empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-07 01:15:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
05d38abc35
fleet/.github/workflows/dogfood-deploy.yml
StepSecurity Bot 2154c13865
Pin actions to commit SHA (#10204) 
## Summary

This pull request is created by [Secure
Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass.
Please merge the Pull Request to incorporate the requested changes.
Please tag @zwass on your message if you have any questions related to
the PR. You can also engage with the
[StepSecurity](https://github.com/step-security) team by tagging
@step-security-bot.

## Security Fixes

### Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security
risk. GitHub's Security Hardening guide recommends pinning actions to
full length commit.

- [GitHub Security
Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)


## Feedback
For bug reports, feature requests, and general feedback; please create
an issue in
[step-security/secure-repo](https://github.com/step-security/secure-repo).
To create such PRs, please visit https://app.stepsecurity.io/securerepo.


Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2023-02-28 17:55:38 -08:00

94 lines
3.6 KiB
YAML
Raw Blame History

name: Deploy Dogfood Environment
on:
workflow_dispatch:
inputs:
DOCKER_IMAGE:
description: 'The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.28.0)'
required: true
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
working-directory: infrastructure/dogfood/terraform/aws
env:
AWS_REGION: us-east-2
ECR_REPOSITORY: fleet-test
AWS_IAM_ROLE: arn:aws:iam::160035666661:role/github-actions-role
TF_ACTIONS_WORKING_DIR: infrastructure/dogfood/terraform/aws
TF_WORKSPACE: fleet
TF_VAR_fleet_backend_cpu: 512
TF_VAR_fleet_backend_mem: 4096
TF_VAR_redis_instance: cache.t3.micro
TF_VAR_fleet_min_capacity: 2
TF_VAR_fleet_max_capacity: 5
TF_VAR_fleet_image: ${{ github.event.inputs.DOCKER_IMAGE || 'fleetdm/fleet:main' }}
TF_VAR_logging_debug: true
TF_VAR_fleet_license: ${{ secrets.DOGFOOD_LICENSE_KEY }}
TF_VAR_cloudwatch_log_retention: 30
TF_VAR_rds_backup_retention_period: 30
TF_VAR_extra_security_group_cidrs: '["10.255.1.0/24", "10.255.2.0/24", "10.255.3.0/24"]'
permissions:
id-token: write
contents: read # This is required for actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
jobs:
deploy:
name: Deploy Fleet Dogfood Environment
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- id: fail-on-main
run: "false"
if: ${{ github.ref == 'main' }}
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
with:
role-to-assume: ${{env.AWS_IAM_ROLE}}
aws-region: ${{ env.AWS_REGION }}
- uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
with:
terraform_version: 1.0.4
terraform_wrapper: false
- name: Terraform Init
id: init
run: terraform init
- name: Terraform fmt
id: fmt
run: terraform fmt -check
continue-on-error: true
- name: Terraform Validate
id: validate
run: terraform validate -no-color
- name: Terraform Plan
id: plan
run: terraform plan -no-color
continue-on-error: true
# first we'll scale everything down and create the new task definitions
- name: Terraform Apply Scale Down
id: apply_scale_down
run: terraform apply -auto-approve
env:
TF_VAR_fleet_min_capacity: 0
TF_VAR_fleet_max_capacity: 0
- name: Run migration task
id: run_migrate
run: |
CLUSTER_NAME=$(terraform output -raw ecs_cluster_name)
FAMILY=$(terraform output -raw migrate_task_definition_family)
REVISION=$(terraform output -raw fleet-migration-task-revision)
SUBNET=$(terraform output -raw private_subnet)
SECURITY_GROUP=$(terraform output -raw backend_security_group_id)
echo $CLUSTER_NAME $FAMILY $REVISION $SUBNET $SECURITY_GROUP
aws ecs run-task --cluster "${CLUSTER_NAME}" --task-definition "${FAMILY}":"${REVISION}" --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=["${SUBNET}"],securityGroups=["${SECURITY_GROUP}"]}"
- name: Terraform Apply Scale Up
id: apply_scale_up
run: terraform apply -auto-approve
Reference in New Issue View Git Blame Copy Permalink