Automatic PR-validation dependency lock updates: move commit after merge #81

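---
# Post-merge pipeline for the main branch.
#
# Triggered when a pull request into `main` is closed. If the PR was merged it
# (1) commits the dependency lock-file updates produced by the PR-validation
# workflow, (2) builds and uploads the shared AWS infra package, (3) deploys the
# CDK infrastructure stacks, (4) builds and pushes the container images and
# (5) deploys the API and web UI applications.
#
# Two gate jobs control what runs:
#   - on-merge:  skips everything for closed-but-unmerged PRs.
#   - on-deploy: additionally skips all build/deploy jobs for PRs labelled
#                'no-deploy' (lock-file commits still happen for those).
# A third label, 'no-deps-lock-updates', skips only the lock-file commit steps.
name: Main branch Build and Deployment

on:  # yamllint disable-line rule:truthy
  pull_request:
    types: [closed]
    branches:
      - main

jobs:
  on-merge:
    name: Skip on unmerged
    # Only the merge status is checked here. The 'no-deploy' label is handled by
    # on-deploy, so that commit-deps-lock-updates (which needs only this job)
    # still runs for merged PRs that carry the 'no-deploy' label.
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-22.04
    steps:
      - name: Confirm execution
        shell: bash
        run: |
          echo "PR merge detected."

  on-deploy:
    name: Skip on 'no-deploy' PRs
    needs: on-merge
    # Every build/deploy job below depends on this job; when it is skipped they
    # are skipped too (their default `success()` condition is not met).
    if: github.event.pull_request.merged == true && !contains(github.event.pull_request.labels.*.name, 'no-deploy')
    runs-on: ubuntu-22.04
    steps:
      - name: Confirm execution
        shell: bash
        run: |
          echo "PR merge detected and deployment wanted."

  commit-deps-lock-updates:
    runs-on: ubuntu-22.04
    needs:
      - on-merge
    permissions:
      contents: write
    # NOTE(review): the third-party actions used in this job
    # (dawidd6/action-download-artifact, stefanzweifel/git-auto-commit-action)
    # are referenced by mutable version tag; pinning them to a commit SHA would
    # harden the supply chain of a job that pushes commits to main.
    steps:
      - name: create token for committing and pushing as agr-github-actions app
        uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.GH_ACTIONS_APP_ID }}
          private-key: ${{ secrets.GH_ACTIONS_APP_PRIVATE_KEY }}
      # Resolve the numeric user id of the app's bot user; it is needed to build
      # the noreply commit e-mail address used by the commit steps below.
      - name: Get GitHub App User ID
        id: app-user-id
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
          fetch-depth: 0
          # Check out with the app token so that the commits pushed below are
          # authenticated as the app rather than as GITHUB_TOKEN.
          token: ${{ steps.app-token.outputs.token }}
      - name: Download updated dependencies lock files bundle
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'no-deps-lock-updates') }}
        uses: dawidd6/action-download-artifact@v6
        with:
          name: deps_lock_files_bundle
          pr: ${{ github.event.pull_request.number }}
          workflow: PR-validation.yml
          workflow_conclusion: success
          workflow_search: false
          # Only artifacts produced by this repository's own PR-validation runs
          # are accepted; the bundle is extracted and committed to main below.
          allow_forks: false
          if_no_artifact_found: fail
          skip_unpack: true
      - name: Unpack the bundle
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'no-deps-lock-updates') }}
        run: |
          tar -xzv -f deps-lock-files.tar.gz
      # Independent shared_aws_infra lock files commit required to pin hash representing the package
      # to be included in depending aws_infra components' lock files.
      - name: commit shared_aws_infra dependency lock file changes
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'no-deps-lock-updates') }}
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_user_name: ${{ steps.app-token.outputs.app-slug }}[bot]
          # Fixed: the address previously ended in a stray '>' which became part of the e-mail.
          commit_user_email: ${{ steps.app-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com
          commit_message: Auto-updated pavi_shared_aws_infra deps lock files [skip actions]
          file_pattern: 'shared_aws_infra/requirements.txt shared_aws_infra/tests/requirements.txt'
          disable_globbing: true
      # Build pavi_shared_aws_infra package (to ensure hash includes latest commit date)
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build and install the pavi_shared_aws_infra package
        working-directory: ./shared_aws_infra
        run: |
          make clean build install
      # The wheel is consumed by every deploy job below via actions/download-artifact.
      - name: Upload package as artifact
        id: shared-aws-infra-package
        uses: actions/upload-artifact@v4
        with:
          name: shared_aws_infra_package
          path: shared_aws_infra/dist/pavi_shared_aws_infra-0.0.0-py3-none-any.whl
      - name: Update pavi_shared_aws_infra dependencies
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'no-deps-lock-updates') }}
        run: |
          make -C api/aws_infra/ pip-tools update-deps-lock-shared-aws-infra-only update-test-deps-lock-shared-aws-infra-only
          make -C pipeline/aws_infra/ pip-tools update-deps-lock-shared-aws-infra-only update-test-deps-lock-shared-aws-infra-only
          make -C webui/aws_infra/ pip-tools update-deps-lock-shared-aws-infra-only update-test-deps-lock-shared-aws-infra-only
      - name: commit remaining dependency lock file changes
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'no-deps-lock-updates') }}
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_user_name: ${{ steps.app-token.outputs.app-slug }}[bot]
          # Fixed: the address previously ended in a stray '>' which became part of the e-mail.
          commit_user_email: ${{ steps.app-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com
          commit_message: Auto-updated deps lock files [skip actions]
          # Globbing is left to git's pathspec matching, not the shell.
          file_pattern: '*requirements.txt *package-lock.json'
          disable_globbing: true

  pipeline-deploy-aws-infra:
    name: Deploy/update AWS infrastructure for pipeline
    needs: [commit-deps-lock-updates]
    permissions:
      # Once a permissions block is declared, unspecified scopes default to none;
      # contents: read is spelled out so the checkout step is covered explicitly.
      contents: read
      id-token: write # This is required for requesting the JWT for gaining permissions to assume the IAM role to perform AWS actions
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: pipeline/aws_infra
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
      - name: Setup node.js (CDK requirement)
        uses: actions/setup-node@v4
        with:
          node-version: "18"
      - name: Install CDK
        run: npm install -g aws-cdk
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Download shared AWS infra package
        uses: actions/download-artifact@v4
        with:
          name: shared_aws_infra_package
          path: /tmp/
      - name: Install CDK stack dependencies
        run: pip install -r requirements.txt
      - name: AWS credentials configuration
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
          # Session name identifies this run (and purpose) in the AWS audit trail.
          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-cdk-deploy
          aws-region: us-east-1
      - name: CDK validations (resource assertions and cdk diff)
        run: make validate
      - name: Deploy CDK Stack
        run: make deploy ADD_CDK_ARGS="--require-approval never"

  api-deploy-image-repo:
    name: Deploy/update container image repository stack for API
    needs: [commit-deps-lock-updates]
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT for gaining permissions to assume the IAM role to perform AWS actions
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: api/aws_infra
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
      - name: Setup node.js (CDK requirement)
        uses: actions/setup-node@v4
        with:
          node-version: "18"
      - name: Install CDK
        run: npm install -g aws-cdk
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Download shared AWS infra package
        uses: actions/download-artifact@v4
        with:
          name: shared_aws_infra_package
          path: /tmp/
      - name: Install CDK stack dependencies
        run: pip install -r requirements.txt
      - name: AWS credentials configuration
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-cdk-deploy
          aws-region: us-east-1
      - name: CDK validations (resource assertions and cdk diff)
        run: make validate-image-stack
      - name: Deploy CDK stack
        run: make deploy-image-stack ADD_CDK_ARGS="--require-approval never"

  webui-deploy-image-repo:
    name: Deploy/update container image repository stack for web UI
    needs: [commit-deps-lock-updates]
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT for gaining permissions to assume the IAM role to perform AWS actions
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: webui/aws_infra
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
      - name: Setup node.js (CDK requirement)
        uses: actions/setup-node@v4
        with:
          node-version: "18"
      - name: Install CDK
        run: npm install -g aws-cdk
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Download shared AWS infra package
        uses: actions/download-artifact@v4
        with:
          name: shared_aws_infra_package
          path: /tmp/
      - name: Install CDK stack dependencies
        run: pip install -r requirements.txt
      - name: AWS credentials configuration
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-cdk-deploy
          aws-region: us-east-1
      - name: CDK validations (resource assertions and cdk diff)
        run: make validate-image-stack
      - name: Deploy CDK stack
        run: make deploy-image-stack ADD_CDK_ARGS="--require-approval never"

  pipeline-seq-retrieval-build-and-push-docker-image:
    needs: [on-deploy, pipeline-deploy-aws-infra, commit-deps-lock-updates]
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT for gaining permissions to assume the IAM role to perform AWS actions
    runs-on: ubuntu-22.04
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
          # Full history is needed for `git describe --tags` below.
          fetch-depth: 0
          sparse-checkout: |
            pipeline/seq_retrieval/
      - name: Store release tag in env
        shell: bash
        run: |
          echo "tagname=$(git describe --tags)" >> "$GITHUB_ENV"
      # This step will configure environment variables to be used by all steps
      # involving AWS interaction further down
      - name: AWS credentials configuration
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-build-image-pipeline-seq-retrieval
          aws-region: us-east-1
      - name: Amazon ECR login
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Build and push container image
        uses: docker/build-push-action@v6
        env:
          DOCKER_BUILD_SUMMARY: false
        with:
          context: ./pipeline/seq_retrieval/
          push: true
          # Tagged with both the release tag and the target branch name.
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/agr_pavi/pipeline_seq_retrieval:${{ env.tagname }}
            ${{ steps.login-ecr.outputs.registry }}/agr_pavi/pipeline_seq_retrieval:${{ github.event.pull_request.base.ref }}
          platforms: linux/amd64

  pipeline-alignment-build-and-push-docker-image:
    needs: [on-deploy, pipeline-deploy-aws-infra, commit-deps-lock-updates]
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT for gaining permissions to assume the IAM role to perform AWS actions
    runs-on: ubuntu-22.04
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
          fetch-depth: 0
          sparse-checkout: |
            pipeline/alignment/
      - name: Store release tag in env
        shell: bash
        run: |
          echo "tagname=$(git describe --tags)" >> "$GITHUB_ENV"
      # This step will configure environment variables to be used by all steps
      # involving AWS interaction further down
      - name: AWS credentials configuration
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
          # Fixed: previously copied from the seq-retrieval job, so this job's AWS
          # sessions were mislabelled in the audit trail.
          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-build-image-pipeline-alignment
          aws-region: us-east-1
      - name: Amazon ECR login
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Build and push container image
        uses: docker/build-push-action@v6
        env:
          DOCKER_BUILD_SUMMARY: false
        with:
          context: ./pipeline/alignment/
          push: true
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/agr_pavi/pipeline_alignment:${{ env.tagname }}
            ${{ steps.login-ecr.outputs.registry }}/agr_pavi/pipeline_alignment:${{ github.event.pull_request.base.ref }}
          platforms: linux/amd64

  api-build-and-push-docker-image:
    needs: [on-deploy, api-deploy-image-repo, commit-deps-lock-updates]
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT for gaining permissions to assume the IAM role to perform AWS actions
    runs-on: ubuntu-22.04
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
          fetch-depth: 0
      - name: Store release tag in env
        shell: bash
        run: |
          echo "tagname=$(git describe --tags)" >> "$GITHUB_ENV"
      # This step will configure environment variables to be used by all steps
      # involving AWS interaction further down
      - name: AWS credentials configuration
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-build-image-api
          aws-region: us-east-1
      - name: Amazon ECR login
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Build and push container image
        uses: docker/build-push-action@v6
        env:
          DOCKER_BUILD_SUMMARY: false
        with:
          # Repository root as build context; the Dockerfile lives under api/.
          context: ./
          file: api/Dockerfile
          push: true
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/agr_pavi/api:${{ env.tagname }}
            ${{ steps.login-ecr.outputs.registry }}/agr_pavi/api:${{ github.event.pull_request.base.ref }}
          platforms: linux/amd64

  webui-build-and-push-docker-image:
    needs: [on-deploy, webui-deploy-image-repo, commit-deps-lock-updates]
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT for gaining permissions to assume the IAM role to perform AWS actions
    runs-on: ubuntu-22.04
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
          fetch-depth: 0
      - name: Store release tag in env
        shell: bash
        run: |
          echo "tagname=$(git describe --tags)" >> "$GITHUB_ENV"
      # This step will configure environment variables to be used by all steps
      # involving AWS interaction further down
      - name: AWS credentials configuration
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-build-image-webui
          aws-region: us-east-1
      - name: Amazon ECR login
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Build and push container image
        uses: docker/build-push-action@v6
        env:
          DOCKER_BUILD_SUMMARY: false
        with:
          context: ./webui/
          push: true
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/agr_pavi/webui:${{ env.tagname }}
            ${{ steps.login-ecr.outputs.registry }}/agr_pavi/webui:${{ github.event.pull_request.base.ref }}
          platforms: linux/amd64

  api-deploy-application:
    name: Deploy application (version) for API
    needs:
      - on-deploy
      - commit-deps-lock-updates
      - api-build-and-push-docker-image
      - pipeline-alignment-build-and-push-docker-image
      - pipeline-seq-retrieval-build-and-push-docker-image
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT for gaining permissions to assume the IAM role to perform AWS actions
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: api/aws_infra
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
          fetch-depth: 0
      - name: Store release tag in env
        shell: bash
        run: |
          echo "tagname=$(git describe --tags)" >> "$GITHUB_ENV"
      - name: Setup node.js (CDK requirement)
        uses: actions/setup-node@v4
        with:
          node-version: "18"
      - name: Install CDK
        run: npm install -g aws-cdk
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Download shared AWS infra package
        uses: actions/download-artifact@v4
        with:
          name: shared_aws_infra_package
          path: /tmp/
      - name: Install CDK stack dependencies
        run: pip install -r requirements.txt
      - name: AWS credentials configuration
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-api-cdk-deploy
          aws-region: us-east-1
      - name: CDK validations (resource assertions and cdk diff)
        run: make validate-application-stack validate-environment-stack PAVI_DEPLOY_VERSION_LABEL="${{ env.tagname }}" PAVI_IMAGE_TAG="${{ env.tagname }}"
      - name: Deploy application (and version)
        run: make deploy-application PAVI_DEPLOY_VERSION_LABEL="${{ env.tagname }}" ADD_CDK_ARGS="--require-approval never"
      # Folded scalar: the command is one line at runtime (replaces the former
      # backslash continuation inside a plain scalar).
      - name: Deploy to main environment
        run: >-
          make deploy-environment PAVI_DEPLOY_VERSION_LABEL="${{ env.tagname }}" PAVI_IMAGE_TAG="${{ env.tagname }}"
          EB_ENV_CDK_STACK_NAME=PaviApiEbMainStack ADD_CDK_ARGS="--require-approval never"

  webui-deploy-application:
    name: Deploy application (version) for web UI
    needs:
      - on-deploy
      - commit-deps-lock-updates
      - webui-build-and-push-docker-image
      - api-deploy-application
    permissions:
      contents: read
      id-token: write # This is required for requesting the JWT for gaining permissions to assume the IAM role to perform AWS actions
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: webui/aws_infra
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
          fetch-depth: 0
      - name: Store release tag in env
        shell: bash
        run: |
          echo "tagname=$(git describe --tags)" >> "$GITHUB_ENV"
      - name: Setup node.js (CDK requirement)
        uses: actions/setup-node@v4
        with:
          node-version: "18"
      - name: Install CDK
        run: npm install -g aws-cdk
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Download shared AWS infra package
        uses: actions/download-artifact@v4
        with:
          name: shared_aws_infra_package
          path: /tmp/
      - name: Install CDK stack dependencies
        run: pip install -r requirements.txt
      - name: AWS credentials configuration
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{secrets.GH_ACTIONS_AWS_ROLE}}
          role-session-name: gh-actions-${{github.run_id}}.${{github.run_number}}.${{github.run_attempt}}-webui-cdk-deploy
          aws-region: us-east-1
      - name: CDK validations (resource assertions and cdk diff)
        run: >-
          make validate-application-stack validate-environment-stack PAVI_API_ENV_NAME="PAVI-api-main"
          PAVI_DEPLOY_VERSION_LABEL="${{ env.tagname }}" PAVI_IMAGE_TAG="${{ env.tagname }}"
      - name: Deploy application (and version)
        run: make deploy-application PAVI_DEPLOY_VERSION_LABEL="${{ env.tagname }}" ADD_CDK_ARGS="--require-approval never"
      - name: Deploy to main environment
        run: >-
          make deploy-environment PAVI_API_ENV_NAME="PAVI-api-main"
          PAVI_DEPLOY_VERSION_LABEL="${{ env.tagname }}" PAVI_IMAGE_TAG="${{ env.tagname }}"
          EB_ENV_CDK_STACK_NAME=PaviWebUiEbMainStack ADD_CDK_ARGS="--require-approval never"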