Skip to content

v1.0.1+build.2

v1.0.1+build.2 #47

Workflow file for this run

---
name: release
on:
release:
types: [released]
env:
AWS_DEFAULT_REGION: us-east-1
# Do not copy the AMI to other regions until we have figured out a
# workable mechanism for creating and managing AMI KMS keys in other
# regions.
# See https://github.com/cisagov/cool-system/issues/18 for details.
# COPY_REGIONS_KMS_MAP: "us-east-2:alias/cool-amis,
# us-west-1:alias/cool-amis,
# us-west-2:alias/cool-amis"
PIP_CACHE_DIR: ~/.cache/pip
RUN_TMATE: ${{ secrets.RUN_TMATE }}
jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v4
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
release:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
contents: read
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
architecture:
- arm64
- x86_64
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ steps.setup-env.outputs.python-version }}
- uses: actions/cache@v4
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
packer${{ steps.setup-env.outputs.packer-version }}-\
tf-${{ steps.setup-env.outputs.terraform-version }}-"
with:
path: |
${{ env.PIP_CACHE_DIR }}
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements.txt') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- uses: hashicorp/setup-packer@v3
with:
version: ${{ steps.setup-env.outputs.packer-version }}
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install --upgrade \
--requirement requirements.txt
- name: Install ansible roles
run: ansible-galaxy install --force --role-file ansible/requirements.yml
# Do not copy the AMI to other regions until we have figured out a
# workable mechanism for creating and managing AMI KMS keys in other
# regions.
# See https://github.com/cisagov/cool-system/issues/18 for details.
# - name: Add copy regions to packer configuration
# run: |
# echo $COPY_REGIONS_KMS_MAP | \
# ./patch_packer_config.py variables.pkr.hcl
- name: Assume AWS build role
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME_PRODUCTION }}
role-duration-seconds: 3600
# When called by Packer, Ansible will find /usr/bin/python3 and
# use it; therefore, we must ensure that /usr/bin/python3 points
# to the version of Python that we installed in the
# actions/setup-python step above. This can hose other tasks
# that are expecting to find the system Python at that location,
# though, so we undo this change after running Packer.
- name: Create a /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3 /usr/bin/python3-default
sudo ln -s ${{ env.pythonLocation }}/bin/python3 \
/usr/bin/python3
- name: Install Packer plugins
run: packer init .
- name: Create machine image
env:
# Since we are using the default value of 15 seconds for
# AWS_POLL_DELAY_SECONDS, this corresponds to a timeout of
# an hour and a half. We need such a long timeout because
# it can take almost an hour to create this AMI.
AWS_MAX_ATTEMPTS: 360
run: |
packer build -only amazon-ebs.${{ matrix.architecture }} \
-timestamp-ui \
-var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_PRODUCTION }} \
-var is_prerelease=${{ github.event.release.prerelease }} \
-var release_tag=${{ github.event.release.tag_name }} \
-var release_url=${{ github.event.release.html_url }} \
.
- name: Remove /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3-default /usr/bin/python3
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE