-
-
Notifications
You must be signed in to change notification settings - Fork 2
99 lines (95 loc) · 3.79 KB
/
infrastructure-ci-cd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: "App Service CI / CD"
on:
pull_request: {}
push:
branches: [main]
paths: [infrastructure/**.bicep, infrastructure/**.parameters.json]
workflow_dispatch:
inputs:
What-If:
description: "What-If: Set to 'false' if you want to deploy"
required: true
default: "true"
env:
github_app_client_secret: ${{ secrets.GITHUBAPP_CLIENT_SECRET }}
github_app_private_ssh_key_secret: ${{ secrets.PRIVATE_SSH_KEY }}
github_app_webhook_secret: ${{ secrets.WEBHOOK_SECRET }}
location: "centralus"
service_principal_id: "a815ac51-ea5e-4b31-aa3c-eefb9c87403b"
service_principal_secret: ${{ secrets.SERVICE_PRINCIPAL_SECRET }}
subcription_id: "7100b295-05bb-4ecf-a59b-246bd1f17d9a"
template_file: "infrastructure/announcement-drafter.bicep"
template_parameter_file: "infrastructure/announcement-drafter.parameters.json"
tenant_id: "87e276c0-7d18-4d86-948a-ba5eea990211"
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
what-if-deploy:
name: What-If Deploy
if: github.event_name == 'pull_request' || ( github.event_name == 'workflow_dispatch' && github.event.inputs.What-If == 'true' )
runs-on: ubuntu-latest
environment:
name: "production"
env:
what_if: true
steps:
- name: Checkout Repository
uses: actions/checkout@v2
- name: az bicep build --file "${{ env.template_file }}"
shell: bash
run: az bicep build --file "${{ env.template_file }}"
- name: Replace Tokens
uses: cschleiden/replace-tokens@v1
with:
files: '["infrastructure/**/*.parameters.json"]'
env:
GITHUB_CLIENT_SECRET: ${{ env.github_app_client_secret }}
PRIVATE_SSH_KEY: ${{ env.github_app_private_ssh_key_secret }}
WEBHOOK_SECRET: ${{ env.github_app_webhook_secret }}
- name: Azure Login
uses: ./.github/workflows/composite/azure-login
with:
service_principal_id: ${{ env.service_principal_id }}
service_principal_secret: ${{ env.service_principal_secret }}
subcription_id: ${{ env.subcription_id }}
tenant_id: ${{ env.tenant_id }}
- name: What-If Deploy
uses: ./.github/workflows/composite/azure-subscription-deployment
with:
template_file: ${{ env.template_file }}
template_parameter_file: ${{ env.template_parameter_file }}
what_if: ${{ env.what_if }}
deploy:
name: Deploy
if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || ( github.event_name == 'workflow_dispatch' && github.event.inputs.What-If == 'false' ))
concurrency: production-deploy
runs-on: ubuntu-latest
environment:
name: "production"
env:
what_if: false
steps:
- name: Checkout Repository
uses: actions/checkout@v2
- name: Replace Tokens
uses: cschleiden/replace-tokens@v1
with:
files: '["infrastructure/**/*.parameters.json"]'
env:
GITHUB_CLIENT_SECRET: ${{ env.github_app_client_secret }}
PRIVATE_SSH_KEY: ${{ env.github_app_private_ssh_key_secret }}
WEBHOOK_SECRET: ${{ env.github_app_webhook_secret }}
- name: Azure Login
uses: ./.github/workflows/composite/azure-login
with:
service_principal_id: ${{ env.service_principal_id }}
service_principal_secret: ${{ env.service_principal_secret }}
subcription_id: ${{ env.subcription_id }}
tenant_id: ${{ env.tenant_id }}
- name: Deploy
uses: ./.github/workflows/composite/azure-subscription-deployment
with:
template_file: ${{ env.template_file }}
template_parameter_file: ${{ env.template_parameter_file }}
what_if: ${{ env.what_if }}