.github/workflows/cd.yml

name: CD

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  deploy:
    name: 🚀 CD Workflow
    runs-on: ubuntu-latest
    env:
      AWS_INSTANCE_SG_ID: ${{ secrets.SECURITY_GROUP_ID }}
    timeout-minutes: 5
    steps:
      - name: 📦 Checkout code
        uses: actions/checkout@v4

      - name: ⚙️ Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Get IP Addresses
        id: ip
        uses: candidob/get-runner-ip@v1.0.0  

      - name: ⚙️ Whitelist runner ip address
        id: whitelist-ip
        run: |
          aws ec2 authorize-security-group-ingress \
            --group-id $AWS_INSTANCE_SG_ID \
            --protocol tcp \
            --port 22 \
            --cidr ${{ steps.ip.outputs.ipv4}}/32

      - name: 🔐 Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: 🏗️ Build, tag and push Image to Amazon ECR
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: unext-backend-ecr
          IMAGE_TAG: ${{ github.sha }}
          GIT_SECRET_PRIVATE_KEY: ${{ secrets.GIT_SECRET_PRIVATE_KEY }}
          GIT_SECRET_PASSWORD: ${{ secrets.GIT_SECRET_PASSWORD }}
        run: |
          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG \
          --build-arg GIT_SECRET_PRIVATE_KEY="$GIT_SECRET_PRIVATE_KEY" \
          --build-arg GIT_SECRET_PASSWORD="$GIT_SECRET_PASSWORD" \
          --no-cache --progress=plain .
          docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG

      - name: 🚀 Deploy and start container
        uses: appleboy/ssh-action@v1.0.3

        with:
          host: ${{ secrets.HOSTNAME }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.SECRET_SSH_KEY }}
          script: |
            aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.${{ secrets.ECR_REGISTRY }}
            docker pull ${{ secrets.AWS_ACCOUNT_ID }}.${{ secrets.ECR_REGISTRY }}/unext-backend-ecr:${{ github.sha }}
            docker stop unext-backend
            docker rm unext-backend
            docker run -d --name unext-backend -p ${{ secrets.PORT }}:${{ secrets.PORT }} ${{ secrets.AWS_ACCOUNT_ID }}.${{ secrets.ECR_REGISTRY }}/unext-backend-ecr:${{ github.sha }}

      - name: 🏗️ Revoke runner ip address
        if: ${{ always() && steps.whitelist-ip.conclusion == 'success' }}
        run: |
          aws ec2 revoke-security-group-ingress \
            --group-id $AWS_INSTANCE_SG_ID \
            --protocol tcp \
            --port 22 \
            --cidr ${{ steps.ip.outputs.ipv4 }}/32