diff --git a/.github/workflows/ci-workflows.yml b/.github/workflows/ci-workflows.yml
index 75773a9..de53f7e 100644
--- a/.github/workflows/ci-workflows.yml
+++ b/.github/workflows/ci-workflows.yml
@@ -43,18 +43,27 @@ jobs:
 runs-on: ubuntu-latest
 needs: build-test
- env:
- POSTGRES_USER: tinyurl_ci
- POSTGRES_PASSWORD: ci_smoke_postgres_pass
- SPRING_DATASOURCE_USERNAME: tinyurl_appuser_ci
- SPRING_DATASOURCE_PASSWORD: ci_smoke_appuser_pass
- SPRING_FLYWAY_USER: tinyurl_ci
- SPRING_FLYWAY_PASSWORD: ci_smoke_postgres_pass
-
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ - name: Generate ephemeral CI credentials
+ run: |
+ PG_PASS=$(openssl rand -hex 16)
+ APP_PASS=$(openssl rand -hex 16)
+ echo "POSTGRES_USER=tinyurl_ci" >> $GITHUB_ENV
+ echo "POSTGRES_PASSWORD<> $GITHUB_ENV
+ echo "$PG_PASS" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+ echo "SPRING_DATASOURCE_USERNAME=tinyurl_appuser_ci" >> $GITHUB_ENV
+ echo "SPRING_DATASOURCE_PASSWORD<> $GITHUB_ENV
+ echo "$APP_PASS" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+ echo "SPRING_FLYWAY_USER=tinyurl_ci" >> $GITHUB_ENV
+ echo "SPRING_FLYWAY_PASSWORD<> $GITHUB_ENV
+ echo "$PG_PASS" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+
 - name: Validate docker compose configuration
 run: docker compose config >/dev/null
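Review bot: The two generated passwords are written to `$GITHUB_ENV` without being registered as masked values, so any later step in this job that prints its environment, or a `docker compose config` run without the `>/dev/null`, would show them in the job log in clear text; adding `echo "::add-mask::$PG_PASS"` and `echo "::add-mask::$APP_PASS"` directly after the two `openssl rand` lines keeps them out of the log (they are per-run values, so this is log hygiene rather than a leak of a long-lived secret). The same step is pasted verbatim into the `@@ -63` hunk below and into deploy.yml's `@@ -43` hunk, so the fix applies to all three copies. As rendered here the heredoc headers read `echo "POSTGRES_PASSWORD<> $GITHUB_ENV`, which looks like a display artefact of `<<EOF" >>` rather than the committed text; worth confirming the file itself is intact. `$GITHUB_ENV` should also be quoted in every redirection (`>> "$GITHUB_ENV"`), and the fixed `EOF` delimiter could be replaced by a per-run random delimiter, as the GitHub docs recommend for multiline values.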
@@ -63,18 +72,27 @@ jobs:
 runs-on: ubuntu-latest
 needs: compose-validate
- env:
- POSTGRES_USER: tinyurl_ci
- POSTGRES_PASSWORD: ci_smoke_postgres_pass
- SPRING_DATASOURCE_USERNAME: tinyurl_appuser_ci
- SPRING_DATASOURCE_PASSWORD: ci_smoke_appuser_pass
- SPRING_FLYWAY_USER: tinyurl_ci
- SPRING_FLYWAY_PASSWORD: ci_smoke_postgres_pass
-
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ - name: Generate ephemeral CI credentials
+ run: |
+ PG_PASS=$(openssl rand -hex 16)
+ APP_PASS=$(openssl rand -hex 16)
+ echo "POSTGRES_USER=tinyurl_ci" >> $GITHUB_ENV
+ echo "POSTGRES_PASSWORD<> $GITHUB_ENV
+ echo "$PG_PASS" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+ echo "SPRING_DATASOURCE_USERNAME=tinyurl_appuser_ci" >> $GITHUB_ENV
+ echo "SPRING_DATASOURCE_PASSWORD<> $GITHUB_ENV
+ echo "$APP_PASS" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+ echo "SPRING_FLYWAY_USER=tinyurl_ci" >> $GITHUB_ENV
+ echo "SPRING_FLYWAY_PASSWORD<> $GITHUB_ENV
+ echo "$PG_PASS" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+
 - name: Build and start stack
 run: docker compose up -d --build
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index aae7039..100a701 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -43,17 +43,26 @@ jobs:
 needs: build-test
 runs-on: ubuntu-latest
- env:
- POSTGRES_USER: tinyurl_ci
- POSTGRES_PASSWORD: ci_smoke_postgres_pass
- SPRING_DATASOURCE_USERNAME: tinyurl_appuser_ci
- SPRING_DATASOURCE_PASSWORD: ci_smoke_appuser_pass
- SPRING_FLYWAY_USER: tinyurl_ci
- SPRING_FLYWAY_PASSWORD: ci_smoke_postgres_pass
-
 steps:
 - uses: actions/checkout@v4
+ - name: Generate ephemeral CI credentials
+ run: |
+ PG_PASS=$(openssl rand -hex 16)
+ APP_PASS=$(openssl rand -hex 16)
+ echo "POSTGRES_USER=tinyurl_ci" >> $GITHUB_ENV
+ echo "POSTGRES_PASSWORD<> $GITHUB_ENV
+ echo "$PG_PASS" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+ echo "SPRING_DATASOURCE_USERNAME=tinyurl_appuser_ci" >> $GITHUB_ENV
+ echo "SPRING_DATASOURCE_PASSWORD<> $GITHUB_ENV
+ echo "$APP_PASS" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+ echo "SPRING_FLYWAY_USER=tinyurl_ci" >> $GITHUB_ENV
+ echo "SPRING_FLYWAY_PASSWORD<> $GITHUB_ENV
+ echo "$PG_PASS" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+
 - name: Build and start stack
 run: docker compose up -d --build
@@ -99,8 +108,12 @@ jobs:
 RDS_ENDPOINT=$(aws ssm get-parameter \
 --name "/tinyurl/cicd/rds-endpoint" \
 --query "Parameter.Value" --output text)
- echo "EC2_INSTANCE_ID=$EC2_INSTANCE_ID" >> $GITHUB_ENV
- echo "RDS_ENDPOINT=$RDS_ENDPOINT" >> $GITHUB_ENV
+ echo "EC2_INSTANCE_ID<> $GITHUB_ENV
+ echo "$EC2_INSTANCE_ID" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+ echo "RDS_ENDPOINT<> $GITHUB_ENV
+ echo "$RDS_ENDPOINT" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
 - name: Log in to GHCR
 uses: docker/login-action@v3
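Review bot: In the `@@ -99` hunk both heredoc blocks use the fixed delimiter `EOF` and `echo` to emit the value; the GitHub docs recommend a per-run random delimiter so that a value containing a line equal to the delimiter cannot terminate the block early, and `printf '%s\n' "$RDS_ENDPOINT"` avoids `echo` treating a leading `-n`/`-e` as an option. For an instance id and an RDS hostname this is unlikely to bite, so it is a robustness nit rather than a defect, but the values do come from outside the workflow. `$GITHUB_ENV` is unquoted in all six new redirections (`>> "$GITHUB_ENV"`). The `run:` block this sits in starts before the hunk (the `EC2_INSTANCE_ID=$(...)` assignment is outside the visible lines).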
@@ -110,17 +123,21 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push Docker image
+ env:
+ IMAGE_TAG: ${{ github.sha }}
 run: |
- docker build -t ghcr.io/buffden/tinyurl-api:${{ github.sha }} tinyurl/
- docker push ghcr.io/buffden/tinyurl-api:${{ github.sha }}
+ docker build -t ghcr.io/buffden/tinyurl-api:$IMAGE_TAG tinyurl/
+ docker push ghcr.io/buffden/tinyurl-api:$IMAGE_TAG
 - name: Deploy via SSM RunCommand
+ env:
+ IMAGE_TAG: ${{ github.sha }}
 run: |
 COMMAND_ID=$(aws ssm send-command \
 --instance-ids "$EC2_INSTANCE_ID" \
 --document-name "AWS-RunShellScript" \
 --parameters "commands=[
- \"export IMAGE_TAG=${{ github.sha }}\",
+ \"export IMAGE_TAG=$IMAGE_TAG\",
 \"export RDS_ENDPOINT=$RDS_ENDPOINT\",
 \"cd /app\",
 \"docker compose -f docker-compose.prod.yml pull\",
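Review bot: Moving `github.sha` into a step-level `env:` is the right pattern, but the `commands=[...]` string on the last lines is still assembled by runner-side shell interpolation: `$IMAGE_TAG` and `$RDS_ENDPOINT` expand into the JSON text before it reaches `aws ssm send-command`, and `$RDS_ENDPOINT` is read from Parameter Store in the earlier hunk, so a value containing `"` or `$(` would break or alter the script executed on the instance even though the Parameter Store value is normally trusted. Building the parameters document with `jq -n --arg tag "$IMAGE_TAG" --arg rds "$RDS_ENDPOINT" ...`, or single-quoting the exported values inside the remote script, would make that robust; the `run:` block continues past the end of the hunk. `IMAGE_TAG: ${{ github.sha }}` is now declared twice, once per step; a single job-level `env:` (outside this hunk) would remove the duplication. The image reference is also safer quoted: `docker build -t "ghcr.io/buffden/tinyurl-api:$IMAGE_TAG" tinyurl/`.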