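---
name: Docker deploy Staging

# Chained off the staging image build: this workflow only starts once that
# run has completed, and the job-level `if` below skips anything but success.
on:  # yamllint disable-line rule:truthy
  workflow_run:
    workflows: ["Docker build and push Staging"]
    types:
      - completed

env:
  AWS_REGION: ca-central-1
  ECS_CLUSTER: superset
  REGISTRY: ${{ vars.STAGING_AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com/superset
  # In a workflow_run-triggered workflow `github.sha` is the head of the
  # default branch when this run starts, not the commit the build run was
  # for. Use the triggering run's head SHA so the `sha-…` tag resolved in the
  # render step refers to the image that build produced (assumes the build
  # workflow tags with its own commit SHA — confirm against that workflow).
  GITHUB_SHA: ${{ github.event.workflow_run.head_sha }}

# Only the OIDC token is needed for the role assumption below; every other
# scope is implicitly `none` once `permissions` is declared.
permissions:
  id-token: write

jobs:
  docker-deploy:
    # Do not deploy on failed or cancelled builds.
    # NOTE(review): there is no branch guard here — this assumes the build
    # workflow only runs for the branch that should reach staging; verify
    # against its own triggers.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        service:
          - superset
          - celery-worker
          - celery-beat
    steps:
      # NOTE(review): `@main` is a mutable ref, unlike the SHA-pinned actions
      # further down; pin to a commit SHA once a suitable release is chosen.
      - name: Audit DNS requests
        uses: cds-snc/dns-proxy-action@main
        env:
          DNS_PROXY_FORWARDTOSENTINEL: "true"
          DNS_PROXY_LOGANALYTICSWORKSPACEID: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
          DNS_PROXY_LOGANALYTICSSHAREDKEY: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}

      # TODO: Replace with a locked down IAM role
      - name: configure aws credentials using OIDC
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::${{ vars.STAGING_AWS_ACCOUNT_ID }}:role/cds-superset-apply
          role-session-name: DeployContainer
          aws-region: ${{ env.AWS_REGION }}

      # Fetch the current task definition for this matrix leg's service so the
      # next step can rewrite only the container image.
      - name: Download ECS task definition
        run: |
          aws ecs describe-task-definition \
            --task-definition ${{ matrix.service }} \
            --query taskDefinition > task-definition.json

      - name: Update ECS task image
        id: task-def
        uses: aws-actions/amazon-ecs-render-task-definition@f87d1f66e0c6e10caeeb51f8344a0d25c899c533 # v1.6.2
        with:
          task-definition: task-definition.json
          container-name: ${{ matrix.service }}
          image: ${{ env.REGISTRY }}:sha-${{ env.GITHUB_SHA }}

      - name: Deploy updated ECS task
        uses: aws-actions/amazon-ecs-deploy-task-definition@0e82244a9c6dac43d70151a94c67ebc4bab18fc5 # v2.2.0
        with:
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          service: ${{ matrix.service }}
          cluster: ${{ env.ECS_CLUSTER }}
          wait-for-service-stability: true

      # Runs once, from the `superset` matrix leg only, after that service has
      # been reported stable by the deploy step above.
      - name: Run Superset database upgrade
        if: ${{ matrix.service == 'superset' }}
        run: |
          aws ecs run-task \
            --cluster ${{ env.ECS_CLUSTER }} \
            --task-definition superset-upgrade \
            --launch-type FARGATE \
            --count 1 \
            --network-configuration "awsvpcConfiguration={subnets=[${{ secrets.STAGING_SUPERSET_PRIVATE_SUBNET_IDS }}],securityGroups=[${{ secrets.STAGING_SUPERSET_ECS_TASK_SECURITY_GROUP_ID }}],assignPublicIp=DISABLED}"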