Add steps on disabling API keys. #387
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: [push, pull_request] | |
env: | |
COMPOSE_FILE: docker-compose.ci.yml | |
TEST_IMAGE_REPO: ghcr.io/18f/api.data.gov | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
outputs: | |
image-tag: ${{ steps.image-metadata.outputs.version }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Container metadata | |
id: image-metadata | |
uses: docker/metadata-action@v4 | |
with: | |
images: ${{ env.TEST_IMAGE_REPO }} | |
flavor: | | |
prefix=test-image- | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Docker build | |
run: docker buildx bake -f "${{ env.COMPOSE_FILE }}" --push | |
env: | |
TEST_IMAGE_TAG: ${{ steps.image-metadata.outputs.version }} | |
- name: ESLint | |
run: docker compose run --rm web yarn run lint --max-warnings 0 | |
env: | |
TEST_IMAGE_TAG: ${{ steps.image-metadata.outputs.version }} | |
- name: Prettier Check | |
run: docker compose run --rm web yarn run prettier:check | |
env: | |
TEST_IMAGE_TAG: ${{ steps.image-metadata.outputs.version }} | |
build: | |
runs-on: ubuntu-latest | |
needs: test | |
strategy: | |
matrix: | |
deploy_env: [production, staging] | |
include: | |
- deploy_env: production | |
web_site_root_secret_name: WEB_SITE_ROOT | |
- deploy_env: staging | |
web_site_root_secret_name: STAGING_WEB_SITE_ROOT | |
- deploy_env: production | |
signup_api_key_secret_name: API_KEY | |
- deploy_env: staging | |
signup_api_key_secret_name: STAGING_API_KEY | |
- deploy_env: production | |
contact_api_key_secret_name: CONTACT_API_KEY | |
- deploy_env: staging | |
contact_api_key_secret_name: STAGING_CONTACT_API_KEY | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Build | |
- name: Build | |
env: | |
TEST_IMAGE_TAG: ${{ needs.test.outputs.image-tag }} | |
run: | | |
docker compose run \ | |
-e "HUGO_PARAMS_APIUMBRELLACONTACTAPIKEY=${{ secrets[matrix.contact_api_key_secret_name] }}" \ | |
-e "HUGO_PARAMS_APIUMBRELLASIGNUPAPIKEY=${{ secrets[matrix.signup_api_key_secret_name] }}" \ | |
--rm \ | |
web \ | |
hugo \ | |
--minify \ | |
--baseURL "${{ secrets[matrix.web_site_root_secret_name] }}" | |
- uses: actions/upload-artifact@v1 | |
with: | |
name: build-${{ matrix.deploy_env }} | |
path: ./public | |
deploy: | |
if: success() && github.repository_owner == '18F' && github.ref == 'refs/heads/main' | |
needs: build | |
runs-on: ubuntu-latest | |
container: | |
image: rclone/rclone:1.62.2 | |
strategy: | |
matrix: | |
deploy_env: [production, staging] | |
include: | |
- deploy_env: production | |
bucket_name_secret_name: BUCKET_NAME | |
- deploy_env: staging | |
bucket_name_secret_name: STAGING_BUCKET_NAME | |
- deploy_env: production | |
aws_access_key_id_secret_name: AWS_ACCESS_KEY_ID | |
- deploy_env: staging | |
aws_access_key_id_secret_name: STAGING_AWS_ACCESS_KEY_ID | |
- deploy_env: production | |
aws_secret_access_key_secret_name: AWS_SECRET_ACCESS_KEY | |
- deploy_env: staging | |
aws_secret_access_key_secret_name: STAGING_AWS_SECRET_ACCESS_KEY | |
- deploy_env: production | |
aws_default_region_secret_name: AWS_DEFAULT_REGION | |
- deploy_env: staging | |
aws_default_region_secret_name: STAGING_AWS_DEFAULT_REGION | |
steps: | |
# Deploy to S3 bucket. | |
- uses: actions/download-artifact@v1 | |
with: | |
name: build-${{ matrix.deploy_env }} | |
path: ./public | |
- name: Deploy | |
env: | |
RCLONE_S3_ACCESS_KEY_ID: ${{ secrets[matrix.aws_access_key_id_secret_name] }} | |
RCLONE_S3_SECRET_ACCESS_KEY: ${{ secrets[matrix.aws_secret_access_key_secret_name] }} | |
RCLONE_S3_REGION: ${{ secrets[matrix.aws_default_region_secret_name] }} | |
S3_DEST: ":s3:${{ secrets[matrix.bucket_name_secret_name] }}/" | |
run: | | |
# Identify cache-busted assets by the fingerprint in the filename. | |
cache_busted_assets="/{images,javascripts,stylesheets}/**.{\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w\w}.*" | |
# Sync all cache-busted assets with long cache-control expirations. | |
rclone \ | |
copy \ | |
--verbose \ | |
--checksum \ | |
--no-update-modtime \ | |
--s3-no-check-bucket \ | |
--s3-no-head \ | |
--header-upload "Cache-Control: public, max-age=31536000, immutable" \ | |
--include "$cache_busted_assets" \ | |
./public/ \ | |
"$S3_DEST" | |
# Sync the remaining files, disallowing caching on those. | |
rclone \ | |
copy \ | |
--verbose \ | |
--checksum \ | |
--no-update-modtime \ | |
--s3-no-check-bucket \ | |
--s3-no-head \ | |
--header-upload "Cache-Control: no-cache, max-age=0, must-revalidate" \ | |
./public/ \ | |
"$S3_DEST" | |
# Run the sync one more time to delete old files. Keep old asset | |
# files around, so that if old HTML pages continue to load for a few | |
# minutes, they can still load older assets. | |
rclone \ | |
sync \ | |
--verbose \ | |
--checksum \ | |
--no-update-modtime \ | |
--s3-no-check-bucket \ | |
--s3-no-head \ | |
--exclude "$cache_busted_assets" \ | |
./public/ \ | |
"$S3_DEST" |