feat(infra): added env var for Amplify & update github workflows to u…

…se local files (#2508)
gitcoinco · May 27, 2024 · c7ac5b9 · c7ac5b9
1 parent f385008
commit c7ac5b9
Show file tree

Hide file tree

Showing 10 changed files with 698 additions and 1 deletion.
diff --git a/.github/workflows/deploy_to_aws.yml b/.github/workflows/deploy_to_aws.yml
@@ -0,0 +1,144 @@
+name: Deploy to AWS
+
+on:
+  workflow_call:
+    inputs:
+      repository:
+        description: "Repository in format owner/repo"
+        required: true
+        type: string
+      refspec:
+        description: "Commit ref"
+        required: true
+        type: string
+      docker_tag:
+        description: "Commit short SHA"
+        required: true
+        type: string
+      stack_name:
+        required: true
+        type: string
+      pulumi_working_dir:
+        required: true
+        type: string
+      pulumi_region:
+        required: true
+        type: string
+      pulumi_cmd: 
+        required: true
+        description: "Options: up or preview"
+        type: string
+      domain:
+        required: true
+        type: string
+      staking_app_github_url:
+        required: true
+        type: string
+      staking_app_enable_auth:
+        required: true
+        type: string
+      staking_app_basic_auth_username:
+        required: true
+        type: string
+    secrets:
+      PULUMI_ACCESS_TOKEN:
+        required: true
+      AWS_ACCESS_KEY_ID:
+        required: true
+      AWS_SECRET_ACCESS_KEY:
+        required: true
+      ECR_URL:
+        required: true
+      ROUTE53_ZONE_ID:
+        required: true
+      IAM_SERVER_SSM_ARN:
+        required: true
+      PAGERDUTY_INTEGRATION_ENDPOINT:
+        required: true
+      PASSPORT_VC_SECRETS_ARN:
+        required: true
+      STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY:
+        required: true
+      STAKING_APP_BASIC_AUTH_PASSWORD:
+        required: true
+      STAKING_DATADOG_CLIENT_TOKEN_STAGING: 
+        required: true
+      STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION:
+        required: true
+      STAKING_MAINNET_RPC_URL:
+        required: true
+      STAKING_OP_SEPOLIA_RPC_URL:
+        required: true
+      STAKING_OP_RPC_URL:
+        required: true
+      CLOUDFLARE_API_TOKEN:
+        required: true # required only for production
+      CLOUDFLARE_ZONE_ID:
+        required: true # required only for production
+      STAKING_WALLET_CONNECT_PROJECT_ID:
+        required: true
+      STAKING_INTERCOM_APP_ID:
+        required: true
+      STAKING_ARBITRUM_RPC_URL: 
+        required: true
+
+
+jobs:
+  deploy_to_aws:
+    name: Deploy to AWS
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.refspec }}
+      - name: Use Node.js
+        uses: actions/setup-node@v2
+        with:
+          cache: "yarn"
+          cache-dependency-path: infra/yarn.lock
+      # Update the pulumi stack with new image
+      - run: |
+          npm install
+          cd aws
+          pulumi stack select -c ${{ inputs.stack_name }}
+          pulumi config -s ${{ inputs.stack_name }} set aws:region ${{ inputs.pulumi_region }} --non-interactive
+        working-directory: infra
+        env:
+          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+      - uses: pulumi/actions@v3
+        id: pulumi
+        with:
+          command: ${{ inputs.pulumi_cmd }} # preview or up
+          stack-name: ${{ inputs.stack_name }}
+          upsert: false
+          work-dir: ${{ inputs.pulumi_working_dir }}
+        env:
+          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: us-west-2
+          DOCKER_GTC_PASSPORT_IAM_IMAGE: ${{secrets.ECR_URL}}:${{ inputs.docker_tag }}
+          ROUTE_53_ZONE: ${{ secrets.ROUTE53_ZONE_ID }}
+          ROUTE_53_DOMAIN: ${{ inputs.domain }}
+          DOMAIN: ${{ inputs.domain }}
+          IAM_SERVER_SSM_ARN: ${{ secrets.IAM_SERVER_SSM_ARN }}
+          PAGERDUTY_INTEGRATION_ENDPOINT: ${{ secrets.PAGERDUTY_INTEGRATION_ENDPOINT }}
+          PASSPORT_VC_SECRETS_ARN: ${{ secrets.PASSPORT_VC_SECRETS_ARN }}
+
+          STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY: ${{ secrets.STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY }}
+          STAKING_APP_BASIC_AUTH_PASSWORD: ${{ secrets.STAKING_APP_BASIC_AUTH_PASSWORD }}
+
+          STAKING_APP_GITHUB_URL: ${{ inputs.staking_app_github_url }}
+          STAKING_APP_ENABLE_AUTH: ${{ inputs.staking_app_enable_auth }}
+          STAKING_APP_BASIC_AUTH_USERNAME: ${{ inputs.staking_app_basic_auth_username }}
+
+          STAKING_DATADOG_CLIENT_TOKEN_STAGING: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_STAGING }}
+          STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION }}
+          STAKING_MAINNET_RPC_URL: ${{ secrets.STAKING_MAINNET_RPC_URL }}
+          STAKING_OP_SEPOLIA_RPC_URL: ${{ secrets.STAKING_OP_SEPOLIA_RPC_URL }}
+          STAKING_OP_RPC_URL: ${{ secrets.STAKING_OP_RPC_URL }}
+
+          # cloudflare config : just for production
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
diff --git a/.github/workflows/deploy_to_branch.yml b/.github/workflows/deploy_to_branch.yml
@@ -0,0 +1,38 @@
+name: Deploy to Branch (Release Frontend)
+
+on:
+  workflow_call:
+    inputs:
+      refspec:
+        required: true
+        type: string
+      owner:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      destination_branch:
+        required: true
+        type: string
+
+
+permissions: write-all
+jobs:
+  deploy_to_branch:
+    name: Deploy to Branch
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.github_token }}
+          ref: main
+          fetch-depth: 0
+      - name: Push to Branch
+        run: |
+          git fetch
+          git checkout -b ${{ inputs.destination_branch }} 
+          git reset --hard ${{ inputs.refspec }}
+          git reset HEAD -- .github/workflows
+          git remote set-url origin https://${{ secrets.github_token }}@github.com/${{ inputs.owner }}/${{ inputs.repo }}.git
+          git push origin ${{ inputs.destination_branch }} -f
diff --git a/.github/workflows/dockerize.yml b/.github/workflows/dockerize.yml
@@ -0,0 +1,104 @@
+name: Dockerize
+
+on:
+  workflow_call:
+    inputs:
+      repository:
+        description: "Repository in format owner/repo"
+        required: true
+        type: string
+      refspec:
+        description: "Commit ref"
+        required: true
+        type: string
+      docker_tag:
+        description: "Commit short SHA"
+        required: true
+        type: string
+      ecr_repository:
+        required: true
+        type: string
+    secrets:
+      aws_access_key_id_staging:
+        required: true
+      aws_secret_access_key_staging:
+        required: true
+      aws_access_key_id_production:
+        required: true
+      aws_secret_access_key_production:
+        required: true
+
+jobs:
+  dockerize:
+    name: Dockerize
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.refspec }}
+
+      # configure AWS credentials
+      - name: Configure Staging AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.aws_access_key_id_staging }}
+          aws-secret-access-key: ${{ secrets.aws_secret_access_key_staging }}
+          aws-region: us-west-2
+
+      # login to docker for AWS
+      - name: Login to Staging Amazon ECR
+        id: login-ecr-staging
+        uses: aws-actions/amazon-ecr-login@v1
+
+      # build, tag, and push to ECR
+      - name: Build, tag, and push image to Staging Amazon ECR
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr-staging.outputs.registry }}
+          ECR_REPOSITORY: ${{ inputs.ecr_repository }}
+          IMAGE_TAG: ${{ inputs.docker_tag }}
+        run: |
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -f iam/Dockerfile .
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+      - name: Configure Production AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.aws_access_key_id_production }}
+          aws-secret-access-key: ${{ secrets.aws_secret_access_key_production }}
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR Production
+        id: login-ecr-production
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Tag and push image to Production Amazon ECR
+        env:
+          ECR_REGISTRY_STAGING: ${{ steps.login-ecr-staging.outputs.registry }}
+          ECR_REGISTRY_PRODUCTION: ${{ steps.login-ecr-production.outputs.registry }}
+          ECR_REPOSITORY: ${{ inputs.ecr_repository }}
+          IMAGE_TAG: ${{ inputs.docker_tag }}
+        run: |
+          docker tag $ECR_REGISTRY_STAGING/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY_PRODUCTION/$ECR_REPOSITORY:$IMAGE_TAG
+          docker push $ECR_REGISTRY_PRODUCTION/$ECR_REPOSITORY:$IMAGE_TAG
+
+      - name: Configure Oregon Production AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.aws_access_key_id_production }}
+          aws-secret-access-key: ${{ secrets.aws_secret_access_key_production }}
+          aws-region: us-west-2
+
+      - name: Login to Oregon Amazon ECR Production
+        id: login-ecr-production-us-west-2
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Tag and push Oregon image to Production Amazon ECR
+        env:
+          ECR_REGISTRY_STAGING: ${{ steps.login-ecr-staging.outputs.registry }}
+          ECR_REGISTRY_PRODUCTION: ${{ steps.login-ecr-production-us-west-2.outputs.registry }}
+          ECR_REPOSITORY: ${{ inputs.ecr_repository }}
+          IMAGE_TAG: ${{ inputs.docker_tag }}
+        run: |
+          docker tag $ECR_REGISTRY_STAGING/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY_PRODUCTION/$ECR_REPOSITORY:$IMAGE_TAG
+          docker push $ECR_REGISTRY_PRODUCTION/$ECR_REPOSITORY:$IMAGE_TAG
diff --git a/.github/workflows/iam-cd-review.yml b/.github/workflows/iam-cd-review.yml
@@ -108,3 +108,5 @@ jobs:
 
           STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_APP_WALLET_CONNECT_PROJECT_ID_REVIEW }}
           STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_REVIEW }}
+
+          STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }}
diff --git a/.github/workflows/iam-promote-production.yml b/.github/workflows/iam-promote-production.yml
@@ -123,3 +123,5 @@ jobs:
 
           STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_APP_WALLET_CONNECT_PROJECT_ID_PRODUCTION }}
           STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_PRODUCTION }}
+
+          STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }}
diff --git a/.github/workflows/iam-promote-staging.yml b/.github/workflows/iam-promote-staging.yml
@@ -124,3 +124,5 @@ jobs:
 
           STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_APP_WALLET_CONNECT_PROJECT_ID_STAGING }}
           STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_STAGING }}
+
+          STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }}