vets-api/.github/workflows/deploy-template.yml at 4ecf361f59cb0d93aaa768492fb0a2ab380a5419 · department-of-veterans-affairs/vets-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: Release and Update Manifests

on:
  workflow_call:
    inputs:
      ecr_repository:
        required: true
        type: string
      manifests_directory:
        required: true
        type: string
      auto_deploy_envs:
        required: true
        type: string
      commit_sha:  # #${{ github.event.workflow_run.head_commit.id }}
        required: true
        type: string
    secrets:
      aws_access_key_id: #${{ secrets.AWS_ACCESS_KEY_ID }}
        required: true
      aws_secret_access_key: #${{ secrets.AWS_SECRET_ACCESS_KEY }}
        required: true
permissions:
  id-token: write
  contents: read
jobs:
  prepare-values:
    runs-on: ubuntu-latest
    outputs:
      environments: ${{ steps.set-environments.outputs.environments }}
    steps:
      - name: Set to auto deploy environments on push to master
        run: |
          echo "triggered via schedule"
          echo "environments=${{inputs.auto_deploy_envs}}" >> $GITHUB_ENV
      - name: Set output
        id: set-environments
        run: |
          echo "environments=${{ env.environments }}" >> $GITHUB_OUTPUT
  release:
    needs: [prepare-values]
    if: github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
        with:
          role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}
          aws-region: "us-gov-west-1"

      - name: Log into ECR
        id: ecr-login
        uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2

      - name: Get bot token from Parameter Store
        uses: marvinpinto/action-inject-ssm-secrets@40db08dfe313758837e611cac1679e3a89b35531 # latest
        with:
          ssm_parameter: /devops/VA_VSP_BOT_GITHUB_TOKEN
          env_variable_name: VA_VSP_BOT_GITHUB_TOKEN

      - name: Install yq
        run: |
          wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O yq
          chmod +x yq
          sudo mv yq /usr/local/bin/
          yq --version

      - name: Check out Manifest Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          repository: department-of-veterans-affairs/vsp-infra-application-manifests
          token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
          fetch-depth: 1
          path: vsp-infra-application-manifests
          ref: refs/heads/main

      - name: Update vets-api image and version name in Manifest repo
        env:
          ECR_REGISTRY: ${{ steps.ecr-login.outputs.registry }}
          ECR_REPOSITORY: dsva/${{inputs.ecr_repository}}
        run: |
          cd vsp-infra-application-manifests/apps/${{inputs.manifests_directory}}

          for env in dev staging prod sandbox; do
            has_parent=$(yq e 'has("vets-api-parent")' "$env/values.yaml")
            has_vets=$(yq e 'has("vets-api")' "$env/values.yaml")

            if [[ "$has_parent" == "true" ]]; then
              chart_key="vets-api-parent"
            elif [[ "$has_vets" == "true" ]]; then
              chart_key="vets-api"
            else
              echo "Image tag failure. No known chart key found in $env/values.yaml."
              exit 1
            fi

            echo "$env -> $chart_key"
            export chart_key

            yq e -i '(.[env(chart_key)].image.tag) |= "${{ inputs.commit_sha }}"' "$env/values.yaml"
            yq e -i '(.[env(chart_key)].web.envSecrets[] | select(.name=="DD_VERSION").value) |= "${{ inputs.commit_sha }}"' "$env/values.yaml"
            yq e -i '(.[env(chart_key)].web.dbMigrate.envSecrets[] | select(.name=="DD_VERSION").value) |= "${{ inputs.commit_sha }}"' "$env/values.yaml"
            yq e -i '(.[env(chart_key)].worker.envSecrets[] | select(.name=="DD_VERSION").value) |= "${{ inputs.commit_sha }}"' "$env/values.yaml"
            yq e -i '(.[env(chart_key)].web.envSecrets[] | select(.name=="DD_GIT_COMMIT_SHA").value) |= "${{ inputs.commit_sha }}"' "$env/values.yaml"
            yq e -i '(.[env(chart_key)].web.dbMigrate.envSecrets[] | select(.name=="DD_GIT_COMMIT_SHA").value) |= "${{ inputs.commit_sha }}"' "$env/values.yaml"
            yq e -i '(.[env(chart_key)].worker.envSecrets[] | select(.name=="DD_GIT_COMMIT_SHA").value) |= "${{ inputs.commit_sha }}"' "$env/values.yaml"
          done

          git diff

      - name: Add and Commit file
        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
        with:
          new_branch: main
          add: "*"
          cwd: vsp-infra-application-manifests/apps
          author_name: va-vsp-bot
          author_email: 70344339+va-vsp-bot@users.noreply.github.com
          message: "Release ${{ needs.prepare-values.outputs.environments }} for ${{inputs.ecr_repository}} : ${{ inputs.commit_sha }}."