Change pipelines to use tags and secure them properly

Adria Navarro 2023-06-06 11:12:29 +01:00
parent cfd7100c8c
commit 8d6e8967c5
6 changed files with 69 additions and 28 deletions


@ -2,23 +2,29 @@ name: Budibase Deploy Production
on: on:
workflow_dispatch: workflow_dispatch:
inputs:
version:
description: Budibase release version. For example - 1.0.0
required: false
jobs: jobs:
release: release:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Fail if branch is not master - name: Fail if not a tag
if: github.ref != 'refs/heads/master'
run: | run: |
echo "Ref is not master, you must run this job from master." if [[ $GITHUB_REF != refs/tags/* ]]; then
exit 1 echo "Workflow Dispatch can only be run on tags"
exit 1
fi
- uses: actions/checkout@v2 - uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Fail if tag is not in master
run: |
if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then
echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch"
exit 1
fi
- name: Pull values.yaml from budibase-infra - name: Pull values.yaml from budibase-infra
run: | run: |
@ -31,11 +37,7 @@ jobs:
- name: Get the latest budibase release version - name: Get the latest budibase release version
id: version id: version
run: | run: |
if [ -z "${{ github.event.inputs.version }}" ]; then release_version=$(cat lerna.json | jq -r '.version')
release_version=$(cat lerna.json | jq -r '.version')
else
release_version=${{ github.event.inputs.version }}
fi
echo "RELEASE_VERSION=$release_version" >> $GITHUB_ENV echo "RELEASE_VERSION=$release_version" >> $GITHUB_ENV
- name: Configure AWS Credentials - name: Configure AWS Credentials
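Review bot: The "Fail if not a tag" and "Fail if tag is not in master" steps live in the workflow file itself, and a manually dispatched run loads that file from the ref it is dispatched on, so the guards only hold while the tagged commit's copy of the workflow still contains them. They stop accidental runs from a branch, but the rule that production deploys come from reviewed master commits is better enforced outside the file, for example with a protected deployment environment and a tag protection rule, if these are not already configured. A comment on the first step such as `# Guards against accidental runs only; access control is enforced by environment and tag protection` would make that explicit. As a smaller point, the ancestor check could use `"$GITHUB_SHA"` instead of `${{ github.sha }}`, matching the `$GITHUB_REF` usage above and keeping expression interpolation out of the script body. Both points apply to the other workflows in this commit that add the same steps.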


@ -1,17 +1,30 @@
name: "deploy-preprod" name: "deploy-preprod"
on: on:
workflow_dispatch: workflow_dispatch:
inputs:
version:
description: Budibase release version. For example - 1.0.0
required: false
workflow_call: workflow_call:
jobs: jobs:
deploy-to-legacy-preprod-env: deploy-to-legacy-preprod-env:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Fail if not a tag
run: |
if [[ $GITHUB_REF != refs/tags/* ]]; then
echo "Workflow Dispatch can only be run on tags"
exit 1
fi
- uses: actions/checkout@v2 - uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Fail if tag is not in master
run: |
if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then
echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch"
exit 1
fi
- name: Get the latest budibase release version - name: Get the latest budibase release version
id: version id: version
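Review bot: This workflow also declares a `workflow_call:` trigger, and in a called workflow `GITHUB_REF` is the ref of the calling run, so the new "Fail if not a tag" step also rejects any caller running from a branch, with a message that names only Workflow Dispatch. The callers are not visible here; confirm they all run on tags, and reword the message to something trigger-neutral such as `echo "This workflow can only be run on tags"`. The "Get the latest budibase release version" step continues outside the hunk. If it still reads `github.event.inputs.version`, that reference looks dead now that the `version` input appears to have been removed, and it should be dropped as in the production workflow.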


@ -22,6 +22,13 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Fail if not a tag
run: |
if [[ $GITHUB_REF != refs/tags/* ]]; then
echo "Workflow Dispatch can only be run on tags"
exit 1
fi
- uses: actions/checkout@v2 - uses: actions/checkout@v2
with: with:
submodules: true submodules: true
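Review bot: Only the "Fail if not a tag" step is added in this file, while the other workflows in this commit also run `git merge-base --is-ancestor ... origin/master` after checkout. No such step is visible here, so a tag created on a commit that was never merged to master would pass the guard. Unless the check already exists further down, outside the hunk, add the same "Fail if tag is not in master" step after `actions/checkout` and set `fetch-depth: 0` on the checkout so that `origin/master` and the needed history are available.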


@ -27,7 +27,7 @@ jobs:
token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
fetch-depth: 0 fetch-depth: 0
- name: Fail if tag is not master - name: Fail if tag is not in master
run: | run: |
if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then
echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch" echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch"


@ -8,16 +8,24 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Fail if branch is not master - name: Fail if not a tag
if: github.ref != 'refs/heads/master'
run: | run: |
echo "Ref is not master, you must run this job from master." if [[ $GITHUB_REF != refs/tags/* ]]; then
exit 1 echo "Workflow Dispatch can only be run on tags"
exit 1
fi
- uses: actions/checkout@v2 - uses: actions/checkout@v2
with: with:
fetch_depth: 0 fetch_depth: 0
- name: Fail if tag is not in master
run: |
if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then
echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch"
exit 1
fi
- name: Use Node.js 14.x - name: Use Node.js 14.x
uses: actions/setup-node@v1 uses: actions/setup-node@v1
with: with:
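Review bot: The checkout just above the new "Fail if tag is not in master" step passes `fetch_depth: 0` with an underscore, whereas the input that `actions/checkout` defines is `fetch-depth`, so the option is most likely ignored and the clone stays shallow. In a shallow clone of a tag, `origin/master` and the history that `git merge-base --is-ancestor` needs are probably missing, so the new guard would fail on every run rather than only for tags outside master. Change the line to `fetch-depth: 0`, as the other workflows in this commit do.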


@ -15,13 +15,24 @@ jobs:
matrix: matrix:
node-version: [14.x] node-version: [14.x]
steps: steps:
- name: Fail if branch is not master - name: Fail if not a tag
if: github.ref != 'refs/heads/master'
run: | run: |
echo "Ref is not master, you must run this job from master." if [[ $GITHUB_REF != refs/tags/* ]]; then
exit 1 echo "Workflow Dispatch can only be run on tags"
exit 1
fi
- name: "Checkout" - name: "Checkout"
uses: actions/checkout@v2 uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Fail if tag is not in master
run: |
if ! git merge-base --is-ancestor ${{ github.sha }} origin/master; then
echo "Tag is not in master. This pipeline can only execute tags that are present on the master branch"
exit 1
fi
- name: Use Node.js ${{ matrix.node-version }} - name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v1 uses: actions/setup-node@v1
with: with: