update tf #69
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
branches: [main] | |
pull_request: | |
jobs: | |
build-and-deploy: | |
name: Build and deploy | |
runs-on: ubuntu-latest | |
environment: production | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- uses: DeterminateSystems/nix-installer-action@main | |
- uses: actions/checkout@v4 | |
- uses: aws-actions/configure-aws-credentials@v4 | |
id: aws | |
with: | |
role-to-assume: "${{ vars.DEPLOY_ROLE_ARN }}" | |
aws-region: eu-central-1 | |
output-credentials: true | |
# Needed for substitution as that happens by nix-daemon and runs as root | |
- name: Set up aws credentials for root user | |
run: | | |
sudo aws configure set aws_access_key_id ${{ steps.aws.outputs.aws-access-key-id }} | |
sudo aws configure set aws_secret_access_key ${{ steps.aws.outputs.aws-secret-access-key }} | |
sudo aws configure set aws_session_token ${{ steps.aws.outputs.aws-session-token }} | |
sudo aws configure set region eu-central-1 | |
- id: get-cache-secret-key | |
name: Get cache secret key | |
run: echo "${{ secrets.CACHE_SECRET_KEY }}" > cache-secret-key | |
- id: build | |
name: Build | |
run: | | |
store="${{ vars.CACHE_BUCKET }}&secret-key=$(realpath ./cache-secret-key)" | |
if ! nix path-info --eval-store auto --store "$store" .#nixosConfigurations.web-push.config.system.build.toplevel; then | |
nix copy --eval-store auto --to "$store" .#nixosConfigurations.web-push.config.system.build.toplevel | |
fi | |
out_path=$(nix path-info --eval-store auto --store "$store" .#nixosConfigurations.web-push.config.system.build.toplevel) | |
echo "out_path=$out_path" >> "$GITHUB_OUTPUT" | |
- id: send-command | |
name: Send command ${{ vars.SSM_DOCUMENT_NAME }} | |
run: | | |
command_id=$(aws ssm send-command \ | |
--document-name ${{ vars.SSM_DOCUMENT_NAME }} \ | |
--comment "${{github.run_id}}" \ | |
--targets 'Key=tag:Name,Values=web-push' \ | |
--parameters "installable=${{ steps.build.outputs.out_path }},substituters=${{ vars.CACHE_BUCKET }},trustedPublicKeys=${{ vars.CACHE_PUBLIC_KEY }}" \ | |
--output-s3-bucket-name "${{ vars.SSM_LOGS_BUCKET }}" \ | |
--output-s3-key-prefix "${{ vars.SSM_DOCUMENT_NAME }}" \ | |
--cloud-watch-output-config CloudWatchOutputEnabled=true \ | |
--query "Command.CommandId" \ | |
--output text) | |
echo "command_id=$command_id" >> "$GITHUB_OUTPUT" | |
- id: wait-for-deploy | |
name: Wait for deploy | |
run: | | |
tries=24 | |
while true; do | |
sleep 5 | |
if [ $tries -eq 0 ]; then | |
echo "Command did not finish in time" | |
exit 0 | |
fi | |
status=$(aws ssm list-commands \ | |
--command-id ${{ steps.send-command.outputs.command_id }} \ | |
--query "Commands[0].Status" \ | |
--output text) | |
# if pending or in progress, or cancelling | |
if [ "$status" = "Pending" ] || [ "$status" = "InProgress" ] || [ "$status" = "Cancelling" ]; then | |
tries=$((tries-1)) | |
continue | |
fi | |
break | |
done | |
echo "status=$status" >> "$GITHUB_OUTPUT" | |
- name: Show details | |
run: | | |
aws ssm list-command-invocations \ | |
--command-id ${{ steps.send-command.outputs.command_id }} \ | |
--details \ | |
--output yaml | |
- name: Fail if status is not Success | |
run: | | |
if [ "${{ steps.wait-for-deploy.outputs.status }}" != "Success" ]; then | |
echo "Command failed with status $status" | |
exit 1 | |
fi |