feat(nx-fly-deployment-action): add support for env and secrets

closed COD-212

Author: hakalb

.github/workflows/fly-deployment.yml

@@ -89,6 +89,8 @@ jobs:
           main-branch-name: main
           set-environment-variables-for-job: true
 
+      # TODO: Fetch all tenants and make a deployment for each with their `TENANT_ID`
+      # TODO: Alternatively, create a new input with multi-tenant values
       - name: Run Deployment to Fly
         id: deployment
         uses: ./packages/nx-fly-deployment-action
@@ -97,3 +99,8 @@ jobs:
           fly-org: ${{ vars.FLY_ORG }}
           fly-region: ${{ vars.FLY_REGION }}
           token: ${{ steps.generate-token.outputs.token }}
+          env: |
+            TENANT_ID=default
+          secrets: |
+            INFISICAL_CLIENT_ID=${{ secrets.INFISICAL_READ_CLIENT_ID }}
+            INFISICAL_CLIENT_SECRET=${{ secrets.INFISICAL_READ_CLIENT_SECRET }}

packages/nx-fly-deployment-action/README.md

@@ -56,11 +56,40 @@ This action will manage deployments to [Fly.io](https://fly.io) of your [Nx](htt
     token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
-### Outputs
+### Determine environment
+
+The environment to deploy to is determined by the event type and branch name.
+
+**Pull requests** are deployed to a **preview** environment.
+
+**Push events** on the `main` branch are deployed to the **production** environment.
+
+> [!TIP]
+> The environment is also set in the `DEPLOY_ENV` environment variable for the deployed applications
+
+## Inputs
+
+See [action.yaml](action.yml) for descriptions of the inputs.
+
+### Additional input details
+
+`secrets`
 
-The action will output the following variables:
+The secrets are passed to the deployed applications as Fly secrets. All secrets are passed to all applications.
+
+Provide the secrets as multiline key/value strings.
+
+```yaml
+- uses: ./packages/nx-fly-deployment-action
+  with:
+    secrets: |
+      SECRET_KEY1=secret-value1
+      SECRET_KEY2=secret-value2
+```
+
+> [!NOTE]
+> The same pattern also applies to `env` input.
+
+### Outputs
 
-- `environment`: The environment used for deployment.
-- `destroyed`: A list of project names that were destroyed.
-- `skipped`: A list of project names that were skipped for some reason.
-- `deployed`: JSON object containing the deployed project names and their urls.
+See [action.yaml](action.yml) for descriptions of the outputs.

packages/nx-fly-deployment-action/action.yml

@@ -20,6 +20,16 @@ inputs:
     description: >
       The main branch name.
       Defaults to the default branch of the repository.
+  env:
+    description: >
+      A multiline string of environment variables to set for the application.
+      Each variable should be on a new line in the format of `KEY=VALUE`.
+      Defaults to an empty string.
+  secrets:
+    description: >
+      A multiline string of secrets to pass to the deployed applications.
+      Each secret should be on a new line in the format of `KEY=VALUE`.
+      Defaults to an empty string.
   token:
     description: >
       The token to use for repository authentication.

packages/nx-fly-deployment-action/src/lib/__snapshots__/schemas.spec.ts.snap

@@ -2,10 +2,18 @@
 
 exports[`Fly Deployment Action schema validation > validates all schemas against fixtures > ActionInputsSchema transformed shape 1`] = `
 {
+  "env": [
+    "ENV_KEY1=env-value1",
+    "ENV_KEY2=env-value2",
+  ],
   "flyApiToken": "fly-token",
   "flyOrg": "company",
   "flyRegion": "sea",
   "mainBranch": "main",
+  "secrets": [
+    "SECRET_KEY1=secret-value1",
+    "SECRET_KEY2=secret-value2",
+  ],
   "token": "github-token",
 }
 `;
@@ -46,6 +54,10 @@ exports[`Fly Deployment Action schema validation > validates all schemas against
     "token": "fly-token",
   },
   "mainBranch": "main",
+  "secrets": {
+    "SECRET_KEY1": "secret-value1",
+    "SECRET_KEY2": "secret-value2",
+  },
   "token": "github-token",
 }
 `;

packages/nx-fly-deployment-action/src/lib/fly-deployment.spec.ts

@@ -278,10 +278,12 @@ describe('flyDeployment', () => {
   const setupTest = (configOverride?: Partial<ActionInputs>): ActionInputs => {
     return {
       ...{
+        env: [],
         flyApiToken: 'fly-api-token',
         flyOrg: 'fly-org',
         flyRegion: '',
         mainBranch: '',
+        secrets: [],
         token: 'token'
       },
       ...configOverride
@@ -303,10 +305,12 @@ describe('flyDeployment', () => {
       const config = setupTest();
 
       expect(config).toEqual({
+        env: [],
         flyApiToken: 'fly-api-token',
         flyOrg: 'fly-org',
         flyRegion: '',
         mainBranch: '',
+        secrets: [],
         token: 'token'
       } satisfies ActionInputs);
 
@@ -435,6 +439,64 @@ describe('flyDeployment', () => {
         ]
       } satisfies ActionOutputs);
     });
+
+    it('should deploy apps to preview with environment variables', async () => {
+      setContext('pr-opened');
+      setupMocks();
+      const config = setupTest({
+        env: ['ENV_KEY1=env-value1', 'ENV_KEY2=env-value2']
+      });
+      await flyDeployment(config, true);
+
+      expect(getMockFly().deploy).toHaveBeenCalledWith({
+        app: 'app-one-config-pr-1',
+        config: '/apps/app-one/fly.toml',
+        environment: 'preview',
+        env: {
+          ENV_KEY1: 'env-value1',
+          ENV_KEY2: 'env-value2'
+        }
+      } satisfies DeployAppOptions);
+
+      expect(getMockFly().deploy).toHaveBeenCalledWith({
+        app: 'app-two-config-pr-1',
+        config: '/apps/app-two/src/fly.toml',
+        environment: 'preview',
+        env: {
+          ENV_KEY1: 'env-value1',
+          ENV_KEY2: 'env-value2'
+        }
+      } satisfies DeployAppOptions);
+    });
+
+    it('should deploy apps to preview with the same secrets', async () => {
+      setContext('pr-opened');
+      setupMocks();
+      const config = setupTest({
+        secrets: ['SECRET_KEY1=secret-value1', 'SECRET_KEY2=secret-value2']
+      });
+      await flyDeployment(config, true);
+
+      expect(getMockFly().deploy).toHaveBeenCalledWith({
+        app: 'app-one-config-pr-1',
+        config: '/apps/app-one/fly.toml',
+        environment: 'preview',
+        secrets: {
+          SECRET_KEY1: 'secret-value1',
+          SECRET_KEY2: 'secret-value2'
+        }
+      } satisfies DeployAppOptions);
+
+      expect(getMockFly().deploy).toHaveBeenCalledWith({
+        app: 'app-two-config-pr-1',
+        config: '/apps/app-two/src/fly.toml',
+        environment: 'preview',
+        secrets: {
+          SECRET_KEY1: 'secret-value1',
+          SECRET_KEY2: 'secret-value2'
+        }
+      } satisfies DeployAppOptions);
+    });
   });
 
   describe('destroy preview', () => {
@@ -594,6 +656,76 @@ describe('flyDeployment', () => {
         ]
       } satisfies ActionOutputs);
     });
+
+    it('should deploy apps to production with environment variables', async () => {
+      setContext('push-main-branch');
+      setupMocks();
+      const config = setupTest({
+        env: [
+          'ENV_KEY1=env"fnutt',
+          'ENV_KEY2=env space',
+          'ENV_KEY3=env\\backslash'
+        ]
+      });
+      await flyDeployment(config, true);
+
+      expect(getMockFly().deploy).toHaveBeenCalledWith({
+        app: 'app-one-config',
+        config: '/apps/app-one/fly.toml',
+        environment: 'production',
+        env: {
+          ENV_KEY1: 'env"fnutt',
+          ENV_KEY2: 'env space',
+          ENV_KEY3: 'env\\backslash'
+        }
+      } satisfies DeployAppOptions);
+
+      expect(getMockFly().deploy).toHaveBeenCalledWith({
+        app: 'app-two-config',
+        config: '/apps/app-two/src/fly.toml',
+        environment: 'production',
+        env: {
+          ENV_KEY1: 'env"fnutt',
+          ENV_KEY2: 'env space',
+          ENV_KEY3: 'env\\backslash'
+        }
+      } satisfies DeployAppOptions);
+    });
+
+    it('should deploy apps to production with the same secrets', async () => {
+      setContext('push-main-branch');
+      setupMocks();
+      const config = setupTest({
+        secrets: [
+          'SECRET_KEY1=secret"fnutt',
+          'SECRET_KEY2=secret space',
+          'SECRET_KEY3=secret\\backslash'
+        ]
+      });
+      await flyDeployment(config, true);
+
+      expect(getMockFly().deploy).toHaveBeenCalledWith({
+        app: 'app-one-config',
+        config: '/apps/app-one/fly.toml',
+        environment: 'production',
+        secrets: {
+          SECRET_KEY1: 'secret"fnutt',
+          SECRET_KEY2: 'secret space',
+          SECRET_KEY3: 'secret\\backslash'
+        }
+      } satisfies DeployAppOptions);
+
+      expect(getMockFly().deploy).toHaveBeenCalledWith({
+        app: 'app-two-config',
+        config: '/apps/app-two/src/fly.toml',
+        environment: 'production',
+        secrets: {
+          SECRET_KEY1: 'secret"fnutt',
+          SECRET_KEY2: 'secret space',
+          SECRET_KEY3: 'secret\\backslash'
+        }
+      } satisfies DeployAppOptions);
+    });
   });
 
   describe('error handling', () => {

packages/nx-fly-deployment-action/src/lib/fly-deployment.ts

@@ -50,6 +50,8 @@ export async function flyDeployment(
 
     core.startGroup('Get deployment configuration');
     const config = await getDeploymentConfig(inputs);
+    // Add environment variables to context
+    context.env = config.env;
     core.endGroup();
 
     core.startGroup('Initialize Fly client');
@@ -73,6 +75,7 @@ export async function flyDeployment(
     );
     const deployEnv = getDeployEnv(github.context, config.mainBranch);
     if (deployEnv.environment) {
+      // Add target environment to context
       context.environment = deployEnv.environment;
     } else {
       throw new Error(deployEnv.reason);
@@ -130,6 +133,9 @@ export async function flyDeployment(
       return ActionOutputsSchema.parse(results);
     }
 
+    // Add secrets to context available for deployment
+    context.secrets = config.secrets;
+
     // Create deployments based on affected projects
     core.startGroup('Analyze affected projects to deploy');
     const projectNames = await getDeployableProjects();
@@ -232,7 +238,9 @@ export async function flyDeployment(
             ? getPreviewAppName(configAppName, Number(context.pullRequest))
             : configAppName,
         config: resolvedFlyConfig,
-        environment: context.environment
+        env: context.env,
+        environment: context.environment,
+        secrets: context.secrets
       };
       core.info(`Deploy '${options.app}' to '${options.environment}'...`);
       try {

packages/nx-fly-deployment-action/src/lib/main.spec.ts

@@ -19,6 +19,7 @@ vi.mock('./fly-deployment');
 describe('main', () => {
   const getBooleanInputMock = vi.spyOn(core, 'getBooleanInput');
   const getInputMock = vi.spyOn(core, 'getInput');
+  const getMultilineInputMock = vi.spyOn(core, 'getMultilineInput');
   const setFailedMock = vi.spyOn(core, 'setFailed');
   const setOutputMock = vi.spyOn(core, 'setOutput');
 
@@ -31,6 +32,7 @@ describe('main', () => {
     // Default mock values
     getBooleanInputMock.mockImplementation(() => true);
     getInputMock.mockImplementation((name: string) => name);
+    getMultilineInputMock.mockImplementation(() => []);
   });
 
   it('should run without exceptions', async () => {
@@ -47,10 +49,12 @@ describe('main', () => {
     await main.run();
 
     expect(flyDeploymentMock).toHaveBeenCalledWith({
-      mainBranch: 'main-branch',
+      env: [],
       flyApiToken: 'fly-api-token',
       flyOrg: 'fly-org',
       flyRegion: 'fly-region',
+      mainBranch: 'main-branch',
+      secrets: [],
       token: 'token'
     } satisfies ActionInputs);
     expect(runMock).toHaveReturned();
@@ -68,10 +72,12 @@ describe('main', () => {
     await main.run();
 
     expect(flyDeploymentMock).toHaveBeenCalledWith({
+      env: [],
       flyApiToken: '',
       flyOrg: '',
       flyRegion: '',
       mainBranch: '',
+      secrets: [],
       token: 'token'
     } satisfies ActionInputs);
     expect(runMock).toHaveReturned();

packages/nx-fly-deployment-action/src/lib/main.ts

@@ -12,10 +12,12 @@ import {
 export async function run(): Promise<void> {
   try {
     const inputs = ActionInputsSchema.parse({
+      env: core.getMultilineInput('env'),
       flyApiToken: core.getInput('fly-api-token'),
       flyOrg: core.getInput('fly-org'),
       flyRegion: core.getInput('fly-region'),
       mainBranch: core.getInput('main-branch'),
+      secrets: core.getMultilineInput('secrets'),
       token: core.getInput('token', { required: true })
     } satisfies ActionInputs);
 

packages/nx-fly-deployment-action/src/lib/schemas/__fixtures__/action-inputs.json

@@ -3,5 +3,7 @@
   "flyOrg": "company",
   "flyRegion": "sea",
   "mainBranch": "main",
+  "env": ["ENV_KEY1=env-value1", "ENV_KEY2=env-value2"],
+  "secrets": ["SECRET_KEY1=secret-value1", "SECRET_KEY2=secret-value2"],
   "token": "github-token"
 }

packages/nx-fly-deployment-action/src/lib/schemas/__fixtures__/deployment-config.json

@@ -6,5 +6,9 @@
     "region": "sea"
   },
   "mainBranch": "main",
+  "secrets": {
+    "SECRET_KEY1": "secret-value1",
+    "SECRET_KEY2": "secret-value2"
+  },
   "token": "github-token"
 }