diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml index 704d2fa..48f09b9 100644 --- a/.github/workflows/test-deploy-publish.yml +++ b/.github/workflows/test-deploy-publish.yml @@ -16,40 +16,44 @@ jobs: name: Tests runs-on: ubuntu-latest env: - AWS_REGION: ${{ vars.AWS_REGION }} - STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }} - STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }} - PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }} - PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }} + AWS_REGION: us-east-1 + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout code uses: actions/checkout@v4 + - name: Test - run: docker compose -f actions-services.yml run --rm test ./scripts/test.sh + run: docker compose run app go test ./... lint: name: Lint and Vulnerability Scan runs-on: ubuntu-latest timeout-minutes: ${{ fromJSON(vars.DEFAULT_JOB_TIMEOUT_MINUTES) }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 - with: - go-version-file: 'go.mod' - check-latest: true - - name: golangci-lint - uses: golangci/golangci-lint-action@v6 - with: - version: latest - - name: govulncheck - run: | - go install golang.org/x/vuln/cmd/govulncheck@latest - govulncheck ./... + - name: Checkout code + uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version-file: 'go.mod' + check-latest: true + + - name: golangci-lint + uses: golangci/golangci-lint-action@v6 + with: + version: latest + + - name: govulncheck + run: | + go install golang.org/x/vuln/cmd/govulncheck@latest + govulncheck ./... deploy: name: Deploy to AWS Lambda needs: [ 'tests', 'lint' ] if: github.ref_name == 'main' || github.ref_name == 'develop' + environment: ${{ github.ref_name }} runs-on: ubuntu-latest concurrency: group: deploy-${{ github.ref }}-${{ matrix.region }} 
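Review bot: The `tests` job now carries live `secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY` in its job-level `env:` although, unlike `deploy`, it has no `if:` branch gate and no `environment:`, so these repository-level secrets are handed to every run of the workflow while the step itself is only `docker compose run app go test ./...`. Compose does not forward the runner's environment into the container unless the compose file interpolates or passes those variables through, so unless the `app` service does that these two entries are unused here and should be removed from this job; if the tests genuinely need AWS access, bind the job to an `environment:` as `deploy` now does so the secrets are scoped. The `lint` steps are a reshuffle of the same content and need nothing. Consider restoring `--rm`, which the old command had: `run: docker compose run --rm app go test ./...`.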
@@ -58,27 +62,23 @@ jobs: matrix: region: [ us-east-1, us-west-2 ] env: - AWS_REGION: ${{ vars.AWS_REGION }} - STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }} - STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }} - STG_LAMBDA_ROLE: ${{ vars.STG_LAMBDA_ROLE }} - STG_API_KEY_TABLE: ${{ vars.STG_API_KEY_TABLE }} - STG_WEBAUTHN_TABLE: ${{ vars.STG_WEBAUTHN_TABLE }} - PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }} - PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }} - PRD_LAMBDA_ROLE: ${{ vars.PRD_LAMBDA_ROLE }} - PRD_API_KEY_TABLE: ${{ vars.PRD_API_KEY_TABLE }} - PRD_WEBAUTHN_TABLE: ${{ vars.PRD_WEBAUTHN_TABLE }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + LAMBDA_ROLE: ${{ vars.LAMBDA_ROLE }} + API_KEY_TABLE: ${{ vars.API_KEY_TABLE }} + WEBAUTHN_TABLE: ${{ vars.WEBAUTHN_TABLE }} steps: - name: Checkout code uses: actions/checkout@v4 + - name: Deploy - run: docker compose -f actions-services.yml run --rm app ./scripts/deploy.sh ${{ matrix.region }} + run: docker compose run app ./scripts/deploy.sh ${{ matrix.region }} build-and-publish: name: Build and Publish needs: [ 'tests', 'lint' ] + if: github.ref_name == 'main' || github.ref_name == 'develop' runs-on: ubuntu-latest steps: - name: Checkout code @@ -102,7 +102,7 @@ jobs: uses: docker/metadata-action@v5 with: images: | - ${{ vars.IMAGE_NAME }} + ${{ vars.DOCKER_ORG }}/${{ github.event.repository.name }} ghcr.io/${{ github.repository }} tags: | type=ref,event=branch diff --git a/actions-services.yml b/actions-services.yml deleted file mode 100644 index 39a5895..0000000 --- a/actions-services.yml +++ /dev/null 
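Review bot: The `deploy` job's `env:` still injects a long-lived static key pair via `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`; now that the job is bound to `environment: ${{ github.ref_name }}`, this is the natural point to move to short-lived credentials with `aws-actions/configure-aws-credentials` and an environment-scoped role (`permissions: id-token: write`), which removes the static secret from the environment entirely. Separately, `AWS_REGION` and `GITHUB_REF_NAME` are no longer provided to the container and the only region signal left is the `${{ matrix.region }}` argument to `./scripts/deploy.sh`, so confirm the script no longer reads `GITHUB_REF_NAME` (the removed branch-to-stage block in `scripts/deploy.sh` did). The `if:` added to `build-and-publish` mirrors the `deploy` condition; if that job pushes to registries, bind it to the same `environment:` so its registry credentials are environment-scoped as well.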
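Review bot: `${{ vars.DOCKER_ORG }}/${{ github.event.repository.name }}` silently degrades to `/<repository-name>` when the `DOCKER_ORG` variable is missing in the selected scope, and `docker/metadata-action` will then emit tags that are likely rejected only at push time rather than here. The old `vars.IMAGE_NAME` was a single value; now that the name is composed, validate it before the metadata step, e.g. `run: test -n "${{ vars.DOCKER_ORG }}" || { echo "DOCKER_ORG is not set"; exit 1; }`. `github.event.repository.name` is also only present when the triggering event payload carries a repository object, so check it against the workflow's triggers, which are outside this hunk.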
@@ -1,41 +0,0 @@ -services: - test: - build: . - environment: - AWS_ENDPOINT: http://dynamo:8000 - API_KEY_TABLE: ApiKey - WEBAUTHN_TABLE: WebAuthn - LAMBDA_ROLE: placeholder - AWS_REGION: localhost - GITHUB_REF_NAME: $GITHUB_REF_NAME - STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID - STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY - PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID - PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY - depends_on: - - dynamo - - app: - build: . - working_dir: /src - environment: - AWS_REGION: $AWS_REGION - GITHUB_REF_NAME: $GITHUB_REF_NAME - STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID - STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY - STG_LAMBDA_ROLE: $STG_LAMBDA_ROLE - STG_API_KEY_TABLE: $STG_API_KEY_TABLE - STG_WEBAUTHN_TABLE: $STG_WEBAUTHN_TABLE - PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID - PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY - PRD_LAMBDA_ROLE: $PRD_LAMBDA_ROLE - PRD_API_KEY_TABLE: $PRD_API_KEY_TABLE - PRD_WEBAUTHN_TABLE: $PRD_WEBAUTHN_TABLE - - dynamo: - image: amazon/dynamodb-local - environment: - AWS_ACCESS_KEY_ID: abc123 - AWS_SECRET_ACCESS_KEY: abc123 - AWS_DEFAULT_REGION: us-east-1 - command: "-jar DynamoDBLocal.jar -sharedDb" diff --git a/docker-compose.yml b/docker-compose.yml index 52b47ae..84234ca 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,7 +7,8 @@ services: volumes: - ./.cert/:/cert/ env_file: - - local.env + - path: ./local.env + required: false dynamo: image: amazon/dynamodb-local @@ -26,6 +27,7 @@ services: ports: - 8080 environment: + AWS_REGION: localhost AWS_ENDPOINT: http://dynamo:8000 AWS_DEFAULT_REGION: localhost AWS_ACCESS_KEY_ID: abc123 @@ -46,7 +48,8 @@ services: sls: build: . env_file: - - local.env + - path: ./local.env + required: false volumes: - .:/src command: ["bash"] diff --git a/scripts/build.sh b/scripts/build.sh deleted file mode 100755 index 6be0ce2..0000000 --- a/scripts/build.sh +++ /dev/null 
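Review bot: `AWS_REGION: localhost` is added to a service whose `environment:` also hardcodes `AWS_ENDPOINT: http://dynamo:8000` and `AWS_ACCESS_KEY_ID: abc123`; the service name sits outside the hunk, but if this is the `app` service that the workflow now uses for `docker compose run app ./scripts/deploy.sh`, the literal values win over the runner's job env (compose does not forward host variables unless the file interpolates them), and the deployment would target dynamodb-local with dummy credentials. Either make the CI-relevant keys pass-through with a local fallback, e.g. `AWS_REGION: ${AWS_REGION:-localhost}` and `AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-abc123}`, or keep a dedicated CI service as the deleted `actions-services.yml` did. `localhost` is not a real region string and only works because the endpoint is overridden, which deserves an inline comment. The `path:`/`required: false` form of `env_file` in the first and third hunks is the Compose long syntax and is only understood by recent Compose v2 releases, so document the minimum version the project expects.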
@@ -1,10 +0,0 @@ -#!/usr/bin/env bash - -# Exit script with error if any step fails. -set -e - -# Echo out all commands for monitoring progress -set -x - -# When using the provided.al2 runtime, the binary must be named "bootstrap" and be in the root directory -CGO_ENABLED=0 go build -tags lambda.norpc -ldflags="-s -w" -o bootstrap ./lambda diff --git a/scripts/deploy.sh b/scripts/deploy.sh index 827ac37..033f264 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh @@ -7,34 +7,7 @@ set -e set -x # Build binaries -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -"$DIR"/build.sh - -# export appropriate env vars -if [ "${GITHUB_REF_NAME}" == "develop" ]; -then - STAGE="dev" - export AWS_ACCESS_KEY_ID="${STG_AWS_ACCESS_KEY_ID}" - set +x - export AWS_SECRET_ACCESS_KEY="${STG_AWS_SECRET_ACCESS_KEY}" - set -x - export LAMBDA_ROLE="${STG_LAMBDA_ROLE}" - export API_KEY_TABLE="${STG_API_KEY_TABLE}" - export WEBAUTHN_TABLE="${STG_WEBAUTHN_TABLE}" -elif [ "${GITHUB_REF_NAME}" == "main" ]; -then - STAGE="production" - export AWS_ACCESS_KEY_ID="${PRD_AWS_ACCESS_KEY_ID}" - set +x - export AWS_SECRET_ACCESS_KEY="${PRD_AWS_SECRET_ACCESS_KEY}" - set -x - export LAMBDA_ROLE="${PRD_LAMBDA_ROLE}" - export API_KEY_TABLE="${PRD_API_KEY_TABLE}" - export WEBAUTHN_TABLE="${PRD_WEBAUTHN_TABLE}" -else - echo "deployments only happen from develop and main branches (branch: ${GITHUB_REF_NAME})" - exit 1 -fi +CGO_ENABLED=0 go build -tags lambda.norpc -ldflags="-s -w" -o bootstrap ./lambda # Print the Serverless version in the logs serverless --version diff --git a/scripts/test.sh b/scripts/test.sh deleted file mode 100755 index dff9050..0000000 --- a/scripts/test.sh +++ /dev/null 
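Review bot: The removed block held the only assignments of `STAGE` visible in `scripts/deploy.sh`, and neither the new line nor the workflow's deploy job env (`AWS_*`, `LAMBDA_ROLE`, `API_KEY_TABLE`, `WEBAUTHN_TABLE`) sets it, so if the rest of the script, outside this hunk, still invokes `serverless` with `--stage "${STAGE}"` it now receives an empty stage. Add a guard directly after the build line, `: "${STAGE:?STAGE must be set (dev or production)}"`, or derive it from `GITHUB_REF_NAME` as before. The branch check that refused to deploy from anything but `develop`/`main` also left the script, so the workflow `if:` is now the sole control; a one-line comment at the top stating that the script expects to run only inside the gated job would keep that explicit.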
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-# Exit script with error if any step fails.
-set -e
-
-# Echo commands to console
-set -x
-
-# export appropriate AWS credentials for `serverless info`
-if [ "${GITHUB_REF_NAME}" == "main" ];
-then
- STAGE="production"
- export AWS_ACCESS_KEY_ID="${PRD_AWS_ACCESS_KEY_ID}"
- set +x
- export AWS_SECRET_ACCESS_KEY="${PRD_AWS_SECRET_ACCESS_KEY}"
- set -x
-else
- STAGE="dev"
- export AWS_ACCESS_KEY_ID="${STG_AWS_ACCESS_KEY_ID}"
- set +x
- export AWS_SECRET_ACCESS_KEY="${STG_AWS_SECRET_ACCESS_KEY}"
- set -x
-fi
-
-go test ./...
-
-# Print the Serverless version in the logs
-serverless --version
-
-# Validate Serverless config
-serverless info --stage "${STAGE}"