-
Notifications
You must be signed in to change notification settings - Fork 23
161 lines (145 loc) · 6.3 KB
/
workflow.pr.bicep.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
---
name: PR Deployment
on: # yamllint disable-line rule:truthy
pull_request:
types:
- opened
- synchronize
- reopened
branches:
- main
concurrency:
group: pr-${{ github.event.pull_request.number }}
# By default, this workflow will cancel a previous run when a new one is queued.
# Depending on when the workflow was cancelled, it may leave orphaned environments
# that will be cleaned up after the PR is closed.
#
# To change this behavior and wait for the previous run to finish executing, set
# cancel-in-progress to false
cancel-in-progress: true
env:
KEY_VAULT_NAME: "kv-symphony-environments" #GitLeaksIgnore
LOCATION_NAME: "westus"
PR_ENVIRONMENT_DIRECTORY: "pr"
jobs:
Setup:
if: ${{ !github.event.pull_request.draft }}
runs-on: ubuntu-latest
outputs:
keyVaultName: ${{ steps.setValues.outputs.keyVaultName }}
locationName: ${{ steps.setValues.outputs.locationName }}
prEnvironmentDirectory: ${{ steps.setValues.outputs.prEnvironmentDirectory }}
environmentName: ${{ steps.setValues.outputs.environmentName }}
steps:
- name: Set Values
id: setValues
run: |
echo "keyVaultName=$KEY_VAULT_NAME" >> $GITHUB_OUTPUT
echo "locationName=$LOCATION_NAME" >> $GITHUB_OUTPUT
echo "prEnvironmentDirectory=$PR_ENVIRONMENT_DIRECTORY" >> $GITHUB_OUTPUT
suffix=$(uuidgen)
# create a 6 character hash of the suffix
suffixHash=$(echo -n "$suffix" | md5sum | cut -c1-6)
echo "environmentName=$suffixHash" >> $GITHUB_OUTPUT
Validate:
needs: Setup
uses: ./.github/workflows/template.bicep.validate.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
permissions:
actions: read
contents: read
security-events: write
# Right now, every new non-draft PR will trigger a new environment to be created.
# To change this behavior, you can add a label to the PR called "ready-to-deploy"
# and uncomment the following step. This will cause the workflow to only run when
# the label is present.
#
#
# CheckReadyToDeploy:
# needs: [Validate, Setup]
# runs-on: ubuntu-latest
# env:
# READY_TO_DEPLOY: ${{ contains(github.event.pull_request.labels.*.name, 'ready-to-deploy') }}
# steps:
# - name: Check if the ready-to-deploy label is present
# run: |
# if [ "$READY_TO_DEPLOY" = "true" ]; then
# echo "ready-to-deploy label present. Continuing..."
# else
# echo "ready-to-deploy label not present. Breaking..."
# exit 1
# fi
NewEnvironment:
needs: [Setup, Validate]
uses: ./.github/workflows/template.storeevent.yml
permissions:
pull-requests: write
with:
pipelineName: PR
eventName: NewEnvironment
eventGroupId: PR-${{ github.event.pull_request.number }}-${{ github.repository_id }}
data: Name=${{ needs.Setup.outputs.environmentName }} SHA=${{ github.event.pull_request.head.sha }} Location=${{ needs.Setup.outputs.locationName }} [email protected]=Edm.String
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
comment: |
Creating environment with name: "${{ needs.Setup.outputs.environmentName }}" using commit: "${{ github.event.pull_request.head.sha }}".
${{
contains(github.event.pull_request.labels.*.name, 'preserve-pr-environment') &&
format('The environment will not be destroyed after the workflow completes.\nTo delete it, use the [Destroy workflow](../actions/workflows/workflow.destroy.bicep.yml) on the current branch with "{0}" as the environment name.', needs.Setup.outputs.environmentName)
||
'The environment will be destroyed after the workflow completes.\nTo preserve it, add the "preserve-pr-environment" label to the PR.'
}}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
PreviewDeployBaseBranch:
needs: [Setup, NewEnvironment]
uses: ./.github/workflows/template.bicep.previewdeploy.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.base_ref }} # First, deploy the base branch
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
PreviewDeployPRBranch:
needs: [Setup, PreviewDeployBaseBranch]
uses: ./.github/workflows/template.bicep.previewdeploy.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
environmentDirectory: ${{ needs.Setup.outputs.prEnvironmentDirectory }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }} # Now, deploy the diff on top of it
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
Test:
needs: [Setup, PreviewDeployPRBranch]
permissions:
pull-requests: write
checks: write
uses: ./.github/workflows/template.bicep.test.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}
Destroy:
if: ${{ always() && !contains(github.event.pull_request.labels.*.name, 'preserve-pr-environment') }}
needs: [Setup, Test]
uses: ./.github/workflows/template.bicep.destroy.yml
with:
environmentName: ${{ needs.Setup.outputs.environmentName }}
locationName: ${{ needs.Setup.outputs.locationName }}
keyVaultName: ${{ needs.Setup.outputs.keyVaultName }}
branchName: ${{ github.head_ref }}
secrets:
azureEnviromentCredentials: ${{ secrets.AZURE_CREDENTIALS }}