From 1455ec7876af2e022208a94ba508b45b1321e11f Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 10:42:35 -0800 Subject: [PATCH 01/15] First pass at tagging workflow. --- .github/workflows/production-tag.yml | 129 +++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 .github/workflows/production-tag.yml diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml new file mode 100644 index 000000000..a591f85b6 --- /dev/null +++ b/.github/workflows/production-tag.yml 
@@ -0,0 +1,129 @@ +name: Daily Production Release + +on: + workflow_dispatch: + # schedule: + # - cron: 0 20 * * 1-5 + +concurrency: + group: production-tag + cancel-in-progress: true + +env: + SLACK_CHANNEL: C06DSBT7CBW #status-content-build + DSVA_SCHEDULE_ENABLED: true + +jobs: + create-release: + name: Create Release + runs-on: ubuntu-latest + outputs: + RELEASE_NAME: ${{ steps.export-release-name.outputs.RELEASE_NAME }} + + steps: + - name: Cancel workflow due to DSVA schedule + if: ${{ github.event_name == 'schedule' && env.DSVA_SCHEDULE_ENABLED != 'true' }} + uses: andymckay/cancel-action@b9280e3f8986d7a8e91c7462efc0fa318010c8b1 # v0.3 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-gov-west-1 + + - name: Get bot token from Parameter Store + uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest + with: + ssm_parameter: /devops/VA_VSP_BOT_GITHUB_TOKEN + env_variable_name: VA_VSP_BOT_GITHUB_TOKEN + + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version-file: .nvmrc + + - name: Install Npm Dependencies + run: | + yarn set version 3.6.1 + HUSKY=0 yarn install --immutable + + - name: Get current ref + id: get-current-ref + run: echo REF=$(git rev-parse HEAD) >> $GITHUB_OUTPUT + + # - name: Validate build status + # run: node ./script/github-actions/validate-build-status.js ${{ steps.get-current-ref.outputs.REF }} + # env: + # GITHUB_TOKEN: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }} + + - name: Get latest tag + id: get-latest-tag + run: echo LATEST_TAG_VERSION=$(git fetch --all --tags > /dev/null && git tag -l | sort -V --reverse | head -n 1) >> $GITHUB_OUTPUT + + - name: Get next tag version + run: | + current_patch=$(echo ${{ 
steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | cut -d'.' -f3) + echo "new_patch=$(echo $(( $current_patch + 1 )))" >> $GITHUB_ENV + + - name: Create next tag + uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3 + with: + timeout_seconds: 30 + max_attempts: 3 + command: git tag v0.0.${{ env.new_patch }} ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin v0.0.${{ env.new_patch }} + new_command_on_retry: | + next_patch=$(echo $(( ${{ env.new_patch }} + 1 ))) + echo "new_patch=$next_patch" >> $GITHUB_ENV + git tag v0.0.$next_patch ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin v0.0.$next_patch + + - name: Create release + uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0 + with: + tag: v0.0.${{ env.new_patch }} + name: content-build/v0.0.${{ env.new_patch }} + token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }} + commit: ${{ steps.get-current-ref.outputs.REF }} + + - name: Export new release name + id: export-release-name + run: | + echo RELEASE_NAME=v0.0.${{ env.new_patch }} >> $GITHUB_OUTPUT + + notify-success: + name: Notify Success + runs-on: ubuntu-latest + needs: create-release + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Notify Slack + uses: department-of-veterans-affairs/platform-release-tools-actions/slack-notify@8c496a4b0c9158d18edcd9be8722ed0f79e8c5b4 # main + continue-on-error: true + with: + payload: '{"attachments": [{"color": "#07711E","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "Successfully tagged new content-build release: ${{ needs.create-release.outputs.RELEASE_NAME }}"}}]}]}' + channel_id: ${{ env.SLACK_CHANNEL }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + notify-failure: + name: Notify Failure + runs-on: ubuntu-latest + if: ${{ failure() || cancelled() }} + needs: create-release + + 
steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Notify Slack + if: ${{ env.DSVA_SCHEDULE_ENABLED == 'true' }} + uses: department-of-veterans-affairs/platform-release-tools-actions/slack-notify@8c496a4b0c9158d18edcd9be8722ed0f79e8c5b4 # main + continue-on-error: true + with: + payload: '{"attachments": [{"color": "#D33834","blocks": [{"type": "section","text": {"type": "mrkdwn","text": " New content-build release could not be tagged!: "}}]}]}' + channel_id: ${{ env.SLACK_CHANNEL }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From 420e252a7fb8a06f6e21c527913a0395dcbf8c7f Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 10:44:36 -0800 Subject: [PATCH 02/15] Add pull_request trigger temporarily so that GHA sees the action. --- .github/workflows/production-tag.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index a591f85b6..d4ff6ac59 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -4,6 +4,8 @@ on: workflow_dispatch: # schedule: # - cron: 0 20 * * 1-5 + # added temporarily to allow GHA to see the action + pull_request: concurrency: group: production-tag From ad8dee5d5799a73938c794c224fd18db9c44f40d Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 10:59:36 -0800 Subject: [PATCH 03/15] Rename; add push event. --- .github/workflows/production-tag.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index d4ff6ac59..d45bc59d3 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -1,4 +1,4 @@ -name: Daily Production Release +name: Create Production Tag on: workflow_dispatch: 
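Review bot: `actions/checkout@v4` and `actions/setup-node@v4` in the `create-release` steps are pinned to a floating tag while every other action in this file is pinned to a commit SHA with a version comment, so the supply-chain posture of the job is only as strong as its weakest pin. The notify jobs already use `- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`; reuse that line here and pin setup-node the same way, `- uses: actions/setup-node@<commit-sha> # v4` (SHA to be looked up). Separately, `DSVA_SCHEDULE_ENABLED: true` is a YAML boolean that the cancel step then compares as the string `'true'`; it works only because env values are stringified, so `DSVA_SCHEDULE_ENABLED: "true"` says what is meant.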
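Review bot: Adding `pull_request:` under `on:` runs the whole tagging job for every pull request in this repository, and nothing in the job gates the `Create next tag` or `Create release` steps on the event, so a PR would fetch the AWS credentials and bot token and push a release tag at the PR's checked-out merge ref. The next patch adds `push:` as well, which does the same for every branch push. If the trigger is only there so GHA registers the workflow, gate the tag and release steps while it exists, `if: ${{ github.event_name != 'pull_request' }}`, and track its removal before merge (it is removed in patch 07 but restored in patch 08).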
@@ -6,6 +6,7 @@ on: # - cron: 0 20 * * 1-5 # added temporarily to allow GHA to see the action pull_request: + push: concurrency: group: production-tag From 202ce816d693cc2b40cc8119db25f27f3a3a019e Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 12:46:17 -0800 Subject: [PATCH 04/15] Rework tag parse and write to account for subsequent major/minor versions. --- .github/workflows/production-tag.yml | 53 ++++++++++++++-------------- 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index d45bc59d3..401ca76d0 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -13,7 +13,7 @@ concurrency: cancel-in-progress: true env: - SLACK_CHANNEL: C06DSBT7CBW #status-content-build + SLACK_CHANNEL: C06DSBT7CBW #status-next-build DSVA_SCHEDULE_ENABLED: true jobs: @@ -24,8 +24,8 @@ jobs: RELEASE_NAME: ${{ steps.export-release-name.outputs.RELEASE_NAME }} steps: - - name: Cancel workflow due to DSVA schedule - if: ${{ github.event_name == 'schedule' && env.DSVA_SCHEDULE_ENABLED != 'true' }} + - name: Cancel workflow due to DSVA schedule, unless this is a manual build + if: ${{ github.event_name != 'workflow_dispatch' && env.DSVA_SCHEDULE_ENABLED != 'true' }} uses: andymckay/cancel-action@b9280e3f8986d7a8e91c7462efc0fa318010c8b1 # v0.3 - name: Configure AWS Credentials 
@@ -66,32 +66,31 @@ jobs: - name: Get next tag version run: | - current_patch=$(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | cut -d'.' -f3) - echo "new_patch=$(echo $(( $current_patch + 1 )))" >> $GITHUB_ENV - - - name: Create next tag - uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3 - with: - timeout_seconds: 30 - max_attempts: 3 - command: git tag v0.0.${{ env.new_patch }} ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin v0.0.${{ env.new_patch }} - new_command_on_retry: | - next_patch=$(echo $(( ${{ env.new_patch }} + 1 ))) - echo "new_patch=$next_patch" >> $GITHUB_ENV - git tag v0.0.$next_patch ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin v0.0.$next_patch - - - name: Create release - uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0 - with: - tag: v0.0.${{ env.new_patch }} - name: content-build/v0.0.${{ env.new_patch }} - token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }} - commit: ${{ steps.get-current-ref.outputs.REF }} + current_increment=$(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | cut -d'.' 
-f3) + # echo "NEW_TAG=$(echo $(( $current_increment + 1 )))" >> $GITHUB_ENV + echo "NEW_TAG=$(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | sed -E 's/\.[0-9]+/.$(echo $(( $current_increment + 1 )))/2'" >> $GITHUB_ENV + + # - name: Create next tag + # uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3 + # with: + # timeout_seconds: 30 + # max_attempts: 3 + # command: git tag ${{ env.NEW_TAG }} ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin ${{ env.NEW_TAG }} + # new_command_on_retry: git tag ${{ env.NEW_TAG }} ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin ${{ env.NEW_TAG }} + + + # - name: Create release + # uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0 + # with: + # tag: ${{ env.NEW_TAG }} + # name: next-build/${{ env.new_NEW_TAG }} + # token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }} + # commit: ${{ steps.get-current-ref.outputs.REF }} - name: Export new release name id: export-release-name run: | - echo RELEASE_NAME=v0.0.${{ env.new_patch }} >> $GITHUB_OUTPUT + echo RELEASE_NAME=${{ env.new_NEW_TAG }} >> $GITHUB_OUTPUT notify-success: name: Notify Success @@ -106,7 +105,7 @@ jobs: uses: department-of-veterans-affairs/platform-release-tools-actions/slack-notify@8c496a4b0c9158d18edcd9be8722ed0f79e8c5b4 # main continue-on-error: true with: - payload: '{"attachments": [{"color": "#07711E","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "Successfully tagged new content-build release: ${{ needs.create-release.outputs.RELEASE_NAME }}"}}]}]}' + payload: '{"attachments": [{"color": "#07711E","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "Successfully tagged new next-build release: ${{ needs.create-release.outputs.RELEASE_NAME }}"}}]}]}' channel_id: ${{ env.SLACK_CHANNEL }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 
@@ -126,7 +125,7 @@ jobs: uses: department-of-veterans-affairs/platform-release-tools-actions/slack-notify@8c496a4b0c9158d18edcd9be8722ed0f79e8c5b4 # main continue-on-error: true with: - payload: '{"attachments": [{"color": "#D33834","blocks": [{"type": "section","text": {"type": "mrkdwn","text": " New content-build release could not be tagged!: "}}]}]}' + payload: '{"attachments": [{"color": "#D33834","blocks": [{"type": "section","text": {"type": "mrkdwn","text": " New next-build release could not be tagged!: "}}]}]}' channel_id: ${{ env.SLACK_CHANNEL }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From 4c23c5d9e663912452915376ef6fb35401332ebb Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 13:00:13 -0800 Subject: [PATCH 05/15] Reworked next tag calculation and output. --- .github/workflows/production-tag.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index 401ca76d0..c3fd7877a 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -66,9 +66,8 @@ jobs: - name: Get next tag version run: | - current_increment=$(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | cut -d'.' -f3) - # echo "NEW_TAG=$(echo $(( $current_increment + 1 )))" >> $GITHUB_ENV - echo "NEW_TAG=$(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | sed -E 's/\.[0-9]+/.$(echo $(( $current_increment + 1 )))/2'" >> $GITHUB_ENV + next_increment=$(( $(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | cut -d'.' -f3) + 1)) + echo "NEW_TAG=$(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | sed -E "s/\.[0-9]+/.$next_increment/2")" >> $GITHUB_OUTPUT # - name: Create next tag # uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3 
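Review bot: The new `Get next tag version` body interpolates `${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }}` directly into the shell script twice, so the tag name becomes part of the command text before bash runs; GitHub's hardening guidance is to pass expression values through `env:` so they reach the script as data, and the value here is whatever `git tag -l | sort -V | head -n 1` returned (that step is outside this hunk). The same inline pattern appears in the earlier `Get next tag version` hunk of patch 04. The script also has no handling for a repository with no tags: an empty `LATEST_TAG_VERSION` gives `next_increment=1` and an empty `NEW_TAG`, which later becomes `git tag ""`. Moving the value to `env:` and failing fast on an empty tag covers both.
```yaml
      - name: Get next tag version
        env:
          LATEST_TAG: ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }}
        run: |
          [ -n "$LATEST_TAG" ] || { echo "no existing tag found" >&2; exit 1; }
          next_increment=$(( $(echo "$LATEST_TAG" | cut -d'.' -f3) + 1 ))
          echo "NEW_TAG=$(echo "$LATEST_TAG" | sed -E "s/\.[0-9]+/.$next_increment/2")" >> $GITHUB_ENV
```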
@@ -125,7 +124,7 @@ jobs: uses: department-of-veterans-affairs/platform-release-tools-actions/slack-notify@8c496a4b0c9158d18edcd9be8722ed0f79e8c5b4 # main continue-on-error: true with: - payload: '{"attachments": [{"color": "#D33834","blocks": [{"type": "section","text": {"type": "mrkdwn","text": " New next-build release could not be tagged!: "}}]}]}' + payload: '{"attachments": [{"color": "#D33834","blocks": [{"type": "section","text": {"type": "mrkdwn","text": ">!here< New next-build release could not be tagged!: "}}]}]}' channel_id: ${{ env.SLACK_CHANNEL }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From df3af98c257026953a8802722f638dd25535eb44 Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 13:14:56 -0800 Subject: [PATCH 06/15] Fixes to tag output assignment and reference. --- .github/workflows/production-tag.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index c3fd7877a..9d01ca09e 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -6,7 +6,6 @@ on: # - cron: 0 20 * * 1-5 # added temporarily to allow GHA to see the action pull_request: - push: concurrency: group: production-tag @@ -67,7 +66,7 @@ jobs: - name: Get next tag version run: | next_increment=$(( $(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | cut -d'.' -f3) + 1)) - echo "NEW_TAG=$(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | sed -E "s/\.[0-9]+/.$next_increment/2")" >> $GITHUB_OUTPUT + echo "NEW_TAG=$(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | sed -E "s/\.[0-9]+/.$next_increment/2")" >> $GITHUB_ENV # - name: Create next tag # uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3 
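Review bot: `>!here<` in the failure payload is not Slack's mention syntax, so the message will show the literal characters rather than notify the channel; Slack mrkdwn expects `<!here>`. Change the text fragment to `"text": "<!here> New next-build release could not be tagged!: "` — the angle brackets are safe inside the single-quoted YAML string and the JSON it carries.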
@@ -89,7 +88,7 @@ jobs: - name: Export new release name id: export-release-name run: | - echo RELEASE_NAME=${{ env.new_NEW_TAG }} >> $GITHUB_OUTPUT + echo RELEASE_NAME=${{ env.NEW_TAG }} >> $GITHUB_OUTPUT notify-success: name: Notify Success From ec161f9e05d4bd6af667561f33b8d6c50e028462 Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 14:18:22 -0800 Subject: [PATCH 07/15] Add workflow trigger from CI. --- .github/workflows/production-tag.yml | 50 +++++++++++++--------------- 1 file changed, 23 insertions(+), 27 deletions(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index 9d01ca09e..2b0a76e9e 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -2,10 +2,10 @@ name: Create Production Tag on: workflow_dispatch: - # schedule: - # - cron: 0 20 * * 1-5 - # added temporarily to allow GHA to see the action - pull_request: + workflow_run: + workflows: ['Continuous Integration'] + types: [completed] + branches: [main] concurrency: group: production-tag @@ -16,9 +16,10 @@ env: DSVA_SCHEDULE_ENABLED: true jobs: - create-release: - name: Create Release + create-production-tag: + name: Create Production Tag runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} outputs: RELEASE_NAME: ${{ steps.export-release-name.outputs.RELEASE_NAME }} @@ -54,11 +55,6 @@ jobs: id: get-current-ref run: echo REF=$(git rev-parse HEAD) >> $GITHUB_OUTPUT - # - name: Validate build status - # run: node ./script/github-actions/validate-build-status.js ${{ steps.get-current-ref.outputs.REF }} - # env: - # GITHUB_TOKEN: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }} - - name: Get latest tag id: get-latest-tag run: echo LATEST_TAG_VERSION=$(git fetch --all --tags > /dev/null && git tag -l | sort -V --reverse | head -n 1) >> $GITHUB_OUTPUT 
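Review bot: With the new `workflow_run` trigger the job runs in the context of the default branch, and the `actions/checkout` step (outside this hunk, no `ref:`) checks out whatever `main` points at when this job starts, not the commit the `Continuous Integration` run actually validated; `Get current ref` then tags that HEAD. If another commit lands between CI completing and this checkout, the production tag marks a commit CI never ran on. Pin the checkout to the validated commit, `with:` / `ref: ${{ github.event.workflow_run.head_sha || github.sha }}`, so manual `workflow_dispatch` runs keep their current behaviour.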
@@ -68,22 +64,22 @@ jobs: next_increment=$(( $(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | cut -d'.' -f3) + 1)) echo "NEW_TAG=$(echo ${{ steps.get-latest-tag.outputs.LATEST_TAG_VERSION }} | sed -E "s/\.[0-9]+/.$next_increment/2")" >> $GITHUB_ENV - # - name: Create next tag - # uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3 - # with: - # timeout_seconds: 30 - # max_attempts: 3 - # command: git tag ${{ env.NEW_TAG }} ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin ${{ env.NEW_TAG }} - # new_command_on_retry: git tag ${{ env.NEW_TAG }} ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin ${{ env.NEW_TAG }} + - name: Create next tag + uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3 + with: + timeout_seconds: 30 + max_attempts: 3 + command: git tag ${{ env.NEW_TAG }} ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin ${{ env.NEW_TAG }} + new_command_on_retry: git tag ${{ env.NEW_TAG }} ${{ steps.get-current-ref.outputs.REF }} && git push --no-verify origin ${{ env.NEW_TAG }} - # - name: Create release - # uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0 - # with: - # tag: ${{ env.NEW_TAG }} - # name: next-build/${{ env.new_NEW_TAG }} - # token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }} - # commit: ${{ steps.get-current-ref.outputs.REF }} + - name: Create release + uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0 + with: + tag: ${{ env.NEW_TAG }} + name: next-build/${{ env.new_NEW_TAG }} + token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }} + commit: ${{ steps.get-current-ref.outputs.REF }} - name: Export new release name id: export-release-name @@ -93,7 +89,7 @@ jobs: notify-success: name: Notify Success runs-on: ubuntu-latest - needs: create-release + needs: create-production-tag steps: - name: Checkout 
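Review bot: `name: next-build/${{ env.new_NEW_TAG }}` in the now-live `Create release` step references a variable nothing sets (the previous step writes `NEW_TAG`), so the release is created with the name `next-build/`; it should read `name: next-build/${{ env.NEW_TAG }}`. In the `Create next tag` step `new_command_on_retry` is identical to `command`: once a first attempt has created the local tag and only the push failed, every retry fails at `git tag` with an already-exists error and the push is never re-attempted, so the retry should be push-only, `new_command_on_retry: git push --no-verify origin ${{ env.NEW_TAG }}`. If the expected failure is instead a remote collision, the per-retry increment that patch 01 had is the shape that recovers from it.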
@@ -112,7 +108,7 @@ jobs: name: Notify Failure runs-on: ubuntu-latest if: ${{ failure() || cancelled() }} - needs: create-release + needs: create-production-tag steps: - name: Checkout From 083d115faf709736ab73982f6a42837a671d429c Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 14:21:15 -0800 Subject: [PATCH 08/15] Adding PR trigger back for testing. --- .github/workflows/production-tag.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index 2b0a76e9e..f87808847 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -2,6 +2,7 @@ name: Create Production Tag on: workflow_dispatch: + pull_request: workflow_run: workflows: ['Continuous Integration'] types: [completed] From 7f0d67d4b7dcd347b2ada061b6c6162a6d72003b Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 14:25:55 -0800 Subject: [PATCH 09/15] Fix workflow run condition. --- .github/workflows/production-tag.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index f87808847..8d36e05ba 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -20,7 +20,8 @@ jobs: create-production-tag: name: Create Production Tag runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} + # Run the workflow unless it was triggered by CI and that failed + if: ${{ !(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'failure') }} outputs: RELEASE_NAME: ${{ steps.export-release-name.outputs.RELEASE_NAME }} From 02ddfe65a3613490b7f7890c30f07dc9919f03fb Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 14:47:03 -0800 Subject: [PATCH 10/15] Fix reference to job. --- .github/workflows/production-tag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
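Review bot: The new job condition `!(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'failure')` only excludes a CI run that ended in `failure`; a run whose conclusion is `cancelled`, `timed_out` or `skipped` still proceeds to create a production tag, as does every `pull_request` event restored in the previous patch "for testing" and not removed again in this series. For a release-tagging job an allow-list reads more safely than a deny-list: `if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') }}`. The comment above it should then say what is allowed rather than what is refused.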
diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index 8d36e05ba..cb9042f64 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -101,7 +101,7 @@ jobs: uses: department-of-veterans-affairs/platform-release-tools-actions/slack-notify@8c496a4b0c9158d18edcd9be8722ed0f79e8c5b4 # main continue-on-error: true with: - payload: '{"attachments": [{"color": "#07711E","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "Successfully tagged new next-build release: ${{ needs.create-release.outputs.RELEASE_NAME }}"}}]}]}' + payload: '{"attachments": [{"color": "#07711E","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "Successfully tagged new next-build release: ${{ needs.create-create-production-tag.outputs.RELEASE_NAME }}"}}]}]}' channel_id: ${{ env.SLACK_CHANNEL }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From e5ca909a29b9d9c3377131a38598b01546e8ef50 Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 15:02:06 -0800 Subject: [PATCH 11/15] Actually fix the reference. --- .github/workflows/production-tag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index cb9042f64..44a85b3d2 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml 
@@ -101,7 +101,7 @@ jobs: uses: department-of-veterans-affairs/platform-release-tools-actions/slack-notify@8c496a4b0c9158d18edcd9be8722ed0f79e8c5b4 # main continue-on-error: true with: - payload: '{"attachments": [{"color": "#07711E","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "Successfully tagged new next-build release: ${{ needs.create-create-production-tag.outputs.RELEASE_NAME }}"}}]}]}' + payload: '{"attachments": [{"color": "#07711E","blocks": [{"type": "section","text": {"type": "mrkdwn","text": "Successfully tagged new next-build release: ${{ needs.create-production-tag.outputs.RELEASE_NAME }}"}}]}]}' channel_id: ${{ env.SLACK_CHANNEL }} aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From d2680e5614c61225997b115afd15978f24bec83c Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 15:07:49 -0800 Subject: [PATCH 12/15] Switch to OIDC. --- .github/workflows/production-tag.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index 44a85b3d2..dce4459fa 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -33,8 +33,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ vars.AWS_ASSUME_ROLE }} aws-region: us-gov-west-1 - name: Get bot token from Parameter Store From b73b4f89b386bffd3758c6b1126a3fe1c72f9781 Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 15:14:36 -0800 Subject: [PATCH 13/15] Restoring key/secret authentication for now. --- .github/workflows/production-tag.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index dce4459fa..44a85b3d2 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -33,7 +33,8 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 with: - role-to-assume: ${{ vars.AWS_ASSUME_ROLE }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-gov-west-1 - name: Get bot token from Parameter Store From 85feb1ff629138480abd711850ab28d27edbd0c8 Mon Sep 17 00:00:00 2001 From: Tim Cosgrove Date: Fri, 12 Jan 2024 15:21:42 -0800 Subject: [PATCH 14/15] Use OIDC role, add permissions. --- .github/workflows/production-tag.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index 44a85b3d2..87131ad88 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -24,6 +24,9 @@ jobs: if: ${{ !(github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'failure') }} outputs: RELEASE_NAME: ${{ steps.export-release-name.outputs.RELEASE_NAME }} + permissions: + id-token: write + contents: read steps: - name: Cancel workflow due to DSVA schedule, unless this is a manual build @@ -33,8 +36,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ vars.AWS_ASSUME_ROLE }} aws-region: us-gov-west-1 - name: Get bot token from Parameter Store From 34a96e56477ca70cf22d2551f0f7da6ddf6bf652 Mon Sep 17 00:00:00 2001 
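Review bot: The OIDC switch is partial: `create-production-tag` now assumes `vars.AWS_ASSUME_ROLE`, but `notify-success` and `notify-failure` still pass `secrets.AWS_ACCESS_KEY_ID` and `secrets.AWS_SECRET_ACCESS_KEY` to slack-notify, so the static keys cannot be retired and the repository keeps two AWS credential paths. If slack-notify can use ambient credentials (its inputs are not visible here), give those jobs the same `permissions:` block and a `configure-aws-credentials` step with `role-to-assume`; otherwise note in the workflow why the keys remain. Consider also adding `permissions:` at the notify jobs anyway, since a job-level block only narrows the token for the job it is on.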
From: Tim Cosgrove Date: Fri, 12 Jan 2024 15:29:38 -0800 Subject: [PATCH 15/15] Allow Github to write commits. --- .github/workflows/production-tag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/production-tag.yml b/.github/workflows/production-tag.yml index 87131ad88..0777459a6 100644 --- a/.github/workflows/production-tag.yml +++ b/.github/workflows/production-tag.yml @@ -26,7 +26,7 @@ jobs: RELEASE_NAME: ${{ steps.export-release-name.outputs.RELEASE_NAME }} permissions: id-token: write - contents: read + contents: write steps: - name: Cancel workflow due to DSVA schedule, unless this is a manual build
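Review bot: `contents: write` is what lets the tag push succeed, and as far as the file shows the push runs with the GITHUB_TOKEN that `actions/checkout` persists by default (no other push credential is configured), while `Create release` uses the SSM-sourced `VA_VSP_BOT_GITHUB_TOKEN`; two identities act on one release, and tags pushed with GITHUB_TOKEN do not start other workflows, which matters if anything listens for the tag. Pick one identity and say so in a comment above the permissions block, e.g. `# contents: write is needed for the GITHUB_TOKEN tag push in "Create next tag"`. Because `pull_request:` is still a trigger at this point in the series, every same-repo PR now runs a job holding `contents: write`; that trigger should be gone before this merges.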