10. Github Actions & CI‐CD

Daniel Trolezi edited this page Sep 20, 2024 · 17 revisions

This repository uses Github Actions.

Workflows

Templates can be found here: .github/workflows

CI/CD

The following workflows are part of a CI/CD setup:

  • tests-n-cs.yaml:
    • Reusable workflow; runs the tests and the code sniffer.
  • pull-request.yaml:
    • Runs for every PR targeting master.
    • Calls tests-n-cs.
    • Builds Docker images.
  • ci-cd.yaml:
    • Runs for every merge to master.
    • Calls tests-n-cs.
    • Builds Docker images.
    • Uploads Docker images to AWS ECR.
    • Deploys to AWS ECS.

Requirements

Below is the list of requirements to have this setup working.

AWS

  • ECR Repository
    • Remember to add lifecycle policy
  • ECS cluster
    • [DOC - WIP]
  • IAM User with the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ECRPermissions",
            "Effect": "Allow",
            "Action": [
                "ecr:CompleteLayerUpload",
                "ecr:TagResource",
                "ecr:UploadLayerPart",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:BatchGetImage"
            ],
            "Resource": "<ecr_repository_uri>"
        },
        {
            "Sid": "GetAuthTokenGlobalScope",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        },
        {
            "Sid": "ECSPermissions",
            "Effect": "Allow",
            "Action": [
                "ecs:RegisterTaskDefinition"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ECSClusterPermissions",
            "Effect": "Allow",
            "Action": [
                "ecs:UpdateService",
                "ecs:DescribeServices"
            ],
            "Resource": "<ecs_cluster_arn>"
        },
        {
            "Sid": "IAMRoles",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "<ecs_task_execution_role>"
            ]
        }
    ]
}

Environment secrets and variables

Make sure to create the following secrets and variables for the repository:

Secrets:

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
ECR_REPOSITORY_URI 
ECS_TASK_EXEC_ROLE      # Role ARN
SSM_NAMESPACE           # ARN w/o Parameter Name

Variables:

AWS_REGION
DOCKER_IMAGE_TAG
ECS_CLUSTER             # Cluster name
ECS_SERVICE_NAME
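As an added example (not the repository's own ci-cd.yaml), this is how the ci-cd flow described above can be wired to the secrets and variables listed in this section: tests-n-cs is called as a reusable workflow, the image is built and pushed only after it passes, and a per-commit tag is deployed so the running task definition points at one specific build. The task-definition path and the container name are assumptions.

```yaml
# ci-cd.yaml (example layout; the real file in the repo may differ)
name: ci-cd

on:
  push:
    branches: [master]

# Least-privilege GITHUB_TOKEN: these jobs only need to read the repository.
permissions:
  contents: read

jobs:
  tests-n-cs:
    # Same-repo reusable workflow; tests-n-cs.yaml must declare `on: workflow_call`.
    uses: ./.github/workflows/tests-n-cs.yaml

  build-push-deploy:
    needs: tests-n-cs   # nothing is built or shipped unless tests and code sniffer pass
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.AWS_REGION }}

      - uses: aws-actions/amazon-ecr-login@v2

      - name: Build and push image
        env:   # pass values through env rather than interpolating them into the script
          REPO: ${{ secrets.ECR_REPOSITORY_URI }}
          TAG: ${{ vars.DOCKER_IMAGE_TAG }}
        run: |
          # Immutable per-commit tag for traceability, plus the moving tag from DOCKER_IMAGE_TAG
          docker build -t "$REPO:$GITHUB_SHA" -t "$REPO:$TAG" .
          docker push --all-tags "$REPO"

      - name: Render task definition with the per-commit image
        id: render
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: .aws/task-definition.json   # assumed path
          container-name: app                          # assumed container name
          image: ${{ secrets.ECR_REPOSITORY_URI }}:${{ github.sha }}

      - uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render.outputs.task-definition }}
          cluster: ${{ vars.ECS_CLUSTER }}
          service: ${{ vars.ECS_SERVICE_NAME }}
          wait-for-service-stability: true
```

The deploy step registers a new task definition and updates the service, which is exactly what the ecs:RegisterTaskDefinition, ecs:UpdateService, ecs:DescribeServices and iam:PassRole grants in the IAM policy above allow.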

Repository Settings

Additionally, to enforce quality, you can protect the main branch of your repository by adding a RuleSet with the following options:

  • If needed, add Repository admin in Bypass list
  • Restrict deletions
  • Require a pull request before merging
  • Require status checks to pass
  • Require branches to be up to date before merging
  • Block force pushes

References