fix(ci): run gosec and syft inside cilock so outputs become products #23
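# Build the API image once per commit, push it to ECR, then promote it
# dev -> prod on EKS. Prod is only reachable via a manual workflow_dispatch
# with environment=prod, and only after the same image has rolled out to dev
# in the same run.
#
# NOTE(review): every `uses:` below is a mutable major-version tag. For
# supply-chain integrity pin each action to a full-length commit SHA (tag in a
# trailing comment) and let Dependabot bump them.
name: Deploy

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      environment:
        description: 'Environment to deploy to'
        required: true
        default: 'dev'
        type: choice
        options:
          - dev
          - prod

env:
  AWS_REGION: us-east-1
  ECR_REPOSITORY: dropbox-clone-api

# Least privilege for GITHUB_TOKEN: id-token is required for OIDC federation
# into AWS; nothing in this workflow writes back to the repository.
permissions:
  id-token: write
  contents: read

# Serialise deploys per ref so two pushes to main cannot interleave their
# kustomize edit / kubectl apply steps. Queued rather than cancelled so an
# in-flight rollout is never aborted half-way.
concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false

jobs:
  build-and-push:
    name: Build and Push
    runs-on: ubuntu-latest
    outputs:
      # The single immutable tag the deploy jobs roll out: the full commit SHA,
      # which is exactly what `type=sha,format=long` below pushes.
      image_tag: ${{ github.sha }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ACTIONS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}
          # format=long makes the sha tag the full 40-char commit SHA. Without
          # it metadata-action pushes the 7-char short SHA, and the deploy jobs
          # (which tag with github.sha) would reference an image that was never
          # pushed.
          tags: |
            type=sha,prefix=,format=long
            type=ref,event=branch
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64

  deploy-dev:
    name: Deploy to Dev
    runs-on: ubuntu-latest
    needs: build-and-push
    # Runs for every main build, including a workflow_dispatch that targets
    # prod: deploy-prod `needs` this job, and GitHub skips a job whenever a job
    # it needs was skipped, so dev must run for prod to be reachable at all.
    if: github.ref == 'refs/heads/main'
    environment:
      name: dev
      url: https://dev.dropbox-clone.example.com
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ACTIONS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Update kubeconfig
        run: |
          aws eks update-kubeconfig --name dropbox-clone-dev --region ${{ env.AWS_REGION }}

      - name: Deploy to EKS
        # Values reach the script through env rather than being interpolated
        # into it, so the shell never parses an expression's expansion as code.
        env:
          IMAGE: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}
          IMAGE_TAG: ${{ needs.build-and-push.outputs.image_tag }}
        run: |
          cd k8s/overlays/dev
          # `name:tag` form — assumes the base manifests reference the image by
          # this full ECR name; TODO confirm against k8s/base.
          kustomize edit set image "${IMAGE}:${IMAGE_TAG}"
          kubectl apply -k .
          kubectl rollout status deployment/dropbox-clone-api -n dropbox-clone --timeout=300s

      - name: Verify deployment
        run: |
          kubectl get pods -n dropbox-clone -l app.kubernetes.io/name=dropbox-clone-api
          kubectl get svc -n dropbox-clone

  deploy-prod:
    name: Deploy to Prod
    runs-on: ubuntu-latest
    # Gate: the same image must already have rolled out to dev in this run.
    needs: [build-and-push, deploy-dev]
    # Manual only, and explicitly main-only so a dispatch from another branch
    # can never reach prod even if the dev gate is relaxed later.
    if: github.ref == 'refs/heads/main' && github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'prod'
    # NOTE(review): add required reviewers to the `prod` environment so this
    # job pauses for approval; the workflow alone does not enforce a human gate.
    environment:
      name: prod
      url: https://dropbox-clone.example.com
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # NOTE(review): dev and prod assume the same role. Prefer a prod-only
          # role whose OIDC trust policy restricts the `sub` claim to this
          # repository's `prod` environment.
          role-to-assume: ${{ secrets.AWS_GITHUB_ACTIONS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Update kubeconfig
        run: |
          aws eks update-kubeconfig --name dropbox-clone-prod --region ${{ env.AWS_REGION }}

      - name: Deploy to EKS
        # Same env-passing pattern as dev; the tag is the one built and already
        # rolled out to dev in this run, never recomputed here.
        env:
          IMAGE: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}
          IMAGE_TAG: ${{ needs.build-and-push.outputs.image_tag }}
        run: |
          cd k8s/overlays/prod
          # `name:tag` form — assumes the base manifests reference the image by
          # this full ECR name; TODO confirm against k8s/base.
          kustomize edit set image "${IMAGE}:${IMAGE_TAG}"
          kubectl apply -k .
          kubectl rollout status deployment/dropbox-clone-api -n dropbox-clone --timeout=600s

      - name: Verify deployment
        run: |
          kubectl get pods -n dropbox-clone -l app.kubernetes.io/name=dropbox-clone-api
          kubectl get svc -n dropbox-clone
          kubectl get hpa -n dropbox-clone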