Skip to content
.github/workflows/nginx.org-make-aws.yml

Update nginx.org-make-aws.yml #2

Sign in to view logs

Update nginx.org-make-aws.yml

Update nginx.org-make-aws.yml #2

Workflow file for this run

.github/workflows/nginx.org-make-aws.yml at 94f9a25
name: nginx.org build

Check failure on line 1 in .github/workflows/nginx.org-make-aws.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/nginx.org-make-aws.yml

Invalid workflow file 

(Line: 49, Col: 14): The expression is not closed. An unescaped ${{ sequence was found, but the closing }} sequence was not found.
on:
workflow_call:
secrets:
AWS_ACCOUNT_ID:
required: true
AWS_ROLE_NAME:
required: true
ALLOWED_USERS:
required: true
inputs:
deployment_env:
required: false
type: string
default: staging
url_prod:
required: false
type: string
default: nginx.org
url_staging:
required: false
type: string
default: staging.nginx.org
s3_bucket:
required: false
type: string
default: nginx-org-staging
aws_region:
required: false
type: string
default: eu-central-1
permissions:
contents: read
id-token: write
defaults:
run:
shell: 'bash -Eeo pipefail -x {0}'
jobs:
check-if-allowed:
if: ${{ ( github.repository_owner == 'nginx' || github.repository_owner == 'nginxinc' ) }}
runs-on: ubuntu-latest
steps:
- name: Check if we're in the allowed environment
run: |
org_found=0
event_found=0
ref_found=0
user_found=0
ALLOWED_ORGS="nginx nginxinc"
ALLOWED_EVENTS="push workflow_dispatch"
ALLOWED_REFS="refs/heads/main"
ALLOWED_USERS="${{ secrets.ALLOWED_USERS }}"
for org in $ALLOWED_ORGS; do
if [ "$org" == "$GITHUB_REPOSITORY_OWNER" ]; then org_found=1; fi
done
for event in $ALLOWED_EVENTS; do
if [ "$event" == "$GITHUB_EVENT_NAME" ]; then event_found=1; fi
done
for ref in $ALLOWED_REFS; do
if [ ${{ inputs.deployment_env } == 'prod' ]; then
if [ "$ref" == "$GITHUB_REF" ]; then ref_found=1; fi
else
ref_found=1
fi
done
for user in ALLOWED_USERS; do
if [ ${{ inputs.deployment_env } == 'prod' ]; then
if [ "$user" == "$GITHUB_ACTOR" ]; then user_found=1; fi
else
user_found=1
fi
done
if [ $org_found$event_found$ref_found -ne 1111 ]; then
echo "Repository owner, event, ref or actor are not explicitely allowed to use this workflow: $GITHUB_REPOSITORY_OWNER, $GITHUB_EVENT_NAME, $GITHUB_REF, $GITHUB_ACTOR"
exit 1
fi
exit 0
build-staging:
name: build-staging
runs-on: ubuntu-latest
if: ${{ inputs.deployment_env == 'staging' }}
steps:
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y libxslt1-dev xsltproc libxml2-utils netpbm python-is-python3
- name: Checkout
uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
aws-region: ${{ inputs.aws_region }}
- name: Build
if: ${{ inputs.deployment_env == 'staging' }}
run: |
set -e
make all
make gzip
make images
make genapi
make all
make copy NGINX_ORG=www
# Verify build output
if [ ! -d www ]; then
echo "Error: Build did not create www/ directory"
exit 1
fi
- name: Add deployment metadata
if: ${{ inputs.deployment_env == 'staging' }}
run: |
TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
mkdir -p meta
echo "$GITHUB_SHA deployed at $TIMESTAMP" > meta/.deployed.txt
echo "actor=$GITHUB_ACTOR repo=$GITHUB_REPOSITORY" >> meta/.deployed.txt
cp meta/.deployed.txt www/
- name: Compute safe repo name
id: vars
run: |
echo "safe_repo=${GITHUB_REPOSITORY//\//-}" >> "$GITHUB_OUTPUT"
- name: Sync www/ to S3
run: |
aws s3 sync \
www/ \
s3://${{ inputs.s3_bucket }}/${{ steps.vars.outputs.safe_repo }}/staging/${GITHUB_SHA}/ \
--delete --exact-timestamps
- name: Deployment summary
run: |
{
echo "### Deployment Summary"
echo ""
echo "| Key | Value |"
echo "|------------------|-------|"
echo "| deployment_env | ${{ inputs.deployment_env }} |"
echo "| repository | $GITHUB_REPOSITORY |"
echo "| actor | $GITHUB_ACTOR |"
echo "| commit | $GITHUB_SHA |"
echo "| Public URL | https://${{ inputs.url_staging }}/${GITHUB_SHA} |"
} >> $GITHUB_STEP_SUMMARY
build-prod:
name: build-prod
runs-on: ubuntu-latest
if: ${{ inputs.deployment_env == 'prod' }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
aws-region: ${{ inputs.aws_region }}
- name: Compute safe repo name
id: vars
run: |
echo "safe_repo=${GITHUB_REPOSITORY//\//-}" >> "$GITHUB_OUTPUT"
- name: Sync www/ to S3
run: |
aws s3 sync \
s3://${{ inputs.s3_bucket }}/${{ steps.vars.outputs.safe_repo }}/staging/${GITHUB_SHA}/ \
s3://${{ inputs.s3_bucket }}/${{ steps.vars.outputs.safe_repo }}/prod/ \
--delete --exact-timestamps
- name: Check prod deployment
run: |
DEPLOYED_URL="${{ inputs.url_staging }}/${{ steps.vars.outputs.safe_repo }}/${GITHUB_SHA}/.deployed.txt"
for i in {1..10}; do
DEPLOYED_SHA=$(curl -fsSL "$DEPLOYED_URL" 2>/dev/null | awk '{ print $1 }' || echo "")
if [ "$DEPLOYED_SHA" = "$GITHUB_SHA" ]; then
exit 0
else
sleep 60
fi
done
echo "Error: wrong SHA while requesting $DEPLOYED_URL"
exit 1
- name: Deployment summary
run: |
{
echo "### Deployment Summary"
echo ""
echo "| Key | Value |"
echo "|------------------|-------|"
echo "| deployment_env | ${{ inputs.deployment_env }} |"
echo "| repository | $GITHUB_REPOSITORY |"
echo "| actor | $GITHUB_ACTOR |"
echo "| commit | $GITHUB_SHA |"
echo "| Public URL | https://${{ inputs.url_staging }}/preview |"
} >> $GITHUB_STEP_SUMMARY