|
| 1 | +name: "Review apps: on PR change" |
| 2 | +on: |
| 3 | + workflow_call: |
| 4 | + inputs: |
| 5 | + aws-account-number: |
| 6 | + type: string |
| 7 | + default: "842676007477" |
| 8 | + aws-region: |
| 9 | + type: string |
| 10 | + default: "eu-west-2" |
| 11 | + app-name: |
| 12 | + type: string |
| 13 | + description: "The name of the application, used for the ECR repository and CodeBuild project. eg. forms-product-page" |
| 14 | + |
| 15 | +jobs: |
| 16 | + update-review-app: |
| 17 | + runs-on: ubuntu-24.04-arm |
| 18 | + permissions: |
| 19 | + id-token: write |
| 20 | + contents: read |
| 21 | + pull-requests: write |
| 22 | + |
| 23 | + steps: |
| 24 | + - name: Configure AWS credentials |
| 25 | + uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 |
| 26 | + with: |
| 27 | + role-to-assume: arn:aws:iam::${{ inputs.aws-account-number }}:role/review-github-actions-${{ inputs.app-name }} |
| 28 | + aws-region: ${{ inputs.aws-region }} |
| 29 | + |
| 30 | + - name: Checkout code |
| 31 | + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 |
| 32 | + |
| 33 | + - name: Generate container image URI |
| 34 | + id: generate_image_uri |
| 35 | + env: |
| 36 | + ECR_REPO: ${{ inputs.aws-account-number }}.dkr.ecr.${{ inputs.aws-region }}.amazonaws.com/${{ inputs.app-name }} |
| 37 | + PR_NUMBER: ${{ github.event.pull_request.number }} |
| 38 | + HEAD_SHA: ${{ github.event.pull_request.head.sha }} |
| 39 | + run: | |
| 40 | + echo "ECR_REPO=${ECR_REPO}" >> "$GITHUB_OUTPUT" |
| 41 | + echo "URI=${ECR_REPO}:pr-${PR_NUMBER}-${HEAD_SHA}-$(date +%s)" >> "$GITHUB_OUTPUT" |
| 42 | +
|
| 43 | + - name: Build container |
| 44 | + run: docker build --tag "${{steps.generate_image_uri.outputs.URI}}" . |
| 45 | + |
| 46 | + - name: Push container |
| 47 | + run: | |
| 48 | + aws ecr get-login-password --region ${{ inputs.aws-region }} \ |
| 49 | + | docker login --username AWS --password-stdin "${{ steps.generate_image_uri.outputs.ECR_REPO }}" |
| 50 | +
|
| 51 | + docker push "${{steps.generate_image_uri.outputs.URI}}" |
| 52 | +
|
| 53 | + - name: Deploy review app via CodeBuild |
| 54 | + id: codebuild |
| 55 | + uses: aws-actions/aws-codebuild-run-build@4d15a47425739ac2296ba5e7eee3bdd4bfbdd767 # v1.0.18 |
| 56 | + with: |
| 57 | + project-name: review-${{ inputs.app-name }}-deploy |
| 58 | + env-vars-for-codebuild: | |
| 59 | + PR_NUMBER, |
| 60 | + CONTAINER_IMAGE |
| 61 | + env: |
| 62 | + PR_NUMBER: ${{ github.event.pull_request.number }} |
| 63 | + CONTAINER_IMAGE: ${{ steps.generate_image_uri.outputs.URI }} |
| 64 | + |
| 65 | + - name: Fetch terraform outputs |
| 66 | + id: outputs |
| 67 | + env: |
| 68 | + BUILD_ID: ${{ steps.codebuild.outputs.aws-build-id }} |
| 69 | + run: | |
| 70 | + # Extract build UUID from ARN (format: arn:aws:codebuild:region:account:build/project:uuid) |
| 71 | + # shellcheck disable=SC2153 # BUILD_ID is set in env, but shellcheck doesn't recognize it |
| 72 | + BUILD_UUID="${BUILD_ID##*:}" |
| 73 | +
|
| 74 | + # Download artifact |
| 75 | + aws s3 cp "s3://forms-review-codebuild-artifacts/${BUILD_UUID}/review-${{ inputs.app-name }}-deploy/outputs.json" outputs.json |
| 76 | +
|
| 77 | + # Parse outputs |
| 78 | + { |
| 79 | + echo "REVIEW_APP_URL=$(jq -r '.review_app_url.value' outputs.json)" |
| 80 | + echo "ECS_CLUSTER_ID=$(jq -r '.review_app_ecs_cluster_id.value' outputs.json)" |
| 81 | + echo "ECS_SERVICE_NAME=$(jq -r '.review_app_ecs_service_name.value' outputs.json)" |
| 82 | + } >> "$GITHUB_OUTPUT" |
| 83 | +
|
| 84 | + # Clean up artifact |
| 85 | + aws s3 rm "s3://forms-review-codebuild-artifacts/${BUILD_UUID}/review-${{ inputs.app-name }}-deploy/outputs.json" |
| 86 | +
|
| 87 | + - name: Wait for AWS ECS deployments to finish |
| 88 | + run: | |
| 89 | + aws ecs wait services-stable \ |
| 90 | + --cluster "${{ steps.outputs.outputs.ECS_CLUSTER_ID }}" \ |
| 91 | + --services "${{ steps.outputs.outputs.ECS_SERVICE_NAME }}" |
| 92 | +
|
| 93 | + - name: Comment on PR |
| 94 | + env: |
| 95 | + COMMENT_MARKER: <!-- review apps on pr change --> |
| 96 | + GH_TOKEN: ${{ github.token }} |
| 97 | + run: | |
| 98 | + cat <<EOF > "${{runner.temp}}/pr-comment.md" |
| 99 | + :tada: A review copy of this PR has been deployed! You can reach it at: ${{steps.outputs.outputs.REVIEW_APP_URL}} |
| 100 | +
|
| 101 | + It may take 5 minutes or so for the application to be fully deployed and working. If it still isn't ready |
| 102 | + after 5 minutes, there may be something wrong with the ECS task. You will need to go to the integration AWS account |
| 103 | + to debug, or otherwise ask an infrastructure person. |
| 104 | +
|
| 105 | + For the sign in details and more information, [see the review apps wiki page](https://github.com/alphagov/forms-team/wiki/Review-apps). |
| 106 | +
|
| 107 | + $COMMENT_MARKER |
| 108 | + EOF |
| 109 | +
|
| 110 | + old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${{github.event.pull_request.number}}/comments" --jq "map(select((.user.login == \"github-actions[bot]\") and (.body | endswith(\$ENV.COMMENT_MARKER + \"\n\")))) | .[].id") |
| 111 | + for comment_id in $old_comment_ids; do |
| 112 | + gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}" |
| 113 | + done |
| 114 | +
|
| 115 | + gh pr comment "${{github.event.pull_request.html_url}}" --body-file "${{runner.temp}}/pr-comment.md" |
0 commit comments