With environment restriction #43
on: | |
push: | |
branches: [main] | |
pull_request: | |
jobs: | |
build-and-deploy: | |
name: Build and deploy | |
runs-on: ubuntu-latest | |
environment: production | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- uses: DeterminateSystems/nix-installer-action@main | |
- uses: actions/checkout@v4 | |
- uses: aws-actions/configure-aws-credentials@v4 | |
id: aws | |
with: | |
role-to-assume: "${{ vars.DEPLOY_ROLE_ARN }}" | |
aws-region: eu-central-1 | |
output-credentials: true | |
# Needed for substitution as that happens by nix-daemon and runs as root | |
- name: Set up aws credentials for root user | |
run: | | |
sudo aws configure set aws_access_key_id ${{ steps.aws.outputs.aws-access-key-id }} | |
sudo aws configure set aws_secret_access_key ${{ steps.aws.outputs.aws-secret-access-key }} | |
sudo aws configure set aws_session_token ${{ steps.aws.outputs.aws-session-token }} | |
sudo aws configure set region eu-central-1 | |
- id: get-cache-secret-key | |
name: Get cache secret key | |
run: echo "${{ secrets.CACHE_SECRET_KEY }}" > cache-secret-key | |
- id: build | |
name: Build | |
run: | | |
store="${{ vars.CACHE_BUCKET }}&secret-key=$(realpath ./cache-secret-key)" | |
if ! nix path-info --eval-store auto --store "$store" .#nixosConfigurations.web-push.config.system.build.toplevel; then | |
nix copy --eval-store auto --to "$store" .#nixosConfigurations.web-push.config.system.build.toplevel | |
fi | |
out_path=$(nix path-info --eval-store auto --store "$store" .#nixosConfigurations.web-push.config.system.build.toplevel) | |
echo "out_path=$out_path" >> "$GITHUB_OUTPUT" | |
- id: deploy | |
name: Deploy | |
run: | | |
aws ssm send-command \ | |
--document-name ${{ vars.SSM_DOCUMENT_NAME }} \ | |
--targets 'Key=tag:Name,Values=web-push' \ | |
--parameters "installable=${{ steps.build.outputs.out_path }},substituters=${{ vars.CACHE_BUCKET }},trustedPublicKeys=${{ vars.CACHE_PUBLIC_KEY }}" | |
- id: wait-for-deploy | |
name: Wait for deploy | |
run: | | |
echo "TODO: Implement" | |
echo "Deployed successfully" |
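Review bot: The `uses: DeterminateSystems/nix-installer-action@main` step at the top of the job floats on a mutable branch while the job holds `id-token: write` for an OIDC role in the `production` environment, so whatever lands on that branch runs with those credentials; pin it to a release tag or commit SHA, e.g. `- uses: DeterminateSystems/nix-installer-action@<pinned-commit-sha>  # vX.Y.Z`. The `run:` blocks interpolate `${{ secrets.CACHE_SECRET_KEY }}` and the `steps.aws.outputs.*` credentials directly into the shell text, and the key file is written with the runner's default umask; passing them through `env:` and tightening the mode keeps them out of the rendered script, e.g. `env: { CACHE_SECRET_KEY: "${{ secrets.CACHE_SECRET_KEY }}" }` with `run: (umask 077; printf '%s\n' "$CACHE_SECRET_KEY" > cache-secret-key)`. The `pull_request` trigger has no branch filter and the same job deploys, so the environment's protection rules appear to be the only gate on PR-initiated deploys; a comment above `on:` stating that dependency would help the next reader. Finally, `aws ssm send-command` is asynchronous and the `wait-for-deploy` step echoes `Deployed successfully` unconditionally, so a failed or still-running SSM invocation still yields a green run; until the wait is implemented, that step should at least not claim success.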