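---
# GitHub Actions workflow: build the service images whose source changed,
# push them to Amazon ECR, then restart the matching deployments by running
# rollout.sh on a bastion host over SSH.
#
# Job chain: setup-env (which paths changed) -> build-and-push (docker buildx
# --push to ECR) -> restart-deployments (temporary SG ingress + SSH rollout).
#
# NOTE(review): every action is referenced by a floating major tag (@v3, @v4,
# @v2). Pinning to a full commit SHA (tag kept in a trailing comment) means a
# re-tagged upstream action cannot silently change what this workflow runs.
name: Container ECR build + deploy

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader treats it as the
# trigger map, so it stays unquoted here.
on:
  push:
    branches:
      - main
      - demo

# Least-privilege token: id-token for OIDC federation to AWS, read-only repo.
permissions:
  id-token: write
  contents: read

jobs:
  # Detect which service directories changed so only those images are built.
  # Output format: "<path>:<count>,<path>:<count>,..." (trailing comma removed).
  setup-env:
    if: github.repository == 'UnlockedLabs/UnlockEdv2' || github.repository == 'PThorpe92/UnlockEdv2'
    runs-on: ubuntu-latest
    outputs:
      changes: ${{ steps.check-changes.outputs.changes }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # HEAD~1 must exist in the clone for the diff below.
          fetch-depth: 3
      - id: check-changes
        # NOTE(review): `HEAD~1` compares only the last commit of the push; a
        # push carrying several commits can miss changes in the earlier ones.
        # Also, "backend/" is a prefix of "backend/tasks", so a change under
        # backend/tasks/ counts for both (server and scheduler images rebuilt);
        # presumably intended since they share code — confirm.
        run: |
          paths=("frontend/" "backend/" "provider-middleware/" "backend/tasks")
          changes=""
          for path in "${paths[@]}"; do
            # Pipeline status is wc's, so a no-match grep does not abort the step.
            count=$(git diff --name-only HEAD~1 | grep "^${path}" | wc -l)
            changes+="${path}:${count},"
          done
          changes="${changes%,}"
          echo "changes=${changes}" >> "$GITHUB_OUTPUT"
      - name: Debug changes
        # Passed through env instead of interpolating ${{ }} into the script so
        # the value is never re-parsed as shell syntax.
        env:
          CHANGES: ${{ steps.check-changes.outputs.changes }}
        run: echo "$CHANGES"

  # Build and push one image per changed path. Emits the space-separated list
  # of deployment names that the next job should restart.
  build-and-push:
    if: github.repository == 'UnlockedLabs/UnlockEdv2' || github.repository == 'PThorpe92/UnlockEdv2'
    needs: setup-env
    runs-on: ubuntu-latest
    outputs:
      deployments: ${{ steps.build-images.outputs.deployments }}
    env:
      CHANGES: ${{ needs.setup-env.outputs.changes }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
          aws-region: us-west-2
          mask-aws-account-id: true
      - name: Log in to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - id: build-images
        env:
          # Registry host from the ECR login step; used to tag every image.
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        run: |
          echo "CHANGES: $CHANGES"
          deployments=()
          IFS=',' read -ra entries <<< "$CHANGES"
          for entry in "${entries[@]}"; do
            if [ -z "$entry" ]; then
              continue
            fi
            # entry is "<path>:<count>"; split on the single colon.
            path="${entry%%:*}"
            count="${entry##*:}"
            if [[ $count -ne 0 ]]; then
              case $path in
                "frontend/")
                  echo "Building frontend image"
                  docker buildx build --platform linux/amd64 -t "${REGISTRY}/frontend:latest" --push frontend/.
                  deployments+=("frontend")
                  ;;
                "backend/")
                  echo "Building backend image"
                  docker buildx build --platform linux/amd64 -t "${REGISTRY}/unlockedv2:latest" --push -f backend/Dockerfile .
                  deployments+=("server")
                  ;;
                "provider-middleware/")
                  echo "Building middleware image"
                  docker buildx build --platform linux/amd64 -t "${REGISTRY}/provider_middleware:latest" --push -f provider-middleware/Dockerfile .
                  deployments+=("provider-service")
                  ;;
                "backend/tasks")
                  echo "Building scheduler image"
                  docker buildx build --platform linux/amd64 -t "${REGISTRY}/cron_tasks:latest" --push -f backend/tasks/Dockerfile .
                  deployments+=("cron-tasks")
                  ;;
              esac
            fi
          done
          echo "deployments=${deployments[*]}" >> "$GITHUB_OUTPUT"

  # Open port 22 on the bastion's security group for this runner only, run the
  # rollout over SSH, then close the hole again — unconditionally.
  restart-deployments:
    if: github.repository == 'UnlockedLabs/UnlockEdv2' || github.repository == 'PThorpe92/UnlockEdv2'
    needs: build-and-push
    runs-on: ubuntu-latest
    env:
      SECURITY_GROUP_ID: ${{ secrets.SECURITY_GROUP_ID }}
      BASTION_HOST: ${{ secrets.BASTION_HOST }}
      # Space-separated deployment names from the build job (may be empty).
      DEPLOYMENTS: ${{ needs.build-and-push.outputs.deployments }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
          aws-region: us-west-2
          mask-aws-account-id: true
      - name: Get Runner Public IP
        id: get_runner_ip
        run: |
          # -f fails on HTTP errors and --max-time bounds the call; an empty
          # result would otherwise become an invalid "/32" CIDR below.
          RUNNER_IP=$(curl -fsS --max-time 15 https://checkip.amazonaws.com | tr -d '[:space:]')
          if [[ -z "$RUNNER_IP" ]]; then
            echo "Could not determine the runner's public IP" >&2
            exit 1
          fi
          echo "Runner IP: $RUNNER_IP"
          echo "RUNNER_IP=$RUNNER_IP" >> "$GITHUB_ENV"
      - name: Add Runner IP to Security Group
        run: |
          echo "Adding runner IP $RUNNER_IP to security group $SECURITY_GROUP_ID"
          aws ec2 authorize-security-group-ingress --group-id "$SECURITY_GROUP_ID" --protocol tcp --port 22 --cidr "${RUNNER_IP}/32"
      - name: Restart Deployments
        env:
          # Scoped to this step only: no other step needs the private key.
          SSH_KEY: ${{ secrets.SSH_KEY }}
        run: |
          if [[ -z "$DEPLOYMENTS" ]]; then
            echo "No deployments need restarting."
            exit 0
          fi
          # Branch -> rollout context mapping; anything else is an error.
          case "$GITHUB_REF" in
            refs/heads/demo) CONTEXT="demo" ;;
            refs/heads/main) CONTEXT="staging" ;;
            *)
              echo "Unknown branch: ${GITHUB_REF}. No deployments restarted."
              exit 1
              ;;
          esac
          # Write the key with a restrictive umask so it is never world-readable,
          # even briefly, before the chmod.
          mkdir -p ~/.ssh
          (umask 077 && echo "$SSH_KEY" | base64 -d > ~/.ssh/id_rsa)
          chmod 400 ~/.ssh/id_rsa
          # NOTE(review): StrictHostKeyChecking=no accepts any host key, so a
          # redirected BASTION_HOST would not be detected. Pinning the bastion's
          # public key into ~/.ssh/known_hosts (e.g. from a <BASTION_HOST_KEY>
          # secret) and dropping this option would close that gap.
          # DEPLOYMENTS is intentionally unquoted in the heredoc so each name
          # reaches rollout.sh as a separate argument.
          ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no "$BASTION_HOST" "bash -s" <<EOF
          rollout.sh $CONTEXT $DEPLOYMENTS
          EOF
      - name: Remove Runner IP from Security Group
        # always(): the ingress rule must be revoked even when the rollout step
        # fails or the job is cancelled; otherwise port 22 stays open to an IP
        # that will be recycled to another tenant's runner.
        if: always()
        run: |
          shred -u ~/.ssh/id_rsa || rm -f ~/.ssh/id_rsa
          if [[ -z "${RUNNER_IP:-}" ]]; then
            echo "No runner IP recorded; nothing to revoke."
            exit 0
          fi
          echo "Removing runner IP $RUNNER_IP from security group"
          aws ec2 revoke-security-group-ingress --group-id "$SECURITY_GROUP_ID" --protocol tcp --port 22 --cidr "${RUNNER_IP}/32"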