diff --git a/.github/workflows/deploy_to_aws.yml b/.github/workflows/deploy_to_aws.yml
new file mode 100644
index 000000000..98cb95e65
--- /dev/null
+++ b/.github/workflows/deploy_to_aws.yml
@@ -0,0 +1,144 @@ +name: Deploy to AWS + +on: + workflow_call: + inputs: + repository: + description: "Repository in format owner/repo" + required: true + type: string + refspec: + description: "Commit ref" + required: true + type: string + docker_tag: + description: "Commit short SHA" + required: true + type: string + stack_name: + required: true + type: string + pulumi_working_dir: + required: true + type: string + pulumi_region: + required: true + type: string + pulumi_cmd: + required: true + description: "Options: up or preview" + type: string + domain: + required: true + type: string + staking_app_github_url: + required: true + type: string + staking_app_enable_auth: + required: true + type: string + staking_app_basic_auth_username: + required: true + type: string + secrets: + PULUMI_ACCESS_TOKEN: + required: true + AWS_ACCESS_KEY_ID: + required: true + AWS_SECRET_ACCESS_KEY: + required: true + ECR_URL: + required: true + ROUTE53_ZONE_ID: + required: true + IAM_SERVER_SSM_ARN: + required: true + PAGERDUTY_INTEGRATION_ENDPOINT: + required: true + PASSPORT_VC_SECRETS_ARN: + required: true + STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY: + required: true + STAKING_APP_BASIC_AUTH_PASSWORD: + required: true + STAKING_DATADOG_CLIENT_TOKEN_STAGING: + required: true + STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION: + required: true + STAKING_MAINNET_RPC_URL: + required: true + STAKING_OP_SEPOLIA_RPC_URL: + required: true + STAKING_OP_RPC_URL: + required: true + CLOUDFLARE_API_TOKEN: + required: true # required only for production + CLOUDFLARE_ZONE_ID: + required: true # required only for production + STAKING_WALLET_CONNECT_PROJECT_ID: + required: true + STAKING_INTERCOM_APP_ID: + required: true + STAKING_ARBITRUM_RPC_URL: + required: true + + +jobs: + deploy_to_aws: + name: Deploy to AWS + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.refspec }} + - name: Use Node.js + uses: actions/setup-node@v2 
+ with: + cache: "yarn" + cache-dependency-path: infra/yarn.lock + # Update the pulumi stack with new image + - run: | + npm install + cd aws + pulumi stack select -c ${{ inputs.stack_name }} + pulumi config -s ${{ inputs.stack_name }} set aws:region ${{ inputs.pulumi_region }} --non-interactive + working-directory: infra + env: + PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + - uses: pulumi/actions@v3 + id: pulumi + with: + command: ${{ inputs.pulumi_cmd }} # preview or up + stack-name: ${{ inputs.stack_name }} + upsert: false + work-dir: ${{ inputs.pulumi_working_dir }} + env: + PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-west-2 + DOCKER_GTC_PASSPORT_IAM_IMAGE: ${{secrets.ECR_URL}}:${{ inputs.docker_tag }} + ROUTE_53_ZONE: ${{ secrets.ROUTE53_ZONE_ID }} + ROUTE_53_DOMAIN: ${{ inputs.domain }} + DOMAIN: ${{ inputs.domain }} + IAM_SERVER_SSM_ARN: ${{ secrets.IAM_SERVER_SSM_ARN }} + PAGERDUTY_INTEGRATION_ENDPOINT: ${{ secrets.PAGERDUTY_INTEGRATION_ENDPOINT }} + PASSPORT_VC_SECRETS_ARN: ${{ secrets.PASSPORT_VC_SECRETS_ARN }} + + STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY: ${{ secrets.STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY }} + STAKING_APP_BASIC_AUTH_PASSWORD: ${{ secrets.STAKING_APP_BASIC_AUTH_PASSWORD }} + + STAKING_APP_GITHUB_URL: ${{ inputs.staking_app_github_url }} + STAKING_APP_ENABLE_AUTH: ${{ inputs.staking_app_enable_auth }} + STAKING_APP_BASIC_AUTH_USERNAME: ${{ inputs.staking_app_basic_auth_username }} + + STAKING_DATADOG_CLIENT_TOKEN_STAGING: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_STAGING }} + STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION }} + STAKING_MAINNET_RPC_URL: ${{ secrets.STAKING_MAINNET_RPC_URL }} + STAKING_OP_SEPOLIA_RPC_URL: ${{ secrets.STAKING_OP_SEPOLIA_RPC_URL }} + STAKING_OP_RPC_URL: ${{ secrets.STAKING_OP_RPC_URL }} + + # 
cloudflare config : just for production + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} + CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }} diff --git a/.github/workflows/deploy_to_branch.yml b/.github/workflows/deploy_to_branch.yml new file mode 100644 index 000000000..c244a9173 --- /dev/null +++ b/.github/workflows/deploy_to_branch.yml @@ -0,0 +1,38 @@ +name: Deploy to Branch (Release Frontend) + +on: + workflow_call: + inputs: + refspec: + required: true + type: string + owner: + required: true + type: string + repo: + required: true + type: string + destination_branch: + required: true + type: string + + +permissions: write-all +jobs: + deploy_to_branch: + name: Deploy to Branch + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + token: ${{ secrets.github_token }} + ref: main + fetch-depth: 0 + - name: Push to Branch + run: | + git fetch + git checkout -b ${{ inputs.destination_branch }} + git reset --hard ${{ inputs.refspec }} + git reset HEAD -- .github/workflows + git remote set-url origin https://${{ secrets.github_token }}@github.com/${{ inputs.owner }}/${{ inputs.repo }}.git + git push origin ${{ inputs.destination_branch }} -f diff --git a/.github/workflows/dockerize.yml b/.github/workflows/dockerize.yml new file mode 100644 index 000000000..297eb754f --- /dev/null +++ b/.github/workflows/dockerize.yml 
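Review bot: In the `run: |` step of deploy_to_aws.yml, `inputs.stack_name` and `inputs.pulumi_region` are expanded by `${{ }}` straight into the shell script (`pulumi stack select -c ${{ inputs.stack_name }}`), so whatever a caller passes is spliced into the command line before bash parses it; map them through `env:` (`STACK_NAME: ${{ inputs.stack_name }}`) and reference `"$STACK_NAME"` in the script instead. The same step caches on `infra/yarn.lock` (`cache: "yarn"`) but installs with `npm install`, so the lockfile being cached is not the one governing what is pulled into the Pulumi run; use `yarn install` as the other workflows in this change do so the dependency set is reproducible. `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_ZONE_ID` are declared `required: true` while their inline comment says `# required only for production`, which forces every staging caller to forward the production token; `required: false` would let them omit it. `actions/setup-node@v2` is behind the `@v3` used in release_and_deploy.yml, and none of the actions here are pinned to a commit SHA.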
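Review bot: `permissions: write-all` in deploy_to_branch.yml grants the job token every scope although the job only pushes a branch; `permissions:` with `contents: write` is sufficient for the `git push`. The `git remote set-url origin https://${{ secrets.github_token }}@github.com/...` line rewrites the remote with the token embedded in the URL, which is persisted in `.git/config` on the runner, and it appears redundant because `actions/checkout` with `token:` already leaves credentials configured for `origin` — please confirm and drop it if so. `git reset HEAD -- .github/workflows` directly after `git reset --hard ${{ inputs.refspec }}` looks like a no-op (index and HEAD already agree at that point), so if the intent was to keep workflow files out of the pushed branch that is not happening; a comment stating the intent would help either way. As in deploy_to_aws.yml, `inputs.destination_branch` and `inputs.refspec` are interpolated straight into the shell and should go through `env:`.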
@@ -0,0 +1,104 @@ +name: Dockerize + +on: + workflow_call: + inputs: + repository: + description: "Repository in format owner/repo" + required: true + type: string + refspec: + description: "Commit ref" + required: true + type: string + docker_tag: + description: "Commit short SHA" + required: true + type: string + ecr_repository: + required: true + type: string + secrets: + aws_access_key_id_staging: + required: true + aws_secret_access_key_staging: + required: true + aws_access_key_id_production: + required: true + aws_secret_access_key_production: + required: true + +jobs: + dockerize: + name: Dockerize + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + repository: ${{ inputs.repository }} + ref: ${{ inputs.refspec }} + + # configure AWS credentials + - name: Configure Staging AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.aws_access_key_id_staging }} + aws-secret-access-key: ${{ secrets.aws_secret_access_key_staging }} + aws-region: us-west-2 + + # login to docker for AWS + - name: Login to Staging Amazon ECR + id: login-ecr-staging + uses: aws-actions/amazon-ecr-login@v1 + + # build, tag, and push to ECR + - name: Build, tag, and push image to Staging Amazon ECR + env: + ECR_REGISTRY: ${{ steps.login-ecr-staging.outputs.registry }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} + IMAGE_TAG: ${{ inputs.docker_tag }} + run: | + docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -f iam/Dockerfile . 
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + + - name: Configure Production AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.aws_access_key_id_production }} + aws-secret-access-key: ${{ secrets.aws_secret_access_key_production }} + aws-region: us-east-1 + + - name: Login to Amazon ECR Production + id: login-ecr-production + uses: aws-actions/amazon-ecr-login@v1 + + - name: Tag and push image to Production Amazon ECR + env: + ECR_REGISTRY_STAGING: ${{ steps.login-ecr-staging.outputs.registry }} + ECR_REGISTRY_PRODUCTION: ${{ steps.login-ecr-production.outputs.registry }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} + IMAGE_TAG: ${{ inputs.docker_tag }} + run: | + docker tag $ECR_REGISTRY_STAGING/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY_PRODUCTION/$ECR_REPOSITORY:$IMAGE_TAG + docker push $ECR_REGISTRY_PRODUCTION/$ECR_REPOSITORY:$IMAGE_TAG + + - name: Configure Oregon Production AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.aws_access_key_id_production }} + aws-secret-access-key: ${{ secrets.aws_secret_access_key_production }} + aws-region: us-west-2 + + - name: Login to Oregon Amazon ECR Production + id: login-ecr-production-us-west-2 + uses: aws-actions/amazon-ecr-login@v1 + + - name: Tag and push Oregon image to Production Amazon ECR + env: + ECR_REGISTRY_STAGING: ${{ steps.login-ecr-staging.outputs.registry }} + ECR_REGISTRY_PRODUCTION: ${{ steps.login-ecr-production-us-west-2.outputs.registry }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} + IMAGE_TAG: ${{ inputs.docker_tag }} + run: | + docker tag $ECR_REGISTRY_STAGING/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY_PRODUCTION/$ECR_REPOSITORY:$IMAGE_TAG + docker push $ECR_REGISTRY_PRODUCTION/$ECR_REPOSITORY:$IMAGE_TAG diff --git a/.github/workflows/iam-cd-review.yml b/.github/workflows/iam-cd-review.yml index 54927f136..ccaeb0a59 100644 --- a/.github/workflows/iam-cd-review.yml 
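Review bot: Both environments authenticate with long-lived static keys (`aws_access_key_id_staging` … `aws_secret_access_key_production`) held as repository secrets, and the production pair is configured on the same runner that builds from the checked-out tree; `aws-actions/configure-aws-credentials` supports `role-to-assume` with the job permission `id-token: write`, which removes the standing credentials and lets the production role be scoped to ECR push on this one repository. The production promotion steps retag by mutable tag (`$ECR_REGISTRY_STAGING/$ECR_REPOSITORY:$IMAGE_TAG`) rather than by digest, so nothing in this job ties what was pushed to staging to what reaches the two production registries; capturing the pushed digest and tagging from it would close that gap. `configure-aws-credentials@v1`, `amazon-ecr-login@v1` and `actions/checkout@v3` are major-tag references rather than commit SHAs.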
+++ b/.github/workflows/iam-cd-review.yml @@ -108,3 +108,5 @@ jobs: STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_APP_WALLET_CONNECT_PROJECT_ID_REVIEW }} STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_REVIEW }} + + STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }} \ No newline at end of file diff --git a/.github/workflows/iam-promote-production.yml b/.github/workflows/iam-promote-production.yml index 6db936d55..6f1205b56 100644 --- a/.github/workflows/iam-promote-production.yml +++ b/.github/workflows/iam-promote-production.yml @@ -123,3 +123,5 @@ jobs: STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_APP_WALLET_CONNECT_PROJECT_ID_PRODUCTION }} STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_PRODUCTION }} + + STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }} \ No newline at end of file diff --git a/.github/workflows/iam-promote-staging.yml b/.github/workflows/iam-promote-staging.yml index b5ceda4bf..3300fb790 100644 --- a/.github/workflows/iam-promote-staging.yml +++ b/.github/workflows/iam-promote-staging.yml @@ -124,3 +124,5 @@ jobs: STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_APP_WALLET_CONNECT_PROJECT_ID_STAGING }} STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_STAGING }} + + STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }} \ No newline at end of file diff --git a/.github/workflows/release_and_deploy.yml b/.github/workflows/release_and_deploy.yml new file mode 100644 index 000000000..de222ea60 --- /dev/null +++ b/.github/workflows/release_and_deploy.yml 
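Review bot: `STAKING_ARBITRUM_RPC_URL` is wired from a single un-suffixed secret in iam-cd-review.yml, iam-promote-staging.yml and iam-promote-production.yml, whereas every neighbouring secret in these hunks is per-environment (`..._REVIEW`, `..._STAGING`, `..._PRODUCTION`), so review and staging deployments receive the same endpoint production uses. If that URL embeds a provider API key, a leak or quota exhaustion from a review deployment affects production directly; `STAKING_ARBITRUM_RPC_URL_REVIEW` / `_STAGING` / `_PRODUCTION` would follow the convention already in place. All three files also end without a trailing newline (`\ No newline at end of file`).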
@@ -0,0 +1,342 @@ +name: Release and Deploy + +on: + workflow_call: + inputs: + refspec: + required: true + type: string + repo_owner: + required: true + type: string + repo_name: + required: true + type: string + staging_frontend_branch: + required: true + type: string + production_frontend_branch: + required: true + type: string + staging_domain: + required: true + type: string + production_domain: + required: true + type: string + ecr_repository: + required: true + type: string + +jobs: + test: + name: Test + permissions: write-all + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + repository: ${{ inputs.repo_owner }}/${{ inputs.repo_name }} + ref: ${{ inputs.refspec }} + fetch-depth: 0 + + - name: Use Node.js 20 + uses: actions/setup-node@v3 + with: + node-version: 20 + cache: "yarn" + + - name: Install Packages + run: yarn install + + - name: Run Tests + run: | + yarn test + + - name: Run Linter + run: | + yarn lint + + - name: Version + # https://github.com/marketplace/actions/git-semantic-version + id: version + uses: paulhatch/semantic-version@v5.0.2 + with: + tag_prefix: "v" + major_pattern: "(MAJOR)" + minor_pattern: "(MINOR)" + + - name: Release + # https://github.com/ncipollo/release-action + uses: ncipollo/release-action@v1 + with: + generateReleaseNotes: true + allowUpdates: true + token: ${{ secrets.github_token }} + tag: ${{ steps.version.outputs.version_tag }} + commit: ${{ inputs.refspec }} + draft: true + + - name: Store Commit SHA + id: sha + shell: bash + run: | + echo "sha_short=$(git rev-parse --short ${{ inputs.refspec }})" >> $GITHUB_OUTPUT + + outputs: + version_tag: ${{ steps.version.outputs.version_tag }} + commit_sha: ${{ steps.sha.outputs.sha_short }} + + dockerize: + name: Dockerize + needs: [test] + uses: gitcoinco/passport/.github/workflows/dockerize.yml@main + with: + repository: ${{ inputs.repo_owner }}/${{ inputs.repo_name }} + refspec: ${{ inputs.refspec }} + docker_tag: ${{ needs.test.outputs.commit_sha 
}} + ecr_repository: ${{ inputs.ecr_repository }} + secrets: inherit + + preview_staging_backend: + name: Preview Pulumi changes for Staging Backend - AWS Infra + needs: [test, dockerize] + uses: gitcoinco/passport/.github/workflows/deploy_to_aws.yml@main + with: + repository: ${{ inputs.repo_owner }}/${{ inputs.repo_name }} + refspec: ${{ inputs.refspec }} + docker_tag: ${{ needs.test.outputs.commit_sha }} + domain: ${{ inputs.staging_domain }} + stack_name: gitcoin/staging + pulumi_working_dir: infra/aws + pulumi_region: us-west-2 + pulumi_cmd: preview + + staking_app_github_url: ${{ vars.STAKING_APP_GITHUB_URL_STAGING }} + staking_app_enable_auth: ${{ vars.STAKING_APP_ENABLE_AUTH_STAGING }} + staking_app_basic_auth_username: ${{ vars.STAKING_APP_BASIC_AUTH_USERNAME_STAGING }} + + + secrets: + PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGING }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGING }} + ECR_URL: ${{secrets.ECR_URL_STAGING}} + ROUTE53_ZONE_ID: ${{ secrets.ROUTE53_ZONE_ID_STAGING }} + IAM_SERVER_SSM_ARN: ${{ secrets.IAM_SERVER_SSM_ARN_STAGING }} + PAGERDUTY_INTEGRATION_ENDPOINT: ${{ secrets.PAGERDUTY_INTEGRATION_ENDPOINT }} + PASSPORT_VC_SECRETS_ARN: ${{ secrets.PASSPORT_VC_SECRETS_ARN_STAGING }} + + STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY: ${{ secrets.STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY_STAGING }} + STAKING_APP_BASIC_AUTH_PASSWORD: ${{ secrets.STAKING_APP_BASIC_AUTH_PASSWORD_STAGING }} + STAKING_DATADOG_CLIENT_TOKEN_STAGING: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_STAGING }} + STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION }} + STAKING_MAINNET_RPC_URL: ${{ secrets.STAKING_MAINNET_RPC_URL }} + STAKING_OP_SEPOLIA_RPC_URL: ${{ secrets.STAKING_OP_SEPOLIA_RPC_URL }} + STAKING_OP_RPC_URL: ${{ secrets.STAKING_OP_RPC_URL }} + + STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_WALLET_CONNECT_PROJECT_ID_STAGING }} + 
STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_STAGING }} + STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }} + + # cloudflare config : just for production + CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }} + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} + + wait_for_staging_approval: + name: Staging Approval Pending + needs: [test, dockerize, preview_staging_backend] + runs-on: ubuntu-latest + environment: staging + steps: + - name: Approve Release to Staging (check pulumi preview) + run: | + echo "Approved Staging Release for: " ${{ needs.test.outputs.version_tag }} + echo "Ref" ${{ inputs.refspec }} + + deploy_staging_frontend: + name: Staging Frontend + permissions: write-all + needs: [test, dockerize, preview_staging_backend, wait_for_staging_approval] + uses: gitcoinco/passport/.github/workflows/deploy_to_branch.yml@main + with: + owner: ${{ inputs.repo_owner }} + repo: ${{ inputs.repo_name }} + refspec: ${{ inputs.refspec }} + destination_branch: ${{ inputs.staging_frontend_branch }} + + deploy_staging_backend: + name: Staging Backend + needs: [test, dockerize, preview_staging_backend, wait_for_staging_approval] + uses: gitcoinco/passport/.github/workflows/deploy_to_aws.yml@main + with: + repository: ${{ inputs.repo_owner }}/${{ inputs.repo_name }} + refspec: ${{ inputs.refspec }} + docker_tag: ${{ needs.test.outputs.commit_sha }} + domain: ${{ inputs.staging_domain }} + stack_name: gitcoin/staging + pulumi_working_dir: infra/aws + pulumi_region: us-west-2 + pulumi_cmd: up + + staking_app_github_url: ${{ vars.STAKING_APP_GITHUB_URL_STAGING }} + staking_app_enable_auth: ${{ vars.STAKING_APP_ENABLE_AUTH_STAGING }} + staking_app_basic_auth_username: ${{ vars.STAKING_APP_BASIC_AUTH_USERNAME_STAGING }} + + secrets: + PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGING }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGING }} + ECR_URL: 
${{secrets.ECR_URL_STAGING}} + ROUTE53_ZONE_ID: ${{ secrets.ROUTE53_ZONE_ID_STAGING }} + IAM_SERVER_SSM_ARN: ${{ secrets.IAM_SERVER_SSM_ARN_STAGING }} + PAGERDUTY_INTEGRATION_ENDPOINT: ${{ secrets.PAGERDUTY_INTEGRATION_ENDPOINT }} + PASSPORT_VC_SECRETS_ARN: ${{ secrets.PASSPORT_VC_SECRETS_ARN_STAGING }} + + STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY: ${{ secrets.STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY_STAGING }} + STAKING_APP_BASIC_AUTH_PASSWORD: ${{ secrets.STAKING_APP_BASIC_AUTH_PASSWORD_STAGING }} + STAKING_DATADOG_CLIENT_TOKEN_STAGING: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_STAGING }} + STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION }} + STAKING_MAINNET_RPC_URL: ${{ secrets.STAKING_MAINNET_RPC_URL }} + STAKING_OP_SEPOLIA_RPC_URL: ${{ secrets.STAKING_OP_SEPOLIA_RPC_URL }} + STAKING_OP_RPC_URL: ${{ secrets.STAKING_OP_RPC_URL }} + + STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_WALLET_CONNECT_PROJECT_ID_STAGING }} + STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_STAGING }} + STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }} + + # cloudflare config : just for production + CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }} + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} + + preview_production_backend: + name: Preview Pulumi changes for Production Backend - AWS Infra + needs: [test, dockerize, preview_staging_backend, wait_for_staging_approval, deploy_staging_frontend, deploy_staging_backend] + uses: gitcoinco/passport/.github/workflows/deploy_to_aws.yml@main + with: + repository: ${{ inputs.repo_owner }}/${{ inputs.repo_name }} + refspec: ${{ inputs.refspec }} + docker_tag: ${{ needs.test.outputs.commit_sha }} + domain: passport-iam.gitcoin.co + stack_name: gitcoin/production + pulumi_working_dir: infra/aws + pulumi_region: us-west-2 + pulumi_cmd: preview + + staking_app_github_url: ${{ vars.STAKING_APP_GITHUB_URL_PRODUCTION }} + staking_app_enable_auth: 
${{ vars.STAKING_APP_ENABLE_AUTH_PRODUCTION }} + staking_app_basic_auth_username: ${{ vars.STAKING_APP_BASIC_AUTH_USERNAME_PRODUCTION }} + + secrets: + PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_PRODUCTION }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_PRODUCTION }} + ECR_URL: ${{secrets.AWS_ECR_URL_PRODUCTION}} + ROUTE53_ZONE_ID: ${{ secrets.ROUTE53_ZONE_ID_PRODUCTION }} + IAM_SERVER_SSM_ARN: ${{ secrets.AWS_IAM_SERVER_SSM_ARN_PRODUCTION }} + PAGERDUTY_INTEGRATION_ENDPOINT: ${{ secrets.PAGERDUTY_INTEGRATION_ENDPOINT }} + PASSPORT_VC_SECRETS_ARN: ${{ secrets.AWS_PASSPORT_VC_SECRETS_ARN_PRODUCTION }} + + STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY: ${{ secrets.STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY_PRODUCTION }} + STAKING_APP_BASIC_AUTH_PASSWORD: ${{ secrets.STAKING_APP_BASIC_AUTH_PASSWORD_PRODUCTION }} + STAKING_DATADOG_CLIENT_TOKEN_STAGING: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_STAGING }} + STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION }} + STAKING_MAINNET_RPC_URL: ${{ secrets.STAKING_MAINNET_RPC_URL }} + STAKING_OP_SEPOLIA_RPC_URL: ${{ secrets.STAKING_OP_SEPOLIA_RPC_URL }} + STAKING_OP_RPC_URL: ${{ secrets.STAKING_OP_RPC_URL }} + + STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_WALLET_CONNECT_PROJECT_ID_PRODUCTION }} + STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_PRODUCTION }} + STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }} + + # cloudflare config : just for production + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} + CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }} + + wait_for_production_approval: + name: Production Approval Pending + needs: [test, dockerize, preview_staging_backend, wait_for_staging_approval, deploy_staging_frontend, deploy_staging_backend, preview_production_backend] + runs-on: ubuntu-latest + environment: production + steps: + - name: Approve 
Release to Production + run: | + echo "Approved Production Release for: " ${{ needs.test.outputs.version_tag }} + echo "Ref" ${{ inputs.refspec }} + + deploy_production_frontend: + name: Production Frontend + permissions: write-all + needs: [test, dockerize, preview_staging_backend, wait_for_staging_approval, deploy_staging_frontend, deploy_staging_backend, preview_production_backend, wait_for_production_approval] + uses: gitcoinco/passport/.github/workflows/deploy_to_branch.yml@main + with: + owner: ${{ inputs.repo_owner }} + repo: ${{ inputs.repo_name }} + refspec: ${{ inputs.refspec }} + destination_branch: ${{ inputs.production_frontend_branch }} + + deploy_production_backend: + name: Production Backend - AWS Infra + needs: [test, dockerize, preview_staging_backend, wait_for_staging_approval, deploy_staging_frontend, deploy_staging_backend, preview_production_backend, wait_for_production_approval] + uses: gitcoinco/passport/.github/workflows/deploy_to_aws.yml@main + with: + repository: ${{ inputs.repo_owner }}/${{ inputs.repo_name }} + refspec: ${{ inputs.refspec }} + docker_tag: ${{ needs.test.outputs.commit_sha }} + domain: passport-iam.gitcoin.co + stack_name: gitcoin/production + pulumi_working_dir: infra/aws + pulumi_region: us-west-2 + pulumi_cmd: up + + staking_app_github_url: ${{ vars.STAKING_APP_GITHUB_URL_PRODUCTION }} + staking_app_enable_auth: ${{ vars.STAKING_APP_ENABLE_AUTH_PRODUCTION }} + staking_app_basic_auth_username: ${{ vars.STAKING_APP_BASIC_AUTH_USERNAME_PRODUCTION }} + + secrets: + PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_PRODUCTION }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_PRODUCTION }} + ECR_URL: ${{secrets.AWS_ECR_URL_PRODUCTION}} + ROUTE53_ZONE_ID: ${{ secrets.ROUTE53_ZONE_ID_PRODUCTION }} + IAM_SERVER_SSM_ARN: ${{ secrets.AWS_IAM_SERVER_SSM_ARN_PRODUCTION }} + PAGERDUTY_INTEGRATION_ENDPOINT: ${{ secrets.PAGERDUTY_INTEGRATION_ENDPOINT }} + 
PASSPORT_VC_SECRETS_ARN: ${{ secrets.AWS_PASSPORT_VC_SECRETS_ARN_PRODUCTION }} + + STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY: ${{ secrets.STAKING_APP_GITHUB_ACCESS_TOKEN_FOR_AMPLIFY_PRODUCTION }} + STAKING_APP_BASIC_AUTH_PASSWORD: ${{ secrets.STAKING_APP_BASIC_AUTH_PASSWORD_PRODUCTION }} + STAKING_DATADOG_CLIENT_TOKEN_STAGING: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_STAGING }} + STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION: ${{ secrets.STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION }} + STAKING_MAINNET_RPC_URL: ${{ secrets.STAKING_MAINNET_RPC_URL }} + STAKING_OP_SEPOLIA_RPC_URL: ${{ secrets.STAKING_OP_SEPOLIA_RPC_URL }} + STAKING_OP_RPC_URL: ${{ secrets.STAKING_OP_RPC_URL }} + + STAKING_WALLET_CONNECT_PROJECT_ID: ${{ secrets.STAKING_WALLET_CONNECT_PROJECT_ID_PRODUCTION }} + STAKING_INTERCOM_APP_ID: ${{ secrets.STAKING_APP_INTERCOM_APP_ID_PRODUCTION }} + STAKING_ARBITRUM_RPC_URL: ${{ secrets.STAKING_ARBITRUM_RPC_URL }} + + # cloudflare config : just for production + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} + CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }} + + release: + needs: [deploy_production_backend, deploy_production_frontend, test] + permissions: write-all + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + repository: ${{ inputs.repo_owner }}/${{ inputs.repo_name }} + ref: ${{ inputs.refspec }} + fetch-depth: 0 + + - name: Release + # https://github.com/ncipollo/release-action + uses: ncipollo/release-action@v1 + with: + omitBodyDuringUpdate: true + allowUpdates: true + token: ${{ secrets.github_token }} + tag: ${{ needs.test.outputs.version_tag }} + commit: ${{ inputs.refspec }} + draft: false diff --git a/.github/workflows/release_and_deploy_passport.yml b/.github/workflows/release_and_deploy_passport.yml index f568feaab..b0fb6291b 100644 --- a/.github/workflows/release_and_deploy_passport.yml +++ b/.github/workflows/release_and_deploy_passport.yml 
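Review bot: The staging jobs `preview_staging_backend` and `deploy_staging_backend` forward the production-only secrets `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ZONE_ID` (their own comment reads `# cloudflare config : just for production`) and `STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION` into a staging Pulumi run, so a staging deploy holds credentials that can change production DNS. The called workflow declares them `required: true`, which forces this; make them optional there and drop them from the staging `secrets:` blocks. The required input `production_domain` is never read — `preview_production_backend` and `deploy_production_backend` hard-code `domain: passport-iam.gitcoin.co` — so a caller passing a different value is silently ignored; use `domain: ${{ inputs.production_domain }}`. The nested workflows are referenced as `gitcoinco/passport/.github/workflows/...@main`, so the tested `refspec` and the pipeline that deploys it can diverge while a release waits at the `staging`/`production` approval gate; pinning to a tag or commit SHA (or a `./.github/workflows/...` local reference, if nesting permits it here) keeps them together. `permissions: write-all` on the `test` and `release` jobs could be narrowed to `contents: write`, which is what `ncipollo/release-action` needs.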
@@ -43,7 +43,7 @@ jobs:
 needs: [ref]
 name: Deploy
 permissions: write-all
- uses: gitcoinco/gh-workflows/.github/workflows/release_and_deploy.yml@main
+ uses: gitcoinco/passport/.github/workflows/release_and_deploy.yml@main
 with:
 refspec: ${{ needs.ref.outputs.refspec }}
 repo_owner: gitcoinco
diff --git a/.github/workflows/release_and_deploy_template.yml b/.github/workflows/release_and_deploy_template.yml
new file mode 100644
index 000000000..9360c666a
--- /dev/null
+++ b/.github/workflows/release_and_deploy_template.yml
@@ -0,0 +1,56 @@
+name: Release and Deploy This Repo
+
+## To use this in a new repo
+## 1. Copy this file
+## 2. Configure secrets shown below
+ # PULUMI_ACCESS_TOKEN
+ # AWS_ACCESS_KEY_ID_PRODUCTION
+ # AWS_ACCESS_KEY_ID_STAGING
+ # AWS_SECRET_ACCESS_KEY_PRODUCTION
+ # AWS_SECRET_ACCESS_KEY_STAGING
+ # ECR_URL_PRODUCTION
+ # ECR_URL_STAGING
+ # ROUTE53_ZONE_ID_PRODUCTION
+ # ROUTE53_ZONE_ID_STAGING
+ # IAM_SERVER_SSM_ARN_PRODUCTION
+ # IAM_SERVER_SSM_ARN_STAGING
+## 3. Update input values ("with") below
+## 4. Create an environment called "production" and add Required Reviewers
+
+on:
+ workflow_dispatch:
+ inputs:
+ commit:
+ description: "Leave blank to use current HEAD, or provide an override commit SHA"
+ type: string
+ required: false
+
+jobs:
+ ref:
+ name: Load Commit Ref
+ runs-on: ubuntu-latest
+ steps:
+ - id: ref
+ shell: bash
+ # Default to HEAD of the branch from
+ # which this workflow was triggered
+ run: |
+ echo "refspec=${{ inputs.commit || github.sha }}" >> $GITHUB_OUTPUT
+ outputs:
+ refspec: ${{ steps.ref.outputs.refspec }}
+
+ deploy_passport:
+ needs: [ref]
+ name: Deploy
+ permissions: write-all
+ uses: gitcoinco/passport/.github/workflows/release_and_deploy.yml@main
+ with:
+ refspec: ${{ needs.ref.outputs.refspec }}
+ repo_owner: gitcoinco
+ repo_name: passport
+ staging_frontend_branch: test_frontend_build_staging
+ production_frontend_branch: test_frontend_build_prod
+ staging_domain: iam.staging.passport.gitcoin.co
+ production_domain: passport-iam.gitcoin.co
+ ecr_repository: passport
+ secrets: inherit
diff --git a/infra/aws/index.ts b/infra/aws/index.ts
index af890041d..66ee20c65 100644
--- a/infra/aws/index.ts
+++ b/infra/aws/index.ts
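Review bot: `echo "refspec=${{ inputs.commit || github.sha }}" >> $GITHUB_OUTPUT` expands a free-text `workflow_dispatch` input inside the shell script, so whoever can dispatch the workflow controls what the runner executes before `echo` runs; pass it through `env:` (`COMMIT: ${{ inputs.commit || github.sha }}`), validate it with something like `[[ "$COMMIT" =~ ^[0-9a-f]{7,40}$ ]] || exit 1`, and then write `refspec=$COMMIT`. The header lists ten secrets to configure, but the workflow this calls (`release_and_deploy.yml`, which in turn calls `deploy_to_aws.yml`) requires many more (`PAGERDUTY_INTEGRATION_ENDPOINT`, the `PASSPORT_VC_SECRETS_ARN_*`, `STAKING_*` and `CLOUDFLARE_*` sets), so a repo set up from this template fails at its first deploy; keep the list complete or point to the called workflow's `secrets:` block as the source of truth. `secrets: inherit` together with `permissions: write-all` hands every repository secret and every token scope to the called workflow, where `contents: write` plus the specific secrets is the least that works. Step 4 mentions only a `production` environment, yet the called workflow also gates on `environment: staging`, and `test_frontend_build_staging` / `test_frontend_build_prod` read like test values for a file meant to be copied.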
@@ -14,6 +14,7 @@ const dockerGtcPassportIamImage = `${process.env["DOCKER_GTC_PASSPORT_IAM_IMAGE"
 const opSepoliaRpcUrl = `${process.env["STAKING_OP_SEPOLIA_RPC_URL"]}`;
 const opRpcUrl = `${process.env["STAKING_OP_RPC_URL"]}`;
 const mainnetRpcUrl = `${process.env["STAKING_MAINNET_RPC_URL"]}`;
+const arbitrumRpcUrl = `${process.env["STAKING_ARBITRUM_RPC_URL"]}`;
 const dataDogClientTokenReview = `${process.env["STAKING_DATADOG_CLIENT_TOKEN_REVIEW"]}`;
 const dataDogClientTokenStaging = `${process.env["STAKING_DATADOG_CLIENT_TOKEN_STAGING"]}`;
 const dataDogClientTokenProduction = `${process.env["STAKING_DATADOG_CLIENT_TOKEN_PRODUCTION"]}`;
@@ -104,6 +105,8 @@ const stakingEnvVars = Object({
 NEXT_PUBLIC_ENABLE_OP_SEPOLIA: "on",
 NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID: walletConnectProjectId,
 NEXT_PUBLIC_INTERCOM_APP_ID: stakingIntercomAppId,
+ NEXT_PUBLIC_ENABLE_ARBITRUM_MAINNET: "on",
+ NEXT_PUBLIC_ARBITRUM_RPC_URL: arbitrumRpcUrl,
 },
 staging: {
 NEXT_PUBLIC_CERAMIC_CACHE_ENDPOINT: "https://api.staging.scorer.gitcoin.co/ceramic-cache",
@@ -119,6 +122,8 @@ const stakingEnvVars = Object({
 NEXT_PUBLIC_ENABLE_OP_SEPOLIA: "on",
 NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID: walletConnectProjectId,
 NEXT_PUBLIC_INTERCOM_APP_ID: stakingIntercomAppId,
+ NEXT_PUBLIC_ENABLE_ARBITRUM_MAINNET: "on",
+ NEXT_PUBLIC_ARBITRUM_RPC_URL:arbitrumRpcUrl,
 },
 production: {
 NEXT_PUBLIC_CERAMIC_CACHE_ENDPOINT: "https://api.scorer.gitcoin.co/ceramic-cache",
@@ -134,6 +139,8 @@ const stakingEnvVars = Object({
 NEXT_PUBLIC_ENABLE_OP_SEPOLIA: "off",
 NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID: walletConnectProjectId,
 NEXT_PUBLIC_INTERCOM_APP_ID: stakingIntercomAppId,
+ NEXT_PUBLIC_ENABLE_ARBITRUM_MAINNET: "on",
+ NEXT_PUBLIC_ARBITRUM_RPC_URL: arbitrumRpcUrl,
 },
 });
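Review bot: `NEXT_PUBLIC_ARBITRUM_RPC_URL: arbitrumRpcUrl` (added to all three stacks, in the hunks at 104, 119 and 134) ships the value of the `STAKING_ARBITRUM_RPC_URL` secret to the browser, because Next.js inlines every `NEXT_PUBLIC_` variable into the client bundle; if that URL carries a provider API key, keeping it as a GitHub secret gives no protection once the app is built, so either use an endpoint whose key is safe to publish or keep the keyed URL server-side behind a proxy route. The new `const arbitrumRpcUrl = ...` line follows the file's existing `${process.env[...]}` template-literal pattern, which turns an unset variable into the literal string `"undefined"` instead of failing the deploy; reading it as `const arbitrumRpcUrl = process.env["STAKING_ARBITRUM_RPC_URL"];` followed by `if (!arbitrumRpcUrl) throw new Error("STAKING_ARBITRUM_RPC_URL is not set");` would fail fast at Pulumi time. Style: the staging hunk writes `NEXT_PUBLIC_ARBITRUM_RPC_URL:arbitrumRpcUrl` without the space after the colon that the review and production hunks use.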