.github/workflows/ci.yml

name: Build and deploy

on:
  push:
    branches: '*'
    tags: 'v[0-9]+.[0-9]+.[0-9]+*'
  pull_request:
    branches: '*'
  workflow_dispatch:
    inputs:
      deploy:
        type: boolean
        default: false

env:
  NODE_VERSION: 18
  REGISTRY: ghcr.io
  IMAGE_NAME: object-object/discord-github-utils

jobs:
  build-image:
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ fromJson(steps.meta.outputs.json).tags[0] }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract image metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build Docker image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=docker,dest=/tmp/image.tar

      - name: Upload image artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image
          path: /tmp/image.tar
          retention-days: 7

  build-aws-cdk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: eifinger/setup-rye@v4
        with:
          enable-cache: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: object-Object/ci/setup@v0
        with:
          node-version: ${{ env.NODE_VERSION }}
          npm-packages: aws-cdk

      - name: Sync dependencies
        run: rye sync --no-lock --no-dev

      - name: Synth aws-cdk stack
        run: cdk synth --ci --no-lookups --strict

      - name: Upload synth artifact
        uses: actions/upload-artifact@v4
        with:
          name: aws-cdk-synth
          path: cdk.out

  # dummy "gate" job to restrict when the deployment jobs can run
  setup-deployments:
    needs:
      - build-image
      - build-aws-cdk
    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') || inputs.deploy
    runs-on: ubuntu-latest
    steps:
      - run: echo

  push-image:
    needs:
      - setup-deployments
      - build-image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    environment:
      name: docker
      url: https://${{ needs.build-image.outputs.tag }}
    outputs:
      digest: ${{ steps.digest.outputs.value }}
    steps:
      - uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image
          path: /tmp

      - name: Load image
        run: docker load --input /tmp/image.tar

      - name: Push image
        run: docker image push --all-tags ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Get image digest
        id: digest
        run: echo "value=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ needs.build-image.outputs.tag }})" >> "$GITHUB_OUTPUT"

  deploy-aws-cdk:
    needs:
      - setup-deployments
      - build-aws-cdk
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    environment:
      name: prod-aws-cdk
    steps:
      - uses: actions/checkout@v4
      - uses: object-Object/ci/setup@v0
        with:
          node-version: ${{ env.NODE_VERSION }}
          npm-packages: aws-cdk
          role-to-assume: repo

      - name: Download synth artifact
        uses: actions/download-artifact@v4
        with:
          name: aws-cdk-synth
          path: cdk.out

      - name: Deploy stack
        run: cdk deploy --ci --no-lookups --require-approval=never --app=cdk.out --outputs-file=outputs.json

      - name: Upload outputs artifact
        uses: actions/upload-artifact@v4
        with:
          name: aws-cdk-outputs
          path: outputs.json

  deploy-codedeploy:
    needs:
      - setup-deployments
      - push-image
      - deploy-aws-cdk
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    environment:
      name: prod-codedeploy
      url: ${{ steps.deploy.outputs.deployment-url }}
    steps:
      - uses: actions/checkout@v4

      - name: Download outputs artifact
        uses: actions/download-artifact@v4
        with:
          name: aws-cdk-outputs

      - name: Parse outputs
        id: parse
        uses: object-Object/ci/parse-cdk-outputs@v0
        with:
          file: outputs.json

      - uses: object-Object/ci/setup@v0
        with:
          python-version-file: .python-version
          role-to-assume: ${{ steps.parse.outputs.ActionsCodeDeployRoleARN }}

      - name: Create runtime files
        working-directory: codedeploy
        run: |
          mkdir -p secrets

          cat <<END_OF_FILE > .env
          IMAGE="${{ needs.push-image.outputs.digest }}"
          TOKEN="${{ secrets.DISCORD_TOKEN }}"
          GITHUB__CLIENT_SECRET="${{ secrets.GH_APP_CLIENT_SECRET }}"
          DEPLOYMENT="{}"
          DEPLOYMENT__COMMIT_SHA="${{ github.sha }}"
          DEPLOYMENT__COMMIT_TIMESTAMP="$(git show --no-patch --format=%at ${{ github.sha }})"
          DEPLOYMENT__COMMIT_MESSAGE="$(git log --oneline --format=%B -n 1 ${{ github.sha }} | head -n 1)"
          END_OF_FILE

          cat <<END_OF_FILE > secrets/github__private_key
          ${{ secrets.GH_APP_PRIVATE_KEY }}
          END_OF_FILE

      - name: Deploy application
        id: deploy
        uses: object-Object/ci/deploy-codedeploy@v0
        with:
          path: codedeploy
          stack: ${{ steps.parse.outputs.stack-name }}
          application: ${{ steps.parse.outputs.ApplicationName }}
          deployment-group: ${{ steps.parse.outputs.DeploymentGroupName }}
          s3-bucket: ${{ steps.parse.outputs.ArtifactsBucketName }}