-${{ hashFiles('package-lock.json') }}
           restore-keys: npm-

       - name: Install node packages
         run: npm ci --no-audit

       - name: Run tests
         run: npm test

       - uses: codecov/codecov-action@v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

       - id: environments
         name: Get environments list
         run: echo "ENVIRONMENTS=$(./get-environments.js)" >> $GITHUB_OUTPUT

       - id: zone_name
         name: Get Cloudflare zone name
         run: echo "CLOUDFLARE_ZONE_NAME=$(./get-cloudflare-zone-name.js)" >> $GITHUB_OUTPUT

  deploy-assets:
    name: Deploy assets to Cloudflare pages
    runs-on: ubuntu-latest
    needs: test
    outputs:
      capture-public-urls: ${{ steps.capture-public-urls.outputs }}
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js 18.x
        uses: actions/setup-node@v3
        with:
          node-version: 18.x

      - name: Cache dependencies
        uses: actions/cache@v3
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('package-lock.json') }}
          restore-keys: npm-

      - name: Install node packages
        run: npm ci --no-audit

      - name: Build public
        run: ./build-public.js

      - name: Remove .gitkeep files
        run: rm -rf public/*/.gitkeep && rm -rf public/.gitkeep && rm -rf public-urls/.gitkeep

      - name: Deploy assets to cloudflare
        run: |
          npx wrangler pages deploy public/ --project-name=${{ vars.CLOUDFLARE_ASSETS_PROJECT}} --commit-dirty=true
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }}

      - name: Purge Cloudflare Pages Cache
        uses: jakejarvis/cloudflare-purge-action@master
        env:
          CLOUDFLARE_TOKEN: ${{ secrets.CF_API_TOKEN }}
          CLOUDFLARE_ZONE: ${{ vars.CLOUDFLARE_ZONE }}

      - name: Save public urls as artifacts
        uses: actions/upload-artifact@v3
        with:
          name: public-urls
          path: public-urls

  deploy-cloudflare-worker:
    name: Deploy to AWS and Cloudflare workers
    runs-on: ubuntu-latest
    needs: test
    strategy:
      matrix:
        env: ${{fromJson(needs.test.outputs.environments)}}
    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js 18.x
        uses: actions/setup-node@v3
        with:
          node-version: 18.x

      - name: Cache dependencies
        uses: actions/cache@v3
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('package-lock.json') }}
          restore-keys: npm-

      - name: Install node packages
        run: npm ci --omit=dev --no-audit

      - name: serverless deploy
        run: npx serverless deploy --stage ${{ matrix.env }}
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}

      - name: Put AWS credentials as Cloudflare Workers vars in wrangler.toml
        run: |
          echo -e "\n[env.${{ matrix.env }}.vars]" >> wrangler.toml
          grep -v ServerlessDeploymentBucketName vars-${{ matrix.env }}.toml >> wrangler.toml
          rm vars-${{ matrix.env }}.toml

      - name: Get AWS Secret for put into wrangler
        id: aws_secret
        run: |
          PRODUCER=$(aws ssm get-parameter --name /realtime-changes-${{ matrix.env }}-producer-user/secret --output text --query Parameter.Value)
          echo "::add-mask::$PRODUCER"
          echo "PRODUCER=$PRODUCER" >> $GITHUB_OUTPUT
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}

      - name: Deploy cloudflare workers
        run: |
          echo ${{ steps.aws_secret.outputs.PRODUCER }} | npx wrangler secret put AwsSecretAccessKey --env ${{ matrix.env }}
          npx wrangler deploy  --env ${{ matrix.env }}
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }}


  put-secrets-into-infisical:
    name: Put secrets into Infisical
    needs:
      - test
      - deploy-cloudflare-worker
      - deploy-assets
    runs-on: ubuntu-latest
    strategy:
      matrix:
        env: ${{fromJson(needs.test.outputs.environments)}}
    steps:
      - name: Download public urls from artifacts
        uses: actions/download-artifact@v3
        with:
          name: public-urls
          path: public-urls

      - name: Put secrets into Infisical
        run: |
          curl --fail -s -o "$GET_VARS_SH" \
          "https://${{ github.token }}@raw.githubusercontent.com/${{ github.repository }}/${{ github.ref_name }}/$GET_VARS_SH"
          chmod +x "$GET_VARS_SH"

          VARS=$("./$GET_VARS_SH" ${{ matrix.env }})
          while IFS=  read -r LINE; do
            IFS="=" read -r NAME VALUE <<< "$LINE"
            VALUE=$(echo "$VALUE" | sed "s/^'//; s/'$//")

            echo "Put secret: $NAME - $VALUE..."

            ENDPOINT="https://app.infisical.com/api/v3/secrets/raw/$NAME"
            CURRENT_VALUE=$( \
              curl --location --silent \
              "$ENDPOINT?workspaceId=${{ vars.INFISICAL_WORKSPACE_ID}}&environment=${{ matrix.env }}&secretPath=${{ vars.INFISICAL_PATH }}" \
              --header 'Authorization: Bearer ${{ secrets.INFISICAL_TOKEN }}' | jq -r .secret.secretValue \
            )

            if [ $? -ne 0 ]; then
              echo "Failed to check does variable exists"
              exit 3
            fi
            
            if [ "$CURRENT_VALUE" == "$VALUE" ]; then
              echo "Secret $NAME already exists with value $VALUE"
              continue
          
            elif [ "$CURRENT_VALUE" == "null" ]; then
                echo "Secret $NAME not exists, create"
                METHOD=POST
            else
                echo "Secret $NAME exists, update"
                METHOD=PATCH
            fi

            curl --fail --location \
              --silent --output /dev/null \
              --write-out  "%{http_code}\n" \
              --request $METHOD \
              --url "$ENDPOINT" \
              --header 'Authorization: Bearer ${{ secrets.INFISICAL_TOKEN }}' \
              --header 'Content-Type: application/json' \
              --data-binary @- <<EOF
            {
              "workspaceId": "${{ vars.INFISICAL_WORKSPACE_ID}}",
              "environment": "${{ matrix.env }}",
              "type": "shared",
              "secretPath": "${{ vars.INFISICAL_PATH }}",
              "secretValue": "$VALUE"
            }
          EOF
            done <<< "$VARS"
        env:
          GET_VARS_SH: get-environments-vars.sh
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION }}

  dispatch-pigeon:
    runs-on: ubuntu-22.04
    needs:
      - put-secrets-into-infisical
    steps:
      - name: Pigeon App Repository Dispatch
        uses: peter-evans/repository-dispatch@v2
        with:
          token: ${{ secrets.TOKEN_TO_RUN_GITHUB_ACTION }}
          repository: kneu-messenger-pigeon/pigeon-app
          event-type: environments-updated
          client-payload: '{"initiator": "${{ github.event.repository.name }}"}'

  dispatch-browser-integration-tests:
    runs-on: ubuntu-22.04
    needs:
      - put-secrets-into-infisical
    steps:
      - name: Pigeon App Repository Dispatch
        uses: peter-evans/repository-dispatch@v2
        with:
          token: ${{ secrets.TOKEN_TO_RUN_GITHUB_ACTION }}
          repository: kneu-messenger-pigeon/realtime-capture-browser-integration-tests
          event-type: realtime-capture-deployed
          client-payload: '{"initiator": "${{ github.event.repository.name }}"}'