ci: streamline CI job #833
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run IAC Integration Tests | |
| on: | |
| # push: | |
| # branches: | |
| # - main | |
| # release.yaml runs the tests on commits to main | |
| pull_request: | |
| workflow_dispatch: | |
| inputs: | |
| debug_enabled: | |
| type: boolean | |
| description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)' | |
| required: false | |
| default: false | |
| workflow_call: | |
| schedule: | |
| - cron: '0 0 * * 1' # Monday at 00:00 UTC | |
| env: | |
| SAM_CLI_TELEMETRY: 0 | |
| jobs: | |
| permission_check: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| can-write: ${{ steps.check.outputs.can-write }} | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| steps: | |
| - id: check | |
| run: | | |
| # If the AWS_ACCESS_KEY_ID secret is MIA we can't run tests | |
| if [[ -z "$AWS_ACCESS_KEY_ID" ]]; then | |
| echo "can-write=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "can-write=true" >> $GITHUB_OUTPUT | |
| fi | |
| provision: | |
| runs-on: ubuntu-latest | |
| needs: [permission_check] | |
| if: needs.permission_check.outputs.can-write == 'true' | |
| steps: | |
| - name: DCE Provision | |
| uses: observeinc/github-action-dce@1.0.1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| budget-amount: ${{ vars.BUDGET_AMOUNT }} | |
| budget-currency: 'USD' | |
| expiry: '30m' | |
| email: 'joao+gha@observeinc.com' | |
| - name: Setup tmate session | |
| uses: mxschmitt/action-tmate@v3 | |
| if: ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }} | |
| with: | |
| limit-access-to-actor: true | |
| - name: Create S3 Bucket for Artifacts | |
| run: | | |
| if ! aws s3api head-bucket --bucket "${{ env.S3_BUCKET_PREFIX }}-${{ env.AWS_REGION }}" 2>/dev/null; then | |
| aws s3 mb s3://"${{ env.S3_BUCKET_PREFIX }}-${{ env.AWS_REGION }}" --region $AWS_REGION | |
| fi | |
| env: | |
| AWS_REGION: us-west-2 | |
| S3_BUCKET_PREFIX: ${{ github.event.repository.name }}-${{ github.run_id }} | |
| discover: | |
| needs: [permission_check] | |
| if: needs.permission_check.outputs.can-write == 'true' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| apps: ${{ steps.apps.outputs.matrix }} | |
| tests: ${{ steps.tests.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Find apps | |
| id: apps | |
| run: | | |
| echo "matrix=$(ls apps/ | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT | |
| - name: Find tests | |
| id: tests | |
| run: | | |
| cd integration && \ | |
| echo "matrix=$(ls tests/*.hcl | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT | |
| build: | |
| needs: [discover, provision] | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| app: ${{fromJson(needs.discover.outputs.apps)}} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Validate SAM app | |
| run: make sam-validate | |
| env: | |
| APP: ${{ matrix.app }} | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - name: Build SAM app | |
| run: make sam-build | |
| env: | |
| APP: ${{ matrix.app }} | |
| - name: DCE Use | |
| id: dce_setup | |
| uses: observeinc/github-action-dce@1.0.1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| - name: Package SAM app | |
| run: make sam-package | |
| env: | |
| APP: ${{ matrix.app }} | |
| S3_BUCKET_PREFIX: ${{ github.event.repository.name }}-${{ github.run_id }} | |
| AWS_REGION: us-west-2 | |
| - name: Archive build directory | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.app }} | |
| # we only need the packaged yaml, since other artifacts are already in S3 | |
| path: | | |
| ${{ github.workspace }}/.aws-sam/build/${{ matrix.app }}/*.yaml | |
| test: | |
| runs-on: ubuntu-latest | |
| needs: [discover, build] | |
| strategy: | |
| matrix: | |
| testfile: ${{fromJson(needs.discover.outputs.tests)}} | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v4 | |
| - name: Download build directory | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: .aws-sam/build/ | |
| - name: DCE Use | |
| id: dce_setup | |
| uses: observeinc/github-action-dce@1.0.1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| - name: Integration test for ${{ matrix.testfile }} | |
| run: TEST_ARGS='-filter=${{ matrix.testfile }} -verbose' make integration-test | |
| env: | |
| AWS_REGION: us-west-2 | |
| cleanup: | |
| needs: [permission_check, test] | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - name: DCE Cleanup | |
| if: needs.permission_check.outputs.can-write == 'true' | |
| uses: observeinc/github-action-dce@1.0.1 | |
| with: | |
| action-type: 'decommission' | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} |