-
Notifications
You must be signed in to change notification settings - Fork 2
162 lines (159 loc) · 5.59 KB
/
reusable-copy-to-s3.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: reusable copy to s3
on:
workflow_call:
inputs:
aws-region:
type: string
default: ap-southeast-2
required: false
description: |
the AWS region to use; e.g ap-southeast-2
aws-role-arn-to-assume:
type: string
required: true
description: |
an AWS role ARN to assume.
e.g: arn:aws:iam::ACCOUNT_ID:role/github-actions-ROLE_NAME
aws-role-duration-seconds:
type: string
required: false
default: 3600
description: |
the number of seconds to hold a session open for.
aws-role-session-name:
type: string
required: false
description: |
the name of the session to use for AssumeRole(WithWebIdentity)
cp-or-sync:
type: string
default: sync
required: false
description: |
the command to use, whether cp (copy) or sync
single-file:
type: boolean
default: false
required: false
description: |
single file copy (only for `cp`, no effect for `sync`)
direction:
type: string
default: to
required: true
description: |
the direction to copy, whether from or to
artifact-name:
type: string
required: true
description: |
the name of the GitHub Actions artifact to download
artifact-path:
type: string
required: true
description: |
the path in the GitHub Actions artifact to download
s3-bucket:
type: string
required: true
description: |
the AWS S3 bucket URI to use
jobs:
copy-to-s3:
runs-on: ubuntu-latest
steps:
- if: ${{ startsWith(github.repository, 'GeoNet/') == false }}
name: require GeoNet org
run: |
exit 1
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: get session name
id: get-session-name
env:
REPO: ${{ github.repository }}
AWS_ROLE_SESSION_NAME: ${{ inputs.aws-role-session-name }}
DIRECTION: ${{ inputs.direction }}
run: |
SESSION_NAME="$(echo "github-actions-$DIRECTION-$REPO" | sed 's,/,--,g' | tr '[[:upper:]]' '[[:lower:]]')"
if [ -n "$AWS_ROLE_SESSION_NAME" ]; then
SESSION_NAME="$AWS_ROLE_SESSION_NAME"
fi
echo "session-name=$SESSION_NAME" >> $GITHUB_OUTPUT
- name: validate
env:
REGEXP_S3_BUCKET: "^s3://[a-zA-Z0-9!_.*'()/-]+$"
CP_OR_SYNC: ${{ inputs.cp-or-sync }}
S3_BUCKET: ${{ inputs.s3-bucket }}
DIRECTION: ${{ inputs.direction }}
run: |
ERRORS=false
if ! echo "$CP_OR_SYNC" | grep -q -E '^(cp|sync)$'; then
echo "error: command must be either 'cp' or 'sync'" >/dev/stderr
ERRORS=true
fi
# tested with
# for BUCKET in $(aws-vault exec prod -- aws s3 ls | awk '{print "s3://" $3}'); do echo $BUCKET | grep -q -E $REGEXP_S3_BUCKET || echo "INVALID BUCKET $BUCKET"; done
if ! echo "$S3_BUCKET" | grep -q -E $REGEXP_S3_BUCKET; then
echo "error: not valid s3 bucket URI '$S3_BUCKET'" >/dev/stderr
ERRORS=true
fi
if ! echo "$DIRECTION" | grep -q -E '^(from|to)$'; then
echo "error: command must be either 'from' or 'to'" >/dev/stderr
ERRORS=true
fi
if [ "$ERRORS" = true ]; then
exit 1
fi
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
if: ${{ inputs.direction == 'to' }}
with:
name: ${{ inputs.artifact-name }}
path: ${{ inputs.artifact-path }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: ${{ inputs.aws-region }}
role-to-assume: ${{ inputs.aws-role-arn-to-assume }}
role-duration-seconds: ${{ inputs.aws-role-duration-seconds }}
role-session-name: ${{ steps.get-session-name.outputs.session-name }}
- name: copy or sync
env:
CP_OR_SYNC: ${{ inputs.cp-or-sync }}
LOCAL_SOURCE_DIR: ${{ inputs.artifact-path }}
S3_BUCKET: ${{ inputs.s3-bucket }}
DIRECTION: ${{ inputs.direction }}
run: |
ARGS=()
case "$CP_OR_SYNC" in
cp)
if [ ${{ inputs.single-file }} = false ]; then
ARGS+=(--recursive)
fi
;;
sync)
;;
*)
echo "Yer CI be propper haunted eh matey?"
esac
case "$DIRECTION" in
from)
echo "Copying from '$S3_BUCKET' to '$LOCAL_SOURCE_DIR'"
ARGS+=("$S3_BUCKET" "$LOCAL_SOURCE_DIR")
;;
to)
echo "Copying from '$LOCAL_SOURCE_DIR' to '$S3_BUCKET'"
ARGS+=("$LOCAL_SOURCE_DIR" "$S3_BUCKET")
;;
*)
echo "*ghostly ooooohhhh* this is the ghost of GitHub actions *ghostly ooooohhh*"
echo "how did you geeeettt heereeee???"
echo "*ghostly oooooohhh*"
esac
aws s3 "$CP_OR_SYNC" "${ARGS[@]}"
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: ${{ inputs.direction == 'from' }}
with:
name: ${{ inputs.artifact-name }}
path: ${{ inputs.artifact-path }}
retention-days: 1
overwrite: true