
Move detect changes job to deploy-backend #111


Workflow file for this run

# Deploys the backend for one AWS environment / sub-environment. Callable from
# other workflows (workflow_call) or run by hand (workflow_dispatch). Jobs:
# decide whether the recordprocessor image needs rebuilding, build it or
# resolve the newest existing tag, then Terraform plan and apply; in dev an
# MNS subscription can optionally be created afterwards.
name: Deploy Backend

Check failure on line 1 in .github/workflows/deploy-backend.yml



Invalid workflow file

(Line: 83, Col: 9): Unrecognized named-value: 'env'. Located at position 1 within expression: env.build_record_processor || inputs.build_recordprocessor_override, (Line: 126, Col: 9): Unrecognized named-value: 'env'. Located at position 2 within expression: !env.build_record_processor || !inputs.build_recordprocessor_override
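on:
  workflow_call:
    inputs:
      apigee_environment:
        required: true
        type: string
      build_recordprocessor_override:
        required: false
        type: boolean
        default: true
      create_mns_subscription:
        required: false
        type: boolean
        default: true
      environment:
        required: true
        type: string
      sub_environment:
        required: true
        type: string
  workflow_dispatch:
    inputs:
      apigee_environment:
        type: choice
        description: Select the Apigee proxy environment
        options:
          - internal-dev
          - internal-qa
          - int
          - ref
          - prod
      create_mns_subscription:
        description: Create an MNS Subscription programatically. Only available in AWS dev
        required: false
        type: boolean
        default: true
      environment:
        type: choice
        description: Select the AWS backend environment
        options:
          - dev
          - preprod
          - prod
      build_recordprocessor_override:
        description: Build and push a new recordprocessor image for this deployment
        required: false
        type: boolean
        default: true
      # TODO(review): not marked required here, unlike the workflow_call input.
      # An empty value turns the ECR tag prefix into just "-" and the artifact
      # name into "<env>--tfplan"; consider `required: true`.
      sub_environment:
        type: string
        description: Set the sub environment name e.g. pr-xxx, or green/blue in higher environments

# Sonarcloud - do not allow direct usage of untrusted data: inputs are exposed
# to scripts through env rather than interpolated into `run:` blocks.
# The build/no-build flag is deliberately not kept here: a job-level `if:`
# cannot read the `env` context, so that decision is carried as a job output.
env:
  APIGEE_ENVIRONMENT: ${{ inputs.apigee_environment }}
  ENVIRONMENT: ${{ inputs.environment }}
  SUB_ENVIRONMENT: ${{ inputs.sub_environment }}

run-name: Deploy Backend - ${{ inputs.environment }} ${{ inputs.sub_environment }}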
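jobs:
  # Decides whether the recordprocessor image has to be rebuilt and publishes
  # the answer as a job output. A job-level `if:` cannot read the `env`
  # context (the "Unrecognized named-value: 'env'" validation error), so the
  # flag has to travel via `needs.<job>.outputs`.
  # The job runs unconditionally: the earlier condition
  # (`action != 'opened' || action != 'reopened' || ...`) was always true, and
  # the script below handles a missing base commit itself.
  detect-recordprocessor-changes:
    name: Detect recordprocessor changes
    runs-on: ubuntu-latest
    outputs:
      build_record_processor: ${{ steps.detect.outputs.build_record_processor }}
    steps:
      - name: Checkout
        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
        with:
          fetch-depth: 0  # full history so the base commit can be diffed against
      - name: Detect recordprocessor changes in PR
        id: detect
        # Refs are passed through env instead of being interpolated into the
        # script, in line with the untrusted-data rule applied to the inputs.
        env:
          BASE_SHA: ${{ github.event.before }}
          HEAD_SHA: ${{ github.sha }}
        run: |
          # No usable base commit (workflow_dispatch, an event without a
          # `before` field, or an all-zero SHA on branch creation): rebuild
          # rather than guess.
          if [ -z "${BASE_SHA}" ] || ! git cat-file -e "${BASE_SHA}^{commit}" 2>/dev/null; then
            echo "build_record_processor=true" >> "$GITHUB_OUTPUT"
          elif git diff --quiet "${BASE_SHA}" "${HEAD_SHA}" -- lambdas/recordprocessor/ lambdas/shared/src/common/; then
            echo "build_record_processor=false" >> "$GITHUB_OUTPUT"
          else
            echo "build_record_processor=true" >> "$GITHUB_OUTPUT"
          fi

  # Builds and pushes a fresh image when the override is set (the default) or
  # when the detect job found relevant changes. Job outputs are strings, hence
  # the comparison with 'true'.
  build-and-push-recordprocessor:
    name: Build and push recordprocessor image
    needs: detect-recordprocessor-changes
    if: ${{ inputs.build_recordprocessor_override || needs.detect-recordprocessor-changes.outputs.build_record_processor == 'true' }}
    permissions:
      id-token: write
      contents: read
    outputs:
      recordprocessor_image_tag: ${{ steps.build-image.outputs.recordprocessor_image_tag }}
    runs-on: ubuntu-latest
    environment:
      name: ${{ inputs.environment }}
    env:
      AWS_REGION: eu-west-2
      SUB_ENVIRONMENT: ${{ inputs.sub_environment }}
    steps:
      - name: Checkout
        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
      - name: Connect to AWS
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
        with:
          aws-region: eu-west-2
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
          role-session-name: github-actions
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076
      - name: Build and push Docker image
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        working-directory: lambdas
        run: |
          # Tag is "<sub_environment>-<commit sha>"; the resolve job looks images
          # up by the "<sub_environment>-" prefix, so keep the two in sync.
          IMAGE_TAG="${SUB_ENVIRONMENT}-${GITHUB_SHA}"
          REPOSITORY_NAME="imms-recordprocessor-repo"
          IMAGE_URI="${ECR_REGISTRY}/${REPOSITORY_NAME}:${IMAGE_TAG}"
          docker build -f recordprocessor/Dockerfile -t "${IMAGE_URI}" .
          docker push "${IMAGE_URI}"
          echo "recordprocessor_image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"

  # Reuses the most recently pushed image for this sub-environment when no
  # rebuild is wanted. The condition is the exact complement of the build
  # job's, so exactly one of the two runs; the earlier `!a || !b` form let both
  # run whenever only one side was true, and a failed build could then be
  # silently papered over by the resolved tag downstream.
  resolve-recordprocessor-image-tag:
    name: Resolve existing recordprocessor image tag
    needs: detect-recordprocessor-changes
    if: ${{ !inputs.build_recordprocessor_override && needs.detect-recordprocessor-changes.outputs.build_record_processor != 'true' }}
    permissions:
      id-token: write
      contents: read
    outputs:
      recordprocessor_image_tag: ${{ steps.resolve-image-tag.outputs.recordprocessor_image_tag }}
    runs-on: ubuntu-latest
    environment:
      name: ${{ inputs.environment }}
    steps:
      - name: Connect to AWS
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
        with:
          aws-region: eu-west-2
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
          role-session-name: github-actions
      - name: Resolve latest matching recordprocessor image tag
        id: resolve-image-tag
        env:
          REPOSITORY_NAME: imms-recordprocessor-repo
          TAG_PREFIX: ${{ inputs.sub_environment }}-
          AWS_REGION: eu-west-2
        run: |
          # Tags are sorted by push time, so the last match is the newest. The
          # prefix is matched literally (via ENVIRON, not a regex): a
          # sub_environment containing '.', '+' or similar must not widen the
          # match to other environments' images.
          IMAGE_TAG=$(
            aws ecr describe-images \
              --repository-name "${REPOSITORY_NAME}" \
              --region "${AWS_REGION}" \
              --filter tagStatus=TAGGED \
              --query 'sort_by(imageDetails,&imagePushedAt)[*].imageTags[*]' \
              --output text \
            | tr '\t' '\n' \
            | awk 'index($0, ENVIRON["TAG_PREFIX"]) == 1' \
            | tail -n1 || true
          )
          if [ -z "${IMAGE_TAG}" ]; then
            echo "No existing recordprocessor image found for prefix '${TAG_PREFIX}'."
            echo "Trigger a run with build_recordprocessor_override=true to build one."
            exit 1
          fi
          echo "Using existing recordprocessor image tag: ${IMAGE_TAG}"
          echo "recordprocessor_image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"

  # Plans with whichever image tag was produced. One of the two upstream jobs is
  # always skipped, so `!cancelled()` plus the explicit result checks are what
  # allow this job to run after a skipped dependency.
  terraform-plan:
    permissions:
      id-token: write
      contents: read
    needs:
      - build-and-push-recordprocessor
      - resolve-recordprocessor-image-tag
    if: ${{ !cancelled() && (needs.build-and-push-recordprocessor.result == 'success' || needs.resolve-recordprocessor-image-tag.result == 'success') }}
    outputs:
      recordprocessor_image_tag: ${{ needs.build-and-push-recordprocessor.outputs.recordprocessor_image_tag || needs.resolve-recordprocessor-image-tag.outputs.recordprocessor_image_tag }}
    runs-on: ubuntu-latest
    env:
      TF_VAR_recordprocessor_image_tag: ${{ needs.build-and-push-recordprocessor.outputs.recordprocessor_image_tag || needs.resolve-recordprocessor-image-tag.outputs.recordprocessor_image_tag }}
    environment:
      name: ${{ inputs.environment }}
    steps:
      - name: Checkout
        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
      - name: Connect to AWS
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
        with:
          aws-region: eu-west-2
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
          role-session-name: github-actions
      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
        with:
          terraform_version: "1.12.2"
      - name: Terraform Init
        working-directory: infrastructure/instance
        run: make init
      - name: Terraform Plan
        # Ignore cancellations to prevent Terraform from being killed while it holds a state lock
        # A stuck process can still be killed with the force-cancel API operation
        if: ${{ !failure() }}
        working-directory: infrastructure/instance
        run: make plan-ci
      - name: Save Terraform Plan
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
        with:
          name: ${{ env.ENVIRONMENT }}-${{ env.SUB_ENVIRONMENT }}-tfplan
          path: infrastructure/instance/tfplan

  # Applies the saved plan with the same image tag the plan was made with.
  terraform-apply:
    permissions:
      id-token: write
      contents: read
    needs: terraform-plan
    if: ${{ !cancelled() && needs.terraform-plan.result == 'success' }}
    runs-on: ubuntu-latest
    env:
      TF_VAR_recordprocessor_image_tag: ${{ needs.terraform-plan.outputs.recordprocessor_image_tag }}
    environment:
      name: ${{ inputs.environment }}
    steps:
      - name: Checkout
        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
        with:
          aws-region: eu-west-2
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
          role-session-name: github-actions
      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
        with:
          terraform_version: "1.12.2"
      - name: Retrieve Terraform Plan
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          name: ${{ env.ENVIRONMENT }}-${{ env.SUB_ENVIRONMENT }}-tfplan
          path: infrastructure/instance
      - name: Terraform Init
        working-directory: infrastructure/instance
        run: make init
      - name: Terraform Apply
        # Ignore cancellations to prevent Terraform from being killed while it holds a state lock
        # A stuck process can still be killed with the force-cancel API operation
        if: ${{ !failure() }}
        working-directory: infrastructure/instance
        run: |
          make apply-ci
          # Exported for the MNS subscription step below.
          echo "ID_SYNC_QUEUE_ARN=$(make -s output name=id_sync_queue_arn)" >> "$GITHUB_ENV"
      - name: Install poetry
        if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
        run: pip install poetry==2.1.4
      # TODO(review): every other action in this file is pinned to a commit SHA;
      # pin this one to the SHA behind v6.2.0 as well (mutable tag otherwise).
      - uses: actions/setup-python@v6.2.0
        if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
        with:
          python-version: "3.11"
          cache: "poetry"
          cache-dependency-path: |
            lambdas/mns_subscription/poetry.lock
            lambdas/shared/poetry.lock
      - name: Create MNS Subscription
        if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
        working-directory: "./lambdas/mns_subscription"
        env:
          # NOTE(review): hard-coded to int here rather than inputs.apigee_environment -
          # presumably intentional for the dev subscription; confirm.
          APIGEE_ENVIRONMENT: int
          SQS_ARN: ${{ env.ID_SYNC_QUEUE_ARN }}
        run: |
          poetry install --no-root
          echo "Subscribing SQS to MNS for notifications..."
          make subscribe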