@@ -21,138 +21,124 @@ jobs:
2121 curl -o iocs.csv https://raw.githubusercontent.com/DataDog/indicators-of-compromise/refs/heads/main/shai-hulud-2.0/consolidated_iocs.csv
2222 - name : Scan dependencies against IOCs
2323 run : node scripts/scan-dependencies.js
24- # validations:
25- # runs-on: ubuntu-latest
26- # env:
27- # DATABASE_URL: postgresql://catalogi:pg_password@localhost:5432/db
28- # services:
29- # postgres:
30- # image: postgres:16-alpine
31- # env:
32- # POSTGRES_USER: catalogi
33- # POSTGRES_PASSWORD: pg_password
34- # POSTGRES_DB: db
35- # ports:
36- # - 5432:5432
37- # steps:
38- # - uses: actions/checkout@v4
39- # - uses: actions/setup-node@v4
40- # with:
41- # node-version: "22"
42- # - uses: bahmutov/npm-install@v1
43- # - name: Build back
44- # run: cd api && yarn build
45- # - name: Migrate db
46- # run: cd api && yarn migrate latest
47- # - name: Fullcheck
48- # run: yarn fullcheck
24+ validations :
25+ needs : security-scan
26+ runs-on : ubuntu-latest
27+ env :
28+ DATABASE_URL : postgresql://catalogi:pg_password@localhost:5432/db
29+ services :
30+ postgres :
31+ image : postgres:16-alpine
32+ env :
33+ POSTGRES_USER : catalogi
34+ POSTGRES_PASSWORD : pg_password
35+ POSTGRES_DB : db
36+ ports :
37+ - 5432:5432
38+ steps :
39+ - uses : actions/checkout@v4
40+ - uses : actions/setup-node@v4
41+ with :
42+ node-version : " 22"
43+ - uses : bahmutov/npm-install@v1
44+ - name : Build back
45+ run : cd api && yarn build
46+ - name : Migrate db
47+ run : cd api && yarn migrate latest
48+ - name : Fullcheck
49+ run : yarn fullcheck
4950
50- # check_if_version_upgraded:
51- # name: Check if version upgrade
52- # if: github.event_name == 'push'
53- # runs-on: ubuntu-latest
54- # needs: validations
55- # outputs:
56- # is_upgraded_in_preprod: ${{ steps.check_version.outputs.is_upgraded_in_preprod }}
57- # is_upgraded_version: ${{ steps.check_version.outputs.is_upgraded_version }}
58- # to_version: ${{ steps.check_version.outputs.to_version }}
59- # from_version: ${{ steps.check_version.outputs.from_version }}
60- # steps:
61- # - uses: actions/checkout@v4
62- # - name: Check version upgrade
63- # id: check_version
64- # run: |
65- # # Get current version from package.json
66- # CURRENT_VERSION=$(jq -r '.version' package.json)
67- # echo "Version in package.json: $CURRENT_VERSION"
51+ check_if_version_upgraded :
52+ name : Check if version upgrade
53+ if : github.event_name == 'push'
54+ runs-on : ubuntu-latest
55+ needs : validations
56+ outputs :
57+ is_upgraded_in_preprod : ${{ steps.check_version.outputs.is_upgraded_in_preprod }}
58+ is_upgraded_version : ${{ steps.check_version.outputs.is_upgraded_version }}
59+ to_version : ${{ steps.check_version.outputs.to_version }}
60+ from_version : ${{ steps.check_version.outputs.from_version }}
61+ steps :
62+ - uses : actions/checkout@v4
63+ - name : Check version upgrade
64+ id : check_version
65+ run : |
66+ # Get current version from package.json
67+ CURRENT_VERSION=$(jq -r '.version' package.json)
68+ echo "Version in package.json: $CURRENT_VERSION"
6869
69- # # Get deployed version from preprod API
70- # PRE_PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill-preprod/api/getApiVersion" | jq -r '.result.data.json')
71- # PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill/api/getApiVersion" | jq -r '.result.data.json')
72- # echo "Deployed version in preprod: $PRE_PROD_DEPLOYED_VERSION"
73- # echo "Deployed version in prod: $PROD_DEPLOYED_VERSION"
70+ # Get deployed version from preprod API
71+ PRE_PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill-preprod/api/getApiVersion" | jq -r '.result.data.json')
72+ PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill/api/getApiVersion" | jq -r '.result.data.json')
73+ echo "Deployed version in preprod: $PRE_PROD_DEPLOYED_VERSION"
74+ echo "Deployed version in prod: $PROD_DEPLOYED_VERSION"
7475
75- # # Simple comparison: check if versions are different
76- # if [ "$CURRENT_VERSION" != "$PRE_PROD_DEPLOYED_VERSION" ]; then
77- # IS_UPGRADED_IN_PRE_PROD="true"
78- # IS_UPGRADED="true"
79- # echo "✅ Version different from preprod ($PRE_PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION"
80- # elif [ "$CURRENT_VERSION" != "$PROD_DEPLOYED_VERSION" ]; then
81- # IS_UPGRADED="true"
82- # echo "✅ Version different from prod ($PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION"
83- # else
84- # IS_UPGRADED="false"
85- # echo "ℹ️ Version unchanged: $CURRENT_VERSION"
86- # fi
76+ # Simple comparison: check if versions are different
77+ if [ "$CURRENT_VERSION" != "$PRE_PROD_DEPLOYED_VERSION" ]; then
78+ IS_UPGRADED_IN_PRE_PROD="true"
79+ IS_UPGRADED="true"
80+ echo "✅ Version different from preprod ($PRE_PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION"
81+ elif [ "$CURRENT_VERSION" != "$PROD_DEPLOYED_VERSION" ]; then
82+ IS_UPGRADED="true"
83+ echo "✅ Version different from prod ($PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION"
84+ else
85+ IS_UPGRADED="false"
86+ echo "ℹ️ Version unchanged: $CURRENT_VERSION"
87+ fi
8788
88- # echo "Is version upgraded: $IS_UPGRADED"
89+ echo "Is version upgraded: $IS_UPGRADED"
8990
90- # # Set outputs
91- # echo "is_upgraded_version=$IS_UPGRADED" >> $GITHUB_OUTPUT
92- # echo "is_upgraded_in_preprod=$IS_UPGRADED_IN_PRE_PROD" >> $GITHUB_OUTPUT
93- # echo "to_version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
94- # echo "from_version=$PRE_PROD_DEPLOYED_VERSION" >> $GITHUB_OUTPUT
91+ # Set outputs
92+ echo "is_upgraded_version=$IS_UPGRADED" >> $GITHUB_OUTPUT
93+ echo "is_upgraded_in_preprod=$IS_UPGRADED_IN_PRE_PROD" >> $GITHUB_OUTPUT
94+ echo "to_version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
95+ echo "from_version=$PRE_PROD_DEPLOYED_VERSION" >> $GITHUB_OUTPUT
9596
9697 trigger_pre_production_deploy :
97- name : " Trigger pre-production deploy"
98- runs-on : ubuntu-latest
99- concurrency :
100- group : deploy-to-pre-production
101- cancel-in-progress : true
10298 needs :
103- - security-scan
104- # if: needs.check_if_version_upgraded.outputs.is_upgraded_in_preprod == 'true'
105- env :
106- TO_VERSION : 1.53.3
107- # TO_VERSION: ${{ needs.check_if_version_upgraded.outputs.to_version }}
108- steps :
109- - run : echo "v${{ env.TO_VERSION }} -Triggering pre-production deploy"
110- - name : Set up SSH, update repo and restart docker-compose
111- timeout-minutes : 10
112- run : |
113- set -e
114- mkdir -p ~/.ssh
115- echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
116- chmod 600 ~/.ssh/id_ed25519
117- ssh-keyscan code.gouv.fr >> ~/.ssh/known_hosts
118-
119- echo "Connecting to server and running deployment script..."
120- ssh web@code.gouv.fr "bash -c 'set -e && eval \"\$(ssh-agent -s)\" && ssh-add ~/.ssh/sill-data && ./update-sill-preprod.sh v${{ env.TO_VERSION }}'" 2>&1 | tee deploy.log
99+ - check_if_version_upgraded
100+ if : needs.check_if_version_upgraded.outputs.is_upgraded_in_preprod == 'true'
101+ uses : ./.github/workflows/trigger-deploy.yaml
102+ with :
103+ server_host : code.gouv.fr
104+ server_user : web
105+ deploy_script_path : ./update-sill-preprod.sh
106+ server_ssh_key_path : ~/.ssh/sill-data
107+ environment_name : pre-production
108+ version : v${{ needs.check_if_version_upgraded.outputs.to_version }}
109+ secrets :
110+ SSH_PRIVATE_KEY : ${{ secrets.SSH_PRIVATE_KEY }}
121111
122- echo "✅ Pre-production deployment completed successfully"
123- env :
124- SSH_PRIVATE_KEY : ${{ secrets.SSH_PRIVATE_KEY }}
112+ trigger_pre_prodcution_deploy_scaleway :
113+ needs :
114+ - check_if_version_upgraded
115+ if : needs.check_if_version_upgraded.outputs.is_upgraded_in_preprod == 'true'
116+ uses : ./.github/workflows/trigger-deploy.yaml
117+ with :
118+ server_host : 163.172.181.215
119+ server_user : web
120+ deploy_script_path : ./update-sill-preprod.sh
121+ server_ssh_key_path : ~/.ssh/sill-github
122+ environment_name : pre-production-scaleway
123+ version : v${{ needs.check_if_version_upgraded.outputs.to_version }}
124+ secrets :
125+ SSH_PRIVATE_KEY : ${{ secrets.SSH_PRIVATE_KEY }}
125126
126127
127128 trigger_production_deploy :
128- name : " Trigger production deploy"
129- runs-on : ubuntu-latest
130- environment : production
131- concurrency :
132- group : deploy-to-production
133- cancel-in-progress : true
134129 needs :
135130 - trigger_pre_production_deploy
136- # - check_if_version_upgraded
137- # if: always() && needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true' && (needs.trigger_pre_production_deploy.result == 'success' || needs.trigger_pre_production_deploy.result == 'skipped')
138- env :
139- TO_VERSION : 1.53.3
140- # TO_VERSION: ${{ needs.check_if_version_upgraded.outputs.to_version }}
141- steps :
142- - run : echo "v${{ env.TO_VERSION }} - Triggering production deploy"
143- - name : Set up SSH, update repo and restart docker-compose
144- timeout-minutes : 10
145- run : |
146- set -e
147- mkdir -p ~/.ssh
148- echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
149- chmod 600 ~/.ssh/id_ed25519
150- ssh-keyscan code.gouv.fr >> ~/.ssh/known_hosts
151-
152- echo "Connecting to server and running deployment script..."
153- ssh web@code.gouv.fr "bash -c 'set -e && eval \"\$(ssh-agent -s)\" && ssh-add ~/.ssh/sill-data && ./update-sill-docker-compose.sh v${{ env.TO_VERSION }}'" 2>&1 | tee deploy.log
154-
155- echo "✅ Production deployment completed successfully"
156- env :
157- SSH_PRIVATE_KEY : ${{ secrets.SSH_PRIVATE_KEY }}
131+ - check_if_version_upgraded
132+ if : needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true' && (needs.trigger_pre_production_deploy.result == 'success' || needs.trigger_pre_production_deploy.result == 'skipped')
133+ uses : ./.github/workflows/trigger-deploy.yaml
134+ with :
135+ server_host : code.gouv.fr
136+ server_user : web
137+ deploy_script_path : ./update-sill-docker-compose.sh
138+ server_ssh_key_path : ~/.ssh/sill-data
139+ environment_name : production
140+ version : v${{ needs.check_if_version_upgraded.outputs.to_version }}
141+ github_environment : production
142+ secrets :
143+ SSH_PRIVATE_KEY : ${{ secrets.SSH_PRIVATE_KEY }}
158144
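Review bot: The `if :` on `trigger_production_deploy` can never take its `result == 'skipped'` branch, because a job that `needs` a skipped job is itself skipped unless its condition contains a status-check function; the old commented-out form carried `always()`, and the narrower equivalent here is `if: ${{ !cancelled() && needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true' && (needs.trigger_pre_production_deploy.result == 'success' || needs.trigger_pre_production_deploy.result == 'skipped') }}`. The rewritten deploy jobs also lose the `concurrency` groups the removed inline versions had (`deploy-to-pre-production`, `deploy-to-production`); a job that `uses:` a reusable workflow may still declare `concurrency:` / `group: deploy-to-production` / `cancel-in-progress: true` at job level, and without it two quick pushes can run overlapping deployments against the same host. The new job id `trigger_pre_prodcution_deploy_scaleway` is misspelled, and `trigger_production_deploy` does not list it in `needs`, so production proceeds regardless of the Scaleway pre-production result — if that is intended, a comment on the job saying so would spare the next reader the question. In `check_if_version_upgraded`, a failed or empty response from either `getApiVersion` call leaves the deployed-version variable empty or `null`, which the string comparison reads as "different" and turns into a deploy; `curl -fsS` plus a non-empty check on each result before the comparison would fail the job instead. Finally `node-version : " 22"` shows a leading space on this page where the old line had `"22"`; if that is the file content rather than rendering, it should be `"22"`.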