---
name: release

on: # yamllint disable-line rule:truthy
  release:
    types:
      - released

env:
  AWS_DEFAULT_REGION: "us-east-1"
  # packer init downloads its plugins from GitHub, and unauthenticated
  # requests are capped at 60/hour (authenticated requests get
  # 5000/hour). We have seen init fail in Actions because of that
  # cap, so hand Packer the job's token.
  PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Copying the AMI to other regions stays disabled until there is a
  # workable mechanism for creating and managing AMI KMS keys in
  # those regions.
  # See https://github.com/cisagov/cool-system/issues/18 for details.
  # COPY_REGIONS_KMS_MAP: "us-east-2:alias/cool-amis,
  # us-west-1:alias/cool-amis,
  # us-west-2:alias/cool-amis"
  PIP_CACHE_DIR: ~/.cache/pip
  # Any non-empty value enables the tmate step at the end of the
  # release job; see the comment on that step.
  RUN_TMATE: ${{ secrets.RUN_TMATE }}
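jobs:
  diagnostics:
    name: Run diagnostics
    # This job does not need any permissions
    permissions: {}
    runs-on: ubuntu-latest
    steps:
      # Note that a duplicate of this step must be added at the top of
      # each job.
      #
      # NOTE(review): every action in this workflow is referenced by a
      # moving major-version tag (@v1, @v3, ...). Pinning each `uses:`
      # to a full commit SHA, with the tag kept in a trailing comment,
      # would keep a retagged upstream release from changing what this
      # release job runs. Confirm against the organization's policy
      # before switching.
      - name: Apply standard cisagov job preamble
        uses: cisagov/action-job-preamble@v1
        with:
          check_github_status: "true"
          # This functionality is poorly implemented and has been
          # causing problems due to the MITM implementation hogging or
          # leaking memory. As a result we disable it by default. If
          # you want to temporarily enable it, simply set
          # monitor_permissions equal to "true".
          #
          # TODO: Re-enable this functionality when practical. See
          # cisagov/skeleton-packer#411 for more details.
          monitor_permissions: "false"
          output_workflow_context: "true"
          # Use a variable to specify the permissions monitoring
          # configuration. By default this will yield the
          # configuration stored in the cisagov organization-level
          # variable, but if you want to use a different configuration
          # then simply:
          # 1. Create a repository-level variable with the name
          # ACTIONS_PERMISSIONS_CONFIG.
          # 2. Set this new variable's value to the configuration you
          # want to use for this repository.
          #
          # Note in particular that changing the permissions
          # monitoring configuration *does not* require you to modify
          # this workflow.
          permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}

  release:
    environment: production
    needs:
      - diagnostics
    permissions:
      # actions/checkout needs this to fetch code
      contents: read
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        architecture:
          - arm64
          - x86_64
    steps:
      - name: Apply standard cisagov job preamble
        uses: cisagov/action-job-preamble@v1
        with:
          # This functionality is poorly implemented and has been
          # causing problems due to the MITM implementation hogging or
          # leaking memory. As a result we disable it by default. If
          # you want to temporarily enable it, simply set
          # monitor_permissions equal to "true".
          #
          # TODO: Re-enable this functionality when practical. See
          # cisagov/skeleton-packer#411 for more details.
          monitor_permissions: "false"
          # Use a variable to specify the permissions monitoring
          # configuration. By default this will yield the
          # configuration stored in the cisagov organization-level
          # variable, but if you want to use a different configuration
          # then simply:
          # 1. Create a repository-level variable with the name
          # ACTIONS_PERMISSIONS_CONFIG.
          # 2. Set this new variable's value to the configuration you
          # want to use for this repository.
          #
          # Note in particular that changing the permissions
          # monitoring configuration *does not* require you to modify
          # this workflow.
          permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
      - id: setup-env
        uses: cisagov/setup-env-github-action@v1
      - uses: actions/checkout@v6
      - id: setup-python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ steps.setup-env.outputs.python-version }}
      - uses: actions/cache@v5
        env:
          BASE_CACHE_KEY: >-
            ${{ github.job }}-${{ runner.os }}-py${{
            steps.setup-python.outputs.python-version }}-packer${{
            steps.setup-env.outputs.packer-version }}-tf-${{
            steps.setup-env.outputs.terraform-version }}-
        with:
          path: |
            ${{ env.PIP_CACHE_DIR }}
          key: >-
            ${{ env.BASE_CACHE_KEY }}${{
            hashFiles('**/requirements.txt') }}
          restore-keys: |
            ${{ env.BASE_CACHE_KEY }}
      - uses: hashicorp/setup-packer@v3
        with:
          version: ${{ steps.setup-env.outputs.packer-version }}
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install --upgrade \
            --requirement requirements.txt
      # Do not copy the AMI to other regions until we have figured out a
      # workable mechanism for creating and managing AMI KMS keys in other
      # regions.
      # See https://github.com/cisagov/cool-system/issues/18 for details.
      # - name: Add copy regions to packer configuration
      #   run: |
      #     echo $COPY_REGIONS_KMS_MAP | \
      #       ./patch_packer_config.py variables.pkr.hcl
      #
      # NOTE(review): this step signs in with long-lived access keys
      # held as repository secrets and then assumes the build role.
      # configure-aws-credentials can also obtain the role session via
      # GitHub's OIDC provider (role-to-assume plus an `id-token: write`
      # job permission), which removes the static keys entirely; confirm
      # the AWS account trusts the OIDC provider before switching.
      - name: Assume AWS build role
        uses: aws-actions/configure-aws-credentials@v6
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME }}
          role-duration-seconds: 3600
      # When called by Packer, Ansible will find /usr/bin/python3 and
      # use it; therefore, we must ensure that /usr/bin/python3 points
      # to the version of Python that we installed in the
      # actions/setup-python step above. This can hose other tasks
      # that are expecting to find the system Python at that location,
      # though, so we undo this change after running Packer.
      - name: Create a /usr/bin/python3 symlink to the installed python
        run: |
          sudo mv /usr/bin/python3 /usr/bin/python3-default
          sudo ln -s "$pythonLocation/bin/python3" \
            /usr/bin/python3
      - name: Install Packer plugins
        run: packer init .
      # If the AMI to be built via Packer requires anything from the
      # third-party bucket then you will require this step.
      # - id: get-third-party-bucket-name
      #   name: Get the third-party bucket name from SSM Parameter Store
      #   run: |
      #     echo name=$(aws ssm get-parameter \
      #       --name /third_party_bucket_name \
      #       --output text \
      #       --query Parameter.Value \
      #       --with-decryption) >> $GITHUB_OUTPUT
      - name: Create machine image
        # Note that if you uncomment the get-third-party-bucket-name
        # step above then you will likely need to add
        # BUILD_BUCKET: ${{ steps.get-third-party-bucket-name.outputs.name }}
        # to the env block below and a line like this after
        # -timestamp-ui \:
        # -var "build_bucket=$BUILD_BUCKET" \
        #
        # The release fields below are chosen by whoever created the
        # release (a git tag name may legally contain characters such as
        # `$`, `;` or backticks), so they are passed to the shell through
        # the environment and quoted instead of being expanded with
        # ${{ }} directly inside the command line. GITHUB_REF_NAME and
        # GITHUB_SHA are default runner environment variables.
        env:
          IS_PRERELEASE: ${{ github.event.release.prerelease }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          RELEASE_URL: ${{ github.event.release.html_url }}
        run: |
          packer build -only amazon-ebs.${{ matrix.architecture }} \
            -timestamp-ui \
            -var "github_ref_name=$GITHUB_REF_NAME" \
            -var "github_sha=$GITHUB_SHA" \
            -var "is_prerelease=$IS_PRERELEASE" \
            -var "release_tag=$RELEASE_TAG" \
            -var "release_url=$RELEASE_URL" \
            .
      - name: Remove /usr/bin/python3 symlink to the installed python
        run: |
          sudo mv /usr/bin/python3-default /usr/bin/python3
      # NOTE(review): a tmate session gives whoever connects an
      # interactive shell on a runner that has already assumed the AWS
      # build role, so RUN_TMATE should stay unset except while someone
      # is actively debugging a failed release.
      - name: Setup tmate debug session
        uses: mxschmitt/action-tmate@v3
        if: env.RUN_TMATE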