From a18eeebae10c84b02a8a2f5c5e26e2c638330272 Mon Sep 17 00:00:00 2001 From: OMPRAKASH MISHRA Date: Tue, 10 Jun 2025 14:22:16 -0700 Subject: [PATCH 1/5] fix: pr open for manual deploys --- .github/workflows/pr-open.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 94da4896..967ff825 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -2,6 +2,7 @@ name: PR on: pull_request: + workflow_dispatch: concurrency: @@ -41,8 +42,8 @@ jobs: with: environment_name: dev command: plan - tag: ${{ github.event.number || 'latest' }} # this is the tag of the containers to deploy, defaults to test - app_env: ephermal-${{ github.event.number || 'latest' }} # ephermal, prefixed for easy clean up of PR resources in s3 and dynamodb generated by terraform + tag: ${{ github.event.number || 'latest' }} + app_env: ${{ github.event.number || 'latest' }} # ephermal, prefixed for easy clean up of PR resources in s3 and dynamodb generated by terraform secrets: inherit @@ -51,16 +52,16 @@ jobs: needs: builds uses: ./.github/workflows/.tests.yml with: - tag: ${{ github.event.number }} + tag: ${{ github.event.number || 'latest' }} deploy-to-dev: name: Deploy to Dev if: (github.event_name == 'workflow_dispatch') - needs: [builds, tests] + needs: [builds] uses: ./.github/workflows/.deploy_stack.yml with: environment_name: dev command: apply - tag: latest + tag: manual app_env: dev secrets: inherit results: From 83de0256da5df2bba2627723f6a168c560fc3559 Mon Sep 17 00:00:00 2001 From: OMPRAKASH MISHRA Date: Tue, 10 Jun 2025 14:36:17 -0700 Subject: [PATCH 2/5] fix: trivy permissions --- .github/workflows/.tests.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml index 17aed439..adeb1b76 100644 --- a/.github/workflows/.tests.yml +++ b/.github/workflows/.tests.yml 
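Review bot: The inline comment kept on the new `app_env` line still says the value is "prefixed for easy clean up", but the `ephermal-` prefix was dropped, and on a `workflow_dispatch` run `github.event.number` is empty so both `tag` and `app_env` resolve to `latest`. If the prefix was load-bearing for the terraform S3/DynamoDB clean-up the comment describes, either restore it or replace the comment with `# PR number on pull_request events, 'latest' on workflow_dispatch; no longer prefixed, so clean-up tooling must match on the bare value`. Whether any clean-up job keys on the prefix is not visible in this hunk.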
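Review bot: `deploy-to-dev` now gates only on `builds` (`needs: [builds, tests]` became `needs: [builds]`), so a manual dispatch applies the stack to dev without the unit tests and the Trivy scan in `.tests.yml` having passed, while the workflow runs with write permissions and `secrets: inherit`. Anyone who can dispatch the workflow on any branch can therefore push an unscanned build into dev; unless the `dev` GitHub environment enforces required reviewers (not visible here), keep the test job in the dependency list, `needs: [builds, tests]`. Separately, the deploy passes `tag: manual` while the plan job above passes `${{ github.event.number || 'latest' }}`; the builds job that produces these image tags is outside the hunk, so confirm an image tagged `manual` is actually published on dispatch.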
@@ -76,6 +76,9 @@ jobs: name: Trivy Security Scan if: ${{ ! github.event.pull_request.draft }} runs-on: ubuntu-24.04 + permissions: + contents: read # This is required for actions/checkout + security-events: write # This is required to upload SARIF results to the Security tab timeout-minutes: 1 steps: - uses: actions/checkout@v4 From 2ded8372de255c537d08d9cc1a1b61f8a059ef83 Mon Sep 17 00:00:00 2001 From: OMPRAKASH MISHRA Date: Tue, 10 Jun 2025 14:50:19 -0700 Subject: [PATCH 3/5] fix: add resume before deploy --- .github/workflows/pr-open.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 967ff825..7be7e4cf 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -53,10 +53,16 @@ jobs: uses: ./.github/workflows/.tests.yml with: tag: ${{ github.event.number || 'latest' }} + resume-resources-dev: + name: Resume Resources Dev + if: (github.event_name == 'workflow_dispatch') + needs: [builds] + uses: ./.github/workflows/resume-resources.yml + secrets: inherit deploy-to-dev: name: Deploy to Dev if: (github.event_name == 'workflow_dispatch') - needs: [builds] + needs: [resume-resources-dev] uses: ./.github/workflows/.deploy_stack.yml with: environment_name: dev From cfe720857a504989b2c19d449573a0057470d27b Mon Sep 17 00:00:00 2001 From: OMPRAKASH MISHRA Date: Tue, 10 Jun 2025 14:52:59 -0700 Subject: [PATCH 4/5] fix: permissions --- .github/workflows/pr-open.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 7be7e4cf..96d04e43 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -14,6 +14,7 @@ permissions: contents: write # This is required for actions/checkout packages: write pull-requests: write + security-events: write env: AWS_REGION: ca-central-1 jobs: 
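Review bot: The job-level `permissions` block only takes effect when the caller grants at least these scopes, because `.tests.yml` is invoked via `uses:` and a called workflow can downgrade but never elevate the calling workflow's token; on a `pull_request` run from a fork the token is read-only in any case, so the SARIF upload will be denied there. A comment on the block would save the next reader a debugging session: `# Callers must grant security-events: write; fork PRs receive a read-only token and the upload step fails`. `timeout-minutes: 1` is unchanged context but is tight for a scan that first downloads the vulnerability database.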
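Review bot: `resume-resources-dev` is added with `secrets: inherit` but no `with:` inputs and no job-level `permissions`, so it receives every repository secret and the workflow-level write scopes; if `resume-resources.yml` only needs cloud credentials, give it `permissions: contents: read` and pass the specific secrets it consumes. Re-pointing `deploy-to-dev` to `needs: [resume-resources-dev]` still leaves the test job outside the gate for manual deployments, since the chain is only resume → builds. The resume workflow itself is not visible here, so which secrets it actually reads has to be confirmed against that file.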
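Review bot: The workflow-level `permissions` block, now extended with `security-events: write`, grants `contents: write`, `packages: write` and `pull-requests: write` to every job in the run, although the comment on `contents: write` says it is "required for actions/checkout" and checkout only needs `contents: read`. Since the Trivy job in `.tests.yml` now declares its own minimal scopes, the least-privilege shape is a small top-level default, `permissions:` / `  contents: read`, with `packages: write` only on the job that pushes images and `pull-requests: write` only on the job that comments. Which jobs need each write scope is not visible in this hunk, so audit them before narrowing.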
@@ -46,7 +47,6 @@ jobs: app_env: ${{ github.event.number || 'latest' }} # ephermal, prefixed for easy clean up of PR resources in s3 and dynamodb generated by terraform secrets: inherit - tests: name: Tests needs: builds From 8b1a8dd9e91c02843b06ad3f667d73d77a2823db Mon Sep 17 00:00:00 2001 From: OMPRAKASH MISHRA Date: Tue, 10 Jun 2025 15:52:37 -0700 Subject: [PATCH 5/5] chore: docs --- GHA.md | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/GHA.md b/GHA.md index 1014a8f4..ea46b319 100644 --- a/GHA.md +++ b/GHA.md 
@@ -14,21 +14,29 @@ The workflows in this repository are organized into three main categories: ### `pr-open.yml` -**Trigger**: Pull request open or update +**Trigger**: +- Pull request open or update +- Manual workflow dispatch (for deploying to dev environment) -**Purpose**: Validates the proposed changes to ensure they meet quality standards and work as expected. +**Purpose**: Validates the proposed changes to ensure they meet quality standards and work as expected. Additionally allows manual deployment to the dev environment through workflow dispatch. **Steps**: -1. Builds container images for backend, frontend, and migrations, tagging them with the PR number +1. Builds container images for backend, frontend, and migrations, tagging them with: + - The PR number (for PR events) + - 'manual' tag (for workflow dispatch events) + - 'latest' tag + - 'pr-{number}' tag 2. Runs comprehensive tests on the codebase including: - Backend unit tests with a PostgreSQL service container - Frontend unit tests - Security scanning with Trivy 3. SonarCloud analysis for code quality -4. Creates a preview environment (when comments contain `/deploy`) -5. Runs end-to-end tests using Playwright +4. Plans infrastructure changes using Terraform/Terragrunt +5. For workflow dispatch events: + - Resumes any paused resources in the dev environment + - Deploys the stack to the dev environment for testing -**Outputs**: Container images tagged with PR number, test results, SonarCloud reports +**Outputs**: Container images with appropriate tags, test results, SonarCloud reports, and (for workflow dispatch) a deployed environment ### `pr-validate.yml` 
@@ -198,8 +206,10 @@ The workflows in this repository are organized into three main categories: The workflows use the following environment configurations: 1. **Development (dev)**: Used for continuous integration and feature testing + - Can be deployed manually via workflow dispatch on the PR workflow + - Serves as the target for merged PRs from the main branch 2. **Testing (test)**: Used for QA and acceptance testing -3. **Production (prod)**: Used for live production deployments +3. **Production (prod)**: Used for live production deployments via the release workflow ## Required Secrets @@ -223,6 +233,12 @@ GitHub Event (PR, Push, etc.) │ │ │ ├─── Test (calls .tests.yml) │ │ + │ ├─── Manual Workflow Dispatch─┐ + │ │ │ + │ │ ▼ + │ │ Resume Resources + │ │ │ + │ │ ▼ │ ├─── Deploy (calls .deploy_stack.yml) │ │ │ │ │ └─── Deploy Components (database, api, frontend) @@ -245,6 +261,10 @@ When customizing these workflows: 3. Test changes thoroughly in isolation before merging 4. Consider impacts on automated resource management 5. Update documentation when changing workflow behavior +6. When using manual workflow dispatch for deployments: + - Ensure proper resource resume/pause mechanisms are in place + - Use consistent tagging strategies between PR-based and manual deployments + - Consider adding validation steps after manual deployments to verify success ## Troubleshooting