Add workflows for PSN terraform validate/release and functions deploy (#592)

mamu0 · web-flow · commit 067002c96afd · 2025-12-15T15:48:39.000+01:00
This pull request introduces two new GitHub Actions workflows to automate the planning and release processes for PSN infrastructure changes in the production environment. The workflows detect changes in specific infrastructure directories and trigger appropriate plan or release jobs, supporting both manual and automatic triggers. Add also a workflow for all functions deploy. Resolves: CES-1487
diff --git a/.github/workflows/release_psn_infra.yaml b/.github/workflows/release_psn_infra.yaml
@@ -0,0 +1,69 @@
+name: PR PSN Infrastructure Release - Prod
+
+on:
+  workflow_dispatch:
+  # TBD: Uncomment after permissions are set on identity
+  # push:
+  #   branches:
+  #     - master
+  #   paths:
+  #     - "infra/core/psn/hub/prod/**"
+  #     - "infra/core/psn/spoke/prod/**"
+  #     - "infra/resources/psn/prod/**"
+
+permissions:
+  contents: read
+  pull-requests: write
+  id-token: write
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      changes: ${{ steps.changes.outputs.changes || steps.all.outputs.changes }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        if: github.event_name != 'workflow_dispatch'
+
+      - name: Found changed PSN Infra modules
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 #v3.0.2
+        if: github.event_name != 'workflow_dispatch'
+        id: changes
+        with:
+          filters: |
+            core/psn/hub:
+              - 'infra/core/psn/hub/prod/**'
+            core/psn/spoke:
+              - 'infra/core/psn/spoke/prod/**'
+            resources/psn:
+              - 'infra/resources/psn/prod/**'
+
+      - name: All PSN Infra modules (for manual trigger)
+        if: github.event_name == 'workflow_dispatch'
+        id: all
+        run: |
+          echo 'changes=["core/psn/hub", "core/psn/spoke", "resources/psn"]' >> $GITHUB_OUTPUT
+
+  release_prod:
+    needs: changes
+    uses: pagopa/dx/.github/workflows/infra_apply.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    name: Infrastructure Release
+    secrets: inherit
+
+    strategy:
+      fail-fast: false
+      matrix:
+        infra: ${{ fromJSON( needs.changes.outputs.changes ) }}
+
+    with:
+      environment: prod
+      base_path: infra/${{ matrix.infra }}
+      use_private_agent: true
+      override_github_environment: infra-prod
+      use_labels: true
+      override_labels: psn
diff --git a/.github/workflows/support_function_deploy_psn.yaml b/.github/workflows/support_function_deploy_psn.yaml
@@ -0,0 +1,28 @@
+name: Deploy Function App PSN (support-func)
+
+on:
+  workflow_dispatch: {}
+  push:
+    branches:
+      - master
+    paths:
+      - "apps/io-wallet-support-func/CHANGELOG.md"
+
+permissions:
+  attestations: write
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    name: Deploy
+    uses: pagopa/dx/.github/workflows/release-azure-appsvc-v1.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    secrets: inherit
+    with:
+      workspace_name: io-wallet-support-func
+      environment: app-prod
+      resource_group_name: iw-p-itn-wallet-rg-01
+      web_app_name: iw-p-itn-support-func-01
+      disable_auto_staging_deploy: true
+      use_labels: true
+      override_labels: psn
diff --git a/.github/workflows/user_function_deploy_psn.yaml b/.github/workflows/user_function_deploy_psn.yaml
@@ -0,0 +1,28 @@
+name: Deploy Function App PSN (user-func)
+
+on:
+  workflow_dispatch: {}
+  push:
+    branches:
+      - master
+    paths:
+      - "apps/io-wallet-user-func/CHANGELOG.md"
+
+permissions:
+  attestations: write
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    name: Deploy
+    uses: pagopa/dx/.github/workflows/release-azure-appsvc-v1.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    secrets: inherit
+    with:
+      workspace_name: io-wallet-user-func
+      environment: app-prod
+      resource_group_name: iw-p-itn-wallet-rg-01
+      web_app_name: iw-p-itn-user-func-01
+      disable_auto_staging_deploy: true
+      use_labels: true
+      override_labels: psn
diff --git a/.github/workflows/user_uat_function_deploy_psn.yaml b/.github/workflows/user_uat_function_deploy_psn.yaml
@@ -0,0 +1,28 @@
+name: Deploy Function App PSN (user-uat-func)
+
+on:
+  workflow_dispatch: {}
+  push:
+    branches:
+      - master
+    paths:
+      - "apps/io-wallet-user-func/CHANGELOG.md"
+
+permissions:
+  attestations: write
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    name: Deploy
+    uses: pagopa/dx/.github/workflows/release-azure-appsvc-v1.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    secrets: inherit
+    with:
+      workspace_name: io-wallet-user-func
+      environment: app-prod
+      resource_group_name: iw-p-itn-wallet-rg-01
+      web_app_name: iw-u-itn-user-func-01
+      disable_auto_staging_deploy: true
+      use_labels: true
+      override_labels: psn
diff --git a/.github/workflows/validate_psn_infra.yaml b/.github/workflows/validate_psn_infra.yaml
@@ -0,0 +1,71 @@
+name: PR PSN Infrastructure Plan - Prod
+
+on:
+  workflow_dispatch:
+  # TBD: Uncomment after permissions are set on identity
+  # pull_request:
+  #   types:
+  #     - opened
+  #     - edited
+  #     - synchronize
+  #     - reopened
+  #     - ready_for_review
+  #   paths:
+  #     - "infra/core/psn/hub/prod/**"
+  #     - "infra/core/psn/spoke/prod/**"
+  #     - "infra/resources/psn/prod/**"
+  #     - ".github/workflows/pr_psn_infra.yaml"
+
+permissions:
+  contents: read
+  pull-requests: write
+  id-token: write
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      changes: ${{ steps.changes.outputs.changes || steps.all.outputs.changes }}
+    steps:
+      - name: Found changed PSN Infra modules
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 #v3.0.2
+        if: github.event_name != 'workflow_dispatch'
+        id: changes
+        with:
+          filters: |
+            core/psn/hub:
+              - 'infra/core/psn/hub/prod/**'
+            core/psn/spoke:
+              - 'infra/core/psn/spoke/prod/**'
+            resources/psn:
+              - 'infra/resources/psn/prod/**'
+
+      - name: All PSN Infra modules (for manual trigger)
+        if: github.event_name == 'workflow_dispatch'
+        id: all
+        run: |
+          echo 'changes=["core/psn/hub", "core/psn/spoke", "resources/psn"]' >> $GITHUB_OUTPUT # removed for tests
+
+  plan_prod:
+    needs: changes
+    uses: pagopa/dx/.github/workflows/infra_plan.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    name: Infrastructure Plan
+    secrets: inherit
+
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        infra: ${{ fromJSON( needs.changes.outputs.changes ) }}
+
+    with:
+      environment: prod
+      base_path: infra/${{ matrix.infra }}
+      use_private_agent: true
+      override_github_environment: infra-prod
+      use_labels: true
+      override_labels: psn
