10. Github Actions & CI‐CD

Daniel Trolezi edited this page Oct 5, 2024 · 17 revisions

Templates

CI/CD

The following workflows are part of a CI/CD setup:

  • tests-n-cs.yaml:
    • Reusable workflow; it runs the tests and the code sniffer.
  • pull-request.yaml:
    • Runs for every PR targeting master.
    • Calls tests-n-cs.
    • Builds the Docker images.
  • ci-cd.yaml:
    • Runs for every merge to master.
    • Calls tests-n-cs.
    • Builds the Docker images.
    • Uploads the Docker images to AWS ECR.
    • Deploys to AWS ECS.

Examples

Requirements

To have these workflows running you need to:

  1. Copy the workflow files to .github/workflows;
  2. Create the resources described in the AWS list below.

AWS

Create an IAM user whose access keys will be stored as the repository secrets listed below, and attach a policy like the following, replacing the placeholder ARNs. ecr:GetAuthorizationToken and ecs:RegisterTaskDefinition do not support resource-level permissions, so those two statements must use "*"; everything else is scoped to the specific repository, service and role ARNs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ECRPermissions",
            "Effect": "Allow",
            "Action": [
                "ecr:CompleteLayerUpload",
                "ecr:TagResource",
                "ecr:UploadLayerPart",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:BatchGetImage"
            ],
            "Resource": "<repository_arn>"
        },
        {
            "Sid": "GetAuthTokenGlobalScope",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        },
        {
            "Sid": "ECSPermissions",
            "Effect": "Allow",
            "Action": [
                "ecs:RegisterTaskDefinition"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ECSClusterPermissions",
            "Effect": "Allow",
            "Action": [
                "ecs:UpdateService"
            ],
            "Resource": "<ecs_service_arn>"
        },
        {
            "Sid": "IAMRoles",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "<ecs_task_execution_role_arn>",
                "<ecs_task_role_arn>"
            ]
        }
    ]
}

Repository secrets and variables

Make sure to create the following secrets and variables for the repository:

Secrets:

AWS_ACCESS_KEY_ID       # IAM User's Access Key ID
AWS_SECRET_ACCESS_KEY   # IAM User's Secret Access Key
ECR_REPOSITORY_URI      # Complete URI of the Repository, including directories
ECS_TASK_EXEC_ROLE      # ECS Task Execution Role ARN (ECS Container Agent)
ECS_TASK_ROLE           # ECS Task Role ARN (Container)
SSM_NAMESPACE           # ARN w/o Parameter Name and no "/" at the end

Variables:

AWS_REGION              # ex: us-east-1
DOCKER_IMAGE_TAG        # ex: codelab92/laravel-app
ECS_CLUSTER             # ex: codelab92-c1
ECS_SERVICE_NAME        # ex: laravel-app
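
As an added example (not the project's own workflow files), here is one way the three workflows described under CI/CD above can be wired together using exactly the secrets and variables listed in this section. Each file is shown in one block, separated by comments with its path. Assumed, not taken from the page: the setup-php action and PHP version, the phpunit/phpcs commands, the task definition template path ecs/task-definition.template.json, the container name laravel-app, and the use of envsubst to fill the role ARNs and SSM namespace into that template.

```yaml
# --- .github/workflows/tests-n-cs.yaml (reusable workflow) ---
name: tests-n-cs
on:
  workflow_call:                  # only callable from other workflows
permissions:
  contents: read                  # least privilege: only reads the checkout
jobs:
  tests-n-cs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2   # assumed tool choice
        with:
          php-version: '8.3'              # assumed version
      - run: composer install --no-interaction --prefer-dist
      - run: vendor/bin/phpunit           # the "tests" (assumed command)
      - run: vendor/bin/phpcs             # the "code sniffer" (assumed command)

# --- .github/workflows/pull-request.yaml ---
name: pull-request
on:
  pull_request:
    branches: [master]
permissions:
  contents: read
jobs:
  tests-n-cs:
    uses: ./.github/workflows/tests-n-cs.yaml
  build:
    needs: tests-n-cs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Build only: PR runs never receive the AWS credentials, so a PR
      # cannot push an image or trigger a deployment.
      - run: docker build -t ${{ vars.DOCKER_IMAGE_TAG }}:${{ github.sha }} .

# --- .github/workflows/ci-cd.yaml ---
name: ci-cd
on:
  push:
    branches: [master]
permissions:
  contents: read
concurrency: deploy-${{ github.ref }}   # serialize deployments per branch
jobs:
  tests-n-cs:
    uses: ./.github/workflows/tests-n-cs.yaml
  deploy:
    needs: tests-n-cs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.AWS_REGION }}
      - uses: aws-actions/amazon-ecr-login@v2
      - name: Build and push image tagged with the commit SHA
        run: |
          IMAGE="${{ secrets.ECR_REPOSITORY_URI }}:${{ github.sha }}"
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
      - name: Fill role ARNs and SSM namespace into the task definition (assumed template)
        run: envsubst < ecs/task-definition.template.json > ecs/task-definition.json
        env:
          ECS_TASK_EXEC_ROLE: ${{ secrets.ECS_TASK_EXEC_ROLE }}
          ECS_TASK_ROLE: ${{ secrets.ECS_TASK_ROLE }}
          SSM_NAMESPACE: ${{ secrets.SSM_NAMESPACE }}
      - name: Point the container at the freshly pushed image
        id: render
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: ecs/task-definition.json
          container-name: laravel-app               # assumed container name
          image: ${{ secrets.ECR_REPOSITORY_URI }}:${{ github.sha }}
      - name: Register the task definition and update the service
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render.outputs.task-definition }}
          service: ${{ vars.ECS_SERVICE_NAME }}
          cluster: ${{ vars.ECS_CLUSTER }}
          wait-for-service-stability: true
```

Two design points worth noting. Every workflow sets permissions: contents: read, so the GITHUB_TOKEN handed to the job cannot write to the repository even if a step is compromised. The AWS credentials are only referenced in ci-cd.yaml, which runs on pushes to master; the pull-request workflow builds the image but never logs in to ECR or touches ECS, which matches the IAM policy above being the only path to a deployment.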

Repository Settings

Additionally, to enforce quality, you can protect the main branch of your repository by adding a ruleset with the following options:

  • If needed, add Repository admin in Bypass list
  • Restrict deletions
  • Require a pull request before merging
  • Require status checks to pass
  • Require branches to be up to date before merging
  • Block force pushes

References