Changed get approvar to use approvals api which can use the default g… #59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy Backend | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: ["v*.*.*"] | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| type: choice | |
| options: [Development, Stage] | |
| description: "Target environment" | |
| required: true | |
| env: | |
| # kosli commands picks up org, flow, trail and api-token from these environment variables | |
| KOSLI_ORG: kosli-public | |
| KOSLI_FLOW: github-release-example-backend | |
| KOSLI_API_TOKEN: "${{ secrets.KOSLI_PUBLIC_API_TOKEN }}" | |
| KOSLI_CLI_VERSION: "${{ vars.KOSLI_CLI_VERSION }}" | |
| KOSLI_TEMPLATE_FILE: "kosli-flow-templates/backend-template.yml" | |
| KOSLI_ENV_PROD: "github-release-example-prod" | |
| jobs: | |
| setup: | |
| name: Begin trail | |
| runs-on: ubuntu-latest | |
| outputs: | |
| kosli-trail: ${{ steps.set-kosli-trail.outputs.kosli-trail }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set KOSLI_TRAIL to tag if available | |
| id: set-kosli-trail | |
| run: | | |
| if [[ "${GITHUB_REF}" == refs/tags/* ]]; then | |
| echo "kosli-trail=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT | |
| else | |
| echo "kosli-trail=${GITHUB_SHA}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Begin trail | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| uses: ./.github/actions/kosli-begin-trail | |
| with: | |
| kosli-trail: ${{ steps.set-kosli-trail.outputs.kosli-trail }} | |
| kosli-template-file: ${{ env.KOSLI_TEMPLATE_FILE }} | |
| build: | |
| name: Build backend | |
| needs: [setup] | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image-version: ${{ steps.build-artifact.outputs.image-version }} | |
| fingerprint: ${{ steps.calculate_fingerprint.outputs.fingerprint }} | |
| env: | |
| KOSLI_TRAIL: ${{ needs.setup.outputs.kosli-trail }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build backend | |
| id: build-artifact | |
| run: | | |
| echo "Here we could do some proper build" | |
| echo "image-version=${{ env.KOSLI_TRAIL }}" >> $GITHUB_OUTPUT | |
| - name: Extract short SHA | |
| run: echo "SHORT_SHA=${GITHUB_SHA:0:7}" >> $GITHUB_ENV | |
| - name: Attest artifact | |
| id: calculate_fingerprint | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| uses: ./.github/actions/kosli-attest-dir-artifact | |
| with: | |
| kosli-artifact-template-name: backend | |
| artifact-name: backend:${{ env.SHORT_SHA }} | |
| artifact-dir: apps/backend | |
| pull-request: | |
| name: Pull-request | |
| if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} | |
| needs: [setup] | |
| runs-on: ubuntu-latest | |
| env: | |
| KOSLI_TRAIL: ${{ needs.setup.outputs.kosli-trail }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Attest GitHub pull-request | |
| uses: ./.github/actions/kosli-attest-pullrequest | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| assert: true | |
| deploy-development: | |
| needs: build | |
| name: Deploy to development | |
| uses: ./.github/workflows/_deploy.yml | |
| with: | |
| environment: Development | |
| version: ${{ needs.build.outputs.image-version }} | |
| resource: dev-backend | |
| secrets: inherit | |
| deploy-stage: | |
| if: ${{ github.event_name != 'workflow_dispatch' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'Stage') }} | |
| needs: [build,deploy-development] | |
| name: Deploy to stage | |
| uses: ./.github/workflows/_deploy.yml | |
| with: | |
| environment: Stage | |
| version: ${{ needs.build.outputs.image-version }} | |
| resource: stage-backend | |
| secrets: inherit | |
| get-approver-for-stage: | |
| needs: deploy-stage | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Get approver from audit log | |
| id: get-approver | |
| uses: ./.github/actions/get-github-workflow-approver | |
| with: | |
| environment-name: Stage | |
| - name: Debug | |
| run: | | |
| echo "### Approval Actor for stage: ${{ steps.get-approver.outputs.approver }}" >> $GITHUB_STEP_SUMMARY | |
| semver-tag: | |
| needs: [build,deploy-stage] | |
| name: Check for semver tag | |
| runs-on: ubuntu-latest | |
| outputs: | |
| release-to-prod: ${{ steps.check-tag.outputs.match }} | |
| steps: | |
| - name: Check Tag | |
| id: check-tag | |
| run: | | |
| if [[ ${{ github.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "match=true" >> $GITHUB_OUTPUT | |
| fi | |
| create-release: | |
| needs: semver-tag | |
| if: needs.semver-tag.outputs.release-to-prod == 'true' | |
| name: Create GitHub Release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Create GitHub Release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAG_NAME: ${{ github.ref_name }} | |
| REPO: ${{ github.repository }} | |
| run: | | |
| API_URL="https://api.github.com/repos/${REPO}/releases" | |
| JSON_PAYLOAD=$(jq -n \ | |
| --arg tag "$TAG_NAME" \ | |
| --arg name "$TAG_NAME" \ | |
| '{ tag_name: $tag, name: $name, generate_release_notes: true, draft: false, prerelease: false }') | |
| curl -s -X POST "$API_URL" \ | |
| -H "Authorization: Bearer $GITHUB_TOKEN" \ | |
| -H "Content-Type: application/json" \ | |
| -d "$JSON_PAYLOAD" | |
| assert-artifact: | |
| name: Assert artifacts | |
| if: ${{ (github.event_name != 'workflow_dispatch' && needs.semver-tag.outputs.release-to-prod == 'true') }} | |
| needs: [build, pull-request, deploy-stage, semver-tag] | |
| env: | |
| KOSLI_TRAIL: ${{ needs.setup.outputs.kosli-trail }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Setup Kosli cli | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: | |
| ${{ vars.KOSLI_CLI_VERSION }} | |
| - name: Assert Artifacts | |
| run: | | |
| kosli assert artifact --fingerprint ${{ needs.build.outputs.fingerprint }} | |
| deploy-production: | |
| if: ${{ (github.event_name != 'workflow_dispatch' && needs.semver-tag.outputs.release-to-prod == 'true') }} | |
| needs: [build,deploy-stage,semver-tag,assert-artifact] | |
| name: Deploy to production | |
| uses: ./.github/workflows/_deploy.yml | |
| with: | |
| environment: Production | |
| version: ${{ needs.build.outputs.image-version }} | |
| resource: prod-backend | |
| secrets: inherit | |
| get-approver-for-production: | |
| needs: [setup, build, deploy-production] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Get approver from audit log | |
| id: get-approver | |
| uses: ./.github/actions/get-github-workflow-approver | |
| with: | |
| environment-name: Production | |
| - name: Setup Kosli cli | |
| uses: kosli-dev/setup-cli-action@v2 | |
| with: | |
| version: | |
| ${{ env.KOSLI_CLI_VERSION }} | |
| - name: Report approval to kosli | |
| run: | | |
| kosli attest custom \ | |
| --type=approval-github-workflow \ | |
| --name release-approval \ | |
| --flow ${{ env.KOSLI_FLOW }} \ | |
| --trail ${{ needs.setup.outputs.kosli-trail }} \ | |
| --fingerprint ${{ needs.build.outputs.fingerprint }} \ | |
| --attestation-data ${{ steps.get-approver.outputs.approval-json-file }} \ | |
| --annotate Approver="${{ steps.get-approver.outputs.approver }}" | |
| echo "### Approval Actor for production: ${{ steps.get-approver.outputs.approver }}" >> $GITHUB_STEP_SUMMARY |