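# Reusable workflow (workflow_call): build the PR's container image, push it to
# ECR, deploy it as a review app through CodeBuild, wait for the ECS service to
# become stable, then post (and de-duplicate) a PR comment with the review app URL.
#
# Every value that reaches a shell `run:` step is passed through `env:` and read
# as "$VAR" in the script, rather than interpolated with `${{ }}` inside the
# script text. Template interpolation happens before the shell parses the
# script, so any `${{ }}` value containing shell syntax would be executed;
# an environment variable is only ever data.
#
# Assumes the calling workflow is triggered by a pull_request-type event:
# github.event.pull_request.* is read below. TODO confirm at the call sites.
name: "Review apps: on PR change"
on:
  workflow_call:
    inputs:
      # AWS account that owns the ECR repository and the review-apps IAM role.
      aws-account-number:
        type: string
        default: "842676007477"
      aws-region:
        type: string
        default: "eu-west-2"
      # No default: callers must supply this. It is used in the IAM role name,
      # the ECR repository name, the CodeBuild project name and the S3
      # artifact key below.
      app-name:
        type: string
        description: "The name of the application, used for the ECR repository and CodeBuild project. eg. forms-product-page"
jobs:
  update-review-app:
    runs-on: ubuntu-24.04-arm
    # Least privilege for this job only; nothing here needs write access to
    # repository contents.
    permissions:
      id-token: write       # OIDC token for configure-aws-credentials (role-to-assume)
      contents: read        # actions/checkout
      pull-requests: write  # gh api / gh pr comment on the PR
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
        with:
          role-to-assume: arn:aws:iam::${{ inputs.aws-account-number }}:role/review-github-actions-${{ inputs.app-name }}
          aws-region: ${{ inputs.aws-region }}
      - name: Log in to Amazon ECR
        uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # Outputs: ECR_REPO, BASE_URI (repo:pr-<number>) and URI (BASE_URI plus the
      # PR head SHA and a unix timestamp, so each run pushes a distinct tag).
      - name: Generate container image URI
        id: generate_image_uri
        env:
          ECR_REPO: ${{ inputs.aws-account-number }}.dkr.ecr.${{ inputs.aws-region }}.amazonaws.com/${{ inputs.app-name }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          echo "ECR_REPO=${ECR_REPO}" >> "$GITHUB_OUTPUT"
          BASE_URI="${ECR_REPO}:pr-${PR_NUMBER}"
          echo "BASE_URI=${BASE_URI}" >> "$GITHUB_OUTPUT"
          echo "URI=${BASE_URI}-${HEAD_SHA}-$(date +%s)" >> "$GITHUB_OUTPUT"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      # Pushes straight to ECR using the login from the earlier step.
      - name: Build
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          push: true
          tags: ${{ steps.generate_image_uri.outputs.URI }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # The CodeBuild project receives the PR number and the freshly pushed
      # image URI; its build id is used below to locate the terraform outputs.
      - name: Deploy review app via CodeBuild
        id: codebuild
        uses: aws-actions/aws-codebuild-run-build@4d15a47425739ac2296ba5e7eee3bdd4bfbdd767 # v1.0.18
        with:
          project-name: review-${{ inputs.app-name }}-deploy
          env-vars-for-codebuild: |
            PR_NUMBER,
            CONTAINER_IMAGE
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          CONTAINER_IMAGE: ${{ steps.generate_image_uri.outputs.URI }}
      # Outputs: REVIEW_APP_URL, ECS_CLUSTER_ID, ECS_SERVICE_NAME, read from the
      # outputs.json artifact the CodeBuild run wrote to S3.
      - name: Fetch terraform outputs
        id: outputs
        env:
          BUILD_ID: ${{ steps.codebuild.outputs.aws-build-id }}
          APP_NAME: ${{ inputs.app-name }}
        run: |
          # Extract build UUID from ARN (format: arn:aws:codebuild:region:account:build/project:uuid)
          # shellcheck disable=SC2153 # BUILD_ID is set in env, but shellcheck doesn't recognize it
          BUILD_UUID="${BUILD_ID##*:}"
          OUTPUTS_S3_URI="s3://forms-review-codebuild-artifacts/${BUILD_UUID}/review-${APP_NAME}-deploy/outputs.json"
          # Download artifact
          aws s3 cp "${OUTPUTS_S3_URI}" outputs.json
          # Parse outputs
          {
            echo "REVIEW_APP_URL=$(jq -r '.review_app_url.value' outputs.json)"
            echo "ECS_CLUSTER_ID=$(jq -r '.review_app_ecs_cluster_id.value' outputs.json)"
            echo "ECS_SERVICE_NAME=$(jq -r '.review_app_ecs_service_name.value' outputs.json)"
          } >> "$GITHUB_OUTPUT"
          # Clean up artifact
          aws s3 rm "${OUTPUTS_S3_URI}"
      # Cluster/service names come from the artifact above, i.e. from outside this
      # workflow, so they are handed to the shell as env vars, not interpolated.
      - name: Wait for AWS ECS deployments to finish
        env:
          ECS_CLUSTER_ID: ${{ steps.outputs.outputs.ECS_CLUSTER_ID }}
          ECS_SERVICE_NAME: ${{ steps.outputs.outputs.ECS_SERVICE_NAME }}
        run: |
          aws ecs wait services-stable \
            --cluster "${ECS_CLUSTER_ID}" \
            --services "${ECS_SERVICE_NAME}"
      # Removes earlier comments from this workflow (identified by the marker at
      # the end of the body and the github-actions[bot] author) before posting
      # the new one, so the PR only ever carries the latest URL.
      - name: Comment on PR
        env:
          COMMENT_MARKER: '<!-- review apps on pr change -->'
          GH_TOKEN: ${{ github.token }}
          REVIEW_APP_URL: ${{ steps.outputs.outputs.REVIEW_APP_URL }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # Unquoted heredoc on purpose: $REVIEW_APP_URL and $COMMENT_MARKER must expand.
          cat <<EOF > "${RUNNER_TEMP}/pr-comment.md"
          :tada: A review copy of this PR has been deployed! You can reach it at: ${REVIEW_APP_URL}
          It may take 5 minutes or so for the application to be fully deployed and working. If it still isn't ready
          after 5 minutes, there may be something wrong with the ECS task. You will need to go to the integration AWS account
          to debug, or otherwise ask an infrastructure person.
          For the sign in details and more information, [see the review apps wiki page](https://github.com/alphagov/forms-team/wiki/Review-apps).
          $COMMENT_MARKER
          EOF
          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${PR_NUMBER}/comments" --jq "map(select((.user.login == \"github-actions[bot]\") and (.body | endswith(\$ENV.COMMENT_MARKER + \"\n\")))) | .[].id")
          for comment_id in $old_comment_ids; do
            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
          done
          gh pr comment "${PR_URL}" --body-file "${RUNNER_TEMP}/pr-comment.md"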