Update nginx.org-make-aws.yml #1
| name: nginx.org build | ||
| on: | ||
| workflow_call: | ||
| secrets: | ||
| AWS_ACCOUNT_ID: | ||
| required: true | ||
| AWS_ROLE_NAME: | ||
| required: true | ||
| ALLOWED_USERS: | ||
| required: true | ||
| inputs: | ||
| deployment_env: | ||
| required: false | ||
| type: string | ||
| default: staging | ||
| url_prod: | ||
| required: false | ||
| type: string | ||
| default: nginx.org | ||
| url_staging: | ||
| required: false | ||
| type: string | ||
| default: staging.nginx.org | ||
| s3_bucket: | ||
| required: false | ||
| type: string | ||
| default: nginx-org-staging | ||
| aws_region: | ||
| required: false | ||
| type: string | ||
| default: eu-central-1 | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| defaults: | ||
| run: | ||
| shell: 'bash -Eeo pipefail -x {0}' | ||
| jobs: | ||
| build-staging: | ||
| name: build-staging | ||
| runs-on: ubuntu-latest | ||
| if: ${{ inputs.deployment_env == 'staging' }} | ||
| environment: | ||
| name: staging | ||
| steps: | ||
| - name: Decode OIDC sub | ||
| uses: actions/github-script@v7 | ||
| id: oidc | ||
| with: | ||
| script: | | ||
| const idToken = await core.getIDToken(); | ||
| const payload = idToken.split('.')[1]; | ||
| const decoded = Buffer.from(payload, 'base64').toString('utf8'); | ||
| core.info(decoded); | ||
| - name: Debug context | ||
| run: | | ||
| echo "Repository: $GITHUB_REPOSITORY" | ||
| echo "Ref: $GITHUB_REF" | ||
| echo "Actor: $GITHUB_ACTOR" | ||
| echo "${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}" | ||
| - name: Install dependencies | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y libxslt1-dev xsltproc libxml2-utils netpbm python-is-python3 | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }} | ||
| aws-region: ${{ inputs.aws_region }} | ||
| - name: Build | ||
| if: ${{ inputs.deployment_env == 'staging' }} | ||
| run: | | ||
| set -e | ||
| make all | ||
| make gzip | ||
| make images | ||
| make genapi | ||
| make all | ||
| make copy NGINX_ORG=www | ||
| # Verify build output | ||
| if [ ! -d www ]; then | ||
| echo "Error: Build did not create www/ directory" | ||
| exit 1 | ||
| fi | ||
| - name: Add deployment metadata | ||
| if: ${{ inputs.deployment_env == 'staging' }} | ||
| run: | | ||
| TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" | ||
| mkdir -p meta | ||
| echo "$GITHUB_SHA deployed at $TIMESTAMP" > meta/.deployed.txt | ||
| echo "actor=$GITHUB_ACTOR repo=$GITHUB_REPOSITORY" >> meta/.deployed.txt | ||
| cp meta/.deployed.txt www/ | ||
| - name: Compute safe repo name | ||
| id: vars | ||
| run: | | ||
| echo "safe_repo=${GITHUB_REPOSITORY//\//-}" >> "$GITHUB_OUTPUT" | ||
| - name: Sync www/ to S3 | ||
| run: | | ||
| aws s3 sync \ | ||
| www/ \ | ||
| s3://${{ inputs.s3_bucket }}/${{ steps.vars.outputs.safe_repo }}/staging/${GITHUB_SHA}/ \ | ||
| --delete --exact-timestamps | ||
| - name: Deployment summary | ||
| run: | | ||
| { | ||
| echo "### Deployment staging to ${{ inputs.url_staging }}/${{ steps.vars.outputs.safe_repo }}/${GITHUB_SHA}" | ||
| echo "### It should be accessible in 5 minutes" | ||
| } >> $GITHUB_STEP_SUMMARY | ||
| build-prod: | ||
| name: build-prod | ||
| runs-on: ubuntu-latest | ||
| if: ${{ inputs.deployment_env == 'prod' }} | ||
| environment: | ||
| name: prod | ||
| steps: | ||
| - name: Check prod access | ||
| if: ${{ inputs.deployment_env == 'prod' }} | ||
| run: | | ||
| if [ "$GITHUB_REF" != "refs/heads/main" ]; then | ||
| echo "Error: Production deployments are only allowed from the main branch." | ||
| exit 1 | ||
| fi | ||
| if [ "$GITHUB_REPOSITORY_OWNER" != "nginx" ] && [ "$GITHUB_REPOSITORY_OWNER" != "nginxinc" ]; then | ||
| echo "Error: This workflow is only allowed in repositories owned by 'nginx' or 'nginxinc'." | ||
| exit 1 | ||
| fi | ||
| allowed=false | ||
| USER_LIST="${{ secrets.ALLOWED_USERS }}" | ||
| for user in $USER_LIST; do | ||
| if [ "$GITHUB_ACTOR" == "$user" ]; then | ||
| echo "User $GITHUB_ACTOR is allowed to deploy to prod" | ||
| allowed=true | ||
| break | ||
| fi | ||
| done | ||
| if [ "$allowed" != true ]; then | ||
| echo "User $GITHUB_ACTOR is NOT allowed to deploy to prod" | ||
| exit 1 | ||
| fi | ||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }} | ||
| aws-region: ${{ inputs.aws_region }} | ||
| - name: Compute safe repo name | ||
| id: vars | ||
| run: | | ||
| echo "safe_repo=${GITHUB_REPOSITORY//\//-}" >> "$GITHUB_OUTPUT" | ||
| - name: Sync www/ to S3 | ||
| run: | | ||
| aws s3 sync \ | ||
| s3://${{ inputs.s3_bucket }}/${{ steps.vars.outputs.safe_repo }}/staging/${GITHUB_SHA}/ \ | ||
| s3://${{ inputs.s3_bucket }}/${{ steps.vars.outputs.safe_repo }}/prod/ \ | ||
| --delete --exact-timestamps | ||
| - name: Check prod deployment | ||
| run: | | ||
| DEPLOYED_URL="${{ inputs.url_staging }}/${{ steps.vars.outputs.safe_repo }}/${GITHUB_SHA}/.deployed.txt" | ||
| for i in {1..10}; do | ||
| DEPLOYED_SHA=$(curl -fsSL "$DEPLOYED_URL" 2>/dev/null | awk '{ print $1 }' || echo "") | ||
| if [ "$DEPLOYED_SHA" = "$GITHUB_SHA" ]; then | ||
| exit 0 | ||
| else | ||
| sleep 60 | ||
| fi | ||
| done | ||
| echo "Error: wrong SHA while requesting $DEPLOYED_URL" | ||
| exit 1 | ||
| - name: Deployment summary | ||
| run: | | ||
| { | ||
| echo "### prod is deployed by $GITHUB_ACTOR from $GITHUB_REPOSITORY/$GITHUB_SHA" | ||
| } >> $GITHUB_STEP_SUMMARY | ||
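Review bot: The "Debug context" step in build-staging echoes `${{ secrets.AWS_ACCOUNT_ID }}` and `${{ secrets.AWS_ROLE_NAME }}` into the job log, and the file-wide `shell: 'bash -Eeo pipefail -x {0}'` traces every command, so secret-bearing lines such as `USER_LIST="${{ secrets.ALLOWED_USERS }}"` in "Check prod access" are echoed too; only GitHub's log masking keeps those values out of the log. Drop that debug echo (configure-aws-credentials already receives the ARN) and consider `shell: 'bash -Eeo pipefail {0}'` as the default, enabling `-x` per step only where needed. Separately, `${{ secrets.ALLOWED_USERS }}`, `${{ inputs.url_staging }}` and `${{ inputs.s3_bucket }}` are interpolated straight into `run:` script text; passing them through the step's `env:` (e.g. `USER_LIST: ${{ secrets.ALLOWED_USERS }}` under `env:` and then `for user in $USER_LIST; do`) keeps caller-supplied values out of the shell parse. The "Check prod deployment" step builds `DEPLOYED_URL` from `url_staging` with no scheme, so for the default `staging.nginx.org` curl will fetch the SHA over plain HTTP; prefix it as `DEPLOYED_URL="https://${URL_STAGING}/..."` so the comparison that gates the prod summary happens over TLS.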