acm-server/.github/workflows/deploy.yml at e4f1848b1c22c4edf960c9e0ad9a6eae326f9c30 · acmcsufoss/acm-server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: Deploy with Terraform

on:
  push:
    branches:
      - main
  workflow_call:
    secrets:
      GIT_CRYPT_KEY:
        required: true
  workflow_dispatch:

defaults:
  run:
    # Use Nix for all of our build commands.
    # Doing this will automatically run everything in our devShell.
    shell: nix develop -c bash -e -o pipefail {0}

jobs:
  deploy:
    name: Deploy with Terraform
    runs-on: ubuntu-latest
    environment: Production
    concurrency: Production
    outputs:
      commit_hash: ${{ steps.git-commit.outputs.commit_hash }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Use ref_name instead of ref so we always get the branch to pull our
          # latest commit from.
          ref: ${{ github.ref_name }}

      - uses: nixbuild/nix-quick-install-action@v30
      - uses: nix-community/cache-nix-action@v6
        with: # see https://github.com/nix-community/cache-nix-action#example-steps
          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-
          gc-max-store-size-linux: 1G
          purge: true
          purge-prefixes: nix-${{ runner.os }}-
          purge-created: 0
          purge-primary-key: never

      # Add a Nix channel as a workaround for terraform-nixos-ng.
      # See https://github.com/Gabriella439/terraform-nixos-ng/issues/11.
      #
      # TODO: Remove this once terraform-nixos-ng is fixed.
      - name: Add NixOS channel
        run: |-
          nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs
          nix-channel --update
        shell: bash

      # Task: Initialize development environment

      # This step is a no-op. It just forces a first invocation of `nix develop`
      # and will let us isolate any issues with the Nix environment.
      - name: Initialize development environment
        run: true

      # Task: Handle Makefiles

      # This shouldn't need any secrets.
      # Avoid giving it any.
      - name: Run all package Makefiles
        run: ./scripts/pkg make

      - name: Commit changes, if any
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          branch: ${{ github.ref_name }}
          commit_message: Run all Makefiles using GitHub Actions

      # Task: Apply Terraform deployment

      - name: Decrypt git-crypt secrets
        uses: ./.github/actions/git-crypt
        with:
          key: ${{ secrets.GIT_CRYPT_KEY }}

      - name: Initialize Tailscale
        uses: tailscale/github-action@v3
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:server

      - name: Initialize Terraform
        id: terraform-init
        run: |-
          chmod 640 secrets/terraform.tfstate*
          terraform init

      - name: Calculate a Terraform deployment plan
        id: terraform-plan
        run: |-
          set +e
          terraform plan --detailed-exitcode --out="/tmp/acm-aws-plan"
          status=$?
          set -e

          if [[ $status == 1 ]]; then
            echo "::error::Terraform plan failed, exiting..."
            exit 1
          fi

          # 0 - Succeeded, diff is empty (no changes)
          # 1 - Errored
          # 2 - Succeeded, there is a diff
          echo "status=$status" >> $GITHUB_OUTPUT

      - name: Apply Terraform configurations
        id: terraform-apply
        if: steps.terraform-plan.outputs.status == 2
        run: |-
          set -o pipefail
          terraform apply --auto-approve "/tmp/acm-aws-plan" \
            |& tee /tmp/terraform-apply.log \
            |& grep -v 'deployment.null_resource.deploy (.*-exec):'

      - name: Commit changes, if any
        id: git-commit
        if: steps.terraform-plan.outputs.status == 2
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: "Update deployment using GitHub Actions"
          branch: ${{ github.ref_name }}

      - name: Prepare Terraform deployment logs
        id: terraform-logs-prepare
        if: steps.terraform-plan.outputs.status == 2 && failure()
        run: |-
          ./scripts/encrypt-ssh \
            /tmp/terraform-apply.log \
            /tmp/terraform-apply.log.enc

      - name: Upload Terraform deployment logs
        id: terraform-logs-upload
        if: steps.terraform-plan.outputs.status == 2 && failure()
        uses: actions/upload-artifact@v4
        with:
          name: terraform-apply.log.enc
          path: /tmp/terraform-apply.log.enc