From 95794fb3e53ecc1fc618d6e50572ef5848e2fd26 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 22 Apr 2025 18:56:27 +0800 Subject: [PATCH 1/4] use GitHub Actions environments to simplify deploy configuration --- .github/workflows/test-deploy-publish.yml | 66 ++++++++++++----------- actions-services.yml | 41 -------------- docker-compose.yml | 7 ++- scripts/build.sh | 10 ---- scripts/deploy.sh | 29 +--------- scripts/test.sh | 31 ----------- 6 files changed, 41 insertions(+), 143 deletions(-) delete mode 100644 actions-services.yml delete mode 100755 scripts/build.sh delete mode 100755 scripts/test.sh diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml index 704d2fa..31824dd 100644 --- a/.github/workflows/test-deploy-publish.yml +++ b/.github/workflows/test-deploy-publish.yml 
@@ -16,40 +16,49 @@ jobs: name: Tests runs-on: ubuntu-latest env: - AWS_REGION: ${{ vars.AWS_REGION }} - STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }} - STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }} - PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }} - PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }} + AWS_REGION: us-east-1 + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout code uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version-file: 'go.mod' + check-latest: true + - name: Test - run: docker compose -f actions-services.yml run --rm test ./scripts/test.sh + run: go test ./... lint: name: Lint and Vulnerability Scan runs-on: ubuntu-latest timeout-minutes: ${{ fromJSON(vars.DEFAULT_JOB_TIMEOUT_MINUTES) }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 - with: - go-version-file: 'go.mod' - check-latest: true - - name: golangci-lint - uses: golangci/golangci-lint-action@v6 - with: - version: latest - - name: govulncheck - run: | - go install golang.org/x/vuln/cmd/govulncheck@latest - govulncheck ./... + - name: Checkout code + uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version-file: 'go.mod' + check-latest: true + + - name: golangci-lint + uses: golangci/golangci-lint-action@v6 + with: + version: latest + + - name: govulncheck + run: | + go install golang.org/x/vuln/cmd/govulncheck@latest + govulncheck ./... deploy: name: Deploy to AWS Lambda needs: [ 'tests', 'lint' ] if: github.ref_name == 'main' || github.ref_name == 'develop' + environment: ${{ github.ref_name }} runs-on: ubuntu-latest concurrency: group: deploy-${{ github.ref }}-${{ matrix.region }} 
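Review bot: The `tests` job's new `env` block still injects `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from `secrets.*`, but unlike `deploy` it declares no `environment:`, so those names resolve from repository-level secrets rather than from the `main`/`develop` environments the commit message says it is moving to; either they are empty here, or long-lived deploy credentials are being handed to a job that runs `go test ./...` on every branch. If the tests do not need AWS access, drop the three credential lines from the `tests` job's `env` (the same applies to the reverted test step in PATCH 2/4); if they do, give the job an `environment:` and prefer short-lived credentials via `permissions: id-token: write` plus `aws-actions/configure-aws-credentials` over static keys. The `deploy` job's new `environment: ${{ github.ref_name }}` is only safe because of the `if:` on the line above it; a comment such as `# environment name must match the branch name (main, develop)` would make that coupling visible to whoever next edits the condition. The re-added lint steps keep `version: latest` and `govulncheck@latest`, which is acceptable for a scanner but worth pinning if reproducible lint results matter.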
@@ -58,23 +67,18 @@ jobs: matrix: region: [ us-east-1, us-west-2 ] env: - AWS_REGION: ${{ vars.AWS_REGION }} - STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }} - STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }} - STG_LAMBDA_ROLE: ${{ vars.STG_LAMBDA_ROLE }} - STG_API_KEY_TABLE: ${{ vars.STG_API_KEY_TABLE }} - STG_WEBAUTHN_TABLE: ${{ vars.STG_WEBAUTHN_TABLE }} - PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }} - PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }} - PRD_LAMBDA_ROLE: ${{ vars.PRD_LAMBDA_ROLE }} - PRD_API_KEY_TABLE: ${{ vars.PRD_API_KEY_TABLE }} - PRD_WEBAUTHN_TABLE: ${{ vars.PRD_WEBAUTHN_TABLE }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + LAMBDA_ROLE: ${{ vars.LAMBDA_ROLE }} + API_KEY_TABLE: ${{ vars.API_KEY_TABLE }} + WEBAUTHN_TABLE: ${{ vars.WEBAUTHN_TABLE }} steps: - name: Checkout code uses: actions/checkout@v4 + - name: Deploy - run: docker compose -f actions-services.yml run --rm app ./scripts/deploy.sh ${{ matrix.region }} + run: docker compose run app ./scripts/deploy.sh ${{ matrix.region }} build-and-publish: name: Build and Publish diff --git a/actions-services.yml b/actions-services.yml deleted file mode 100644 index 39a5895..0000000 --- a/actions-services.yml +++ /dev/null 
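Review bot: The new `run: docker compose run app ./scripts/deploy.sh ${{ matrix.region }}` relies on the `app` service in docker-compose.yml forwarding `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `LAMBDA_ROLE`, `API_KEY_TABLE` and `WEBAUTHN_TABLE` from the runner into the container; the deleted actions-services.yml did this explicitly with `$VAR` entries, and the docker-compose.yml hunks in this patch show no equivalent pass-through for `app`, so the values may never reach deploy.sh. Unless the service definition outside this diff already forwards them, pass them explicitly: `run: docker compose run -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e LAMBDA_ROLE -e API_KEY_TABLE -e WEBAUTHN_TABLE app ./scripts/deploy.sh ${{ matrix.region }}` (a bare `-e NAME` copies the host value without repeating the secret in the workflow file). `AWS_REGION` was also removed from this job's `env` and nothing on the new side sets it for the container, so AWS/serverless calls inside deploy.sh will fall back to whatever the image or compose file provides unless the script derives the region from its `$1` argument (outside this hunk).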
@@ -1,41 +0,0 @@ -services: - test: - build: . - environment: - AWS_ENDPOINT: http://dynamo:8000 - API_KEY_TABLE: ApiKey - WEBAUTHN_TABLE: WebAuthn - LAMBDA_ROLE: placeholder - AWS_REGION: localhost - GITHUB_REF_NAME: $GITHUB_REF_NAME - STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID - STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY - PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID - PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY - depends_on: - - dynamo - - app: - build: . - working_dir: /src - environment: - AWS_REGION: $AWS_REGION - GITHUB_REF_NAME: $GITHUB_REF_NAME - STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID - STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY - STG_LAMBDA_ROLE: $STG_LAMBDA_ROLE - STG_API_KEY_TABLE: $STG_API_KEY_TABLE - STG_WEBAUTHN_TABLE: $STG_WEBAUTHN_TABLE - PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID - PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY - PRD_LAMBDA_ROLE: $PRD_LAMBDA_ROLE - PRD_API_KEY_TABLE: $PRD_API_KEY_TABLE - PRD_WEBAUTHN_TABLE: $PRD_WEBAUTHN_TABLE - - dynamo: - image: amazon/dynamodb-local - environment: - AWS_ACCESS_KEY_ID: abc123 - AWS_SECRET_ACCESS_KEY: abc123 - AWS_DEFAULT_REGION: us-east-1 - command: "-jar DynamoDBLocal.jar -sharedDb" diff --git a/docker-compose.yml b/docker-compose.yml index 52b47ae..84234ca 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,7 +7,8 @@ services: volumes: - ./.cert/:/cert/ env_file: - - local.env + - path: ./local.env + required: false dynamo: image: amazon/dynamodb-local @@ -26,6 +27,7 @@ services: ports: - 8080 environment: + AWS_REGION: localhost AWS_ENDPOINT: http://dynamo:8000 AWS_DEFAULT_REGION: localhost AWS_ACCESS_KEY_ID: abc123 @@ -46,7 +48,8 @@ services: sls: build: . env_file: - - local.env + - path: ./local.env + required: false volumes: - .:/src command: ["bash"] diff --git a/scripts/build.sh b/scripts/build.sh deleted file mode 100755 index 6be0ce2..0000000 --- a/scripts/build.sh +++ /dev/null 
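Review bot: The `AWS_REGION: localhost` added in the `@@ -26,6 +27,7 @@` hunk of docker-compose.yml sits in an `environment:` block that also hard-codes `AWS_ACCESS_KEY_ID: abc123` and `AWS_DEFAULT_REGION: localhost`; literal values in `environment:` take precedence over same-named variables on the runner, so if this is the `app` service that the deploy job in this patch now starts with `docker compose run app`, the deployment would run with the local-DynamoDB placeholders instead of the real credentials and region. The service name is outside the hunk, so this needs confirming; if it is `app`, keep the local-only values in `local.env` (which the `@@ -7,7 +7,8 @@` and `@@ -46,7 +48,8 @@` hunks already make optional with `required: false`) rather than in the compose file. The `env_file` long form with `path:`/`required:` is a relatively recent Compose v2 addition; a one-line comment stating the minimum Compose version it needs would save local users with older tooling from an opaque parse error.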
@@ -1,10 +0,0 @@ -#!/usr/bin/env bash - -# Exit script with error if any step fails. -set -e - -# Echo out all commands for monitoring progress -set -x - -# When using the provided.al2 runtime, the binary must be named "bootstrap" and be in the root directory -CGO_ENABLED=0 go build -tags lambda.norpc -ldflags="-s -w" -o bootstrap ./lambda diff --git a/scripts/deploy.sh b/scripts/deploy.sh index 827ac37..033f264 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh @@ -7,34 +7,7 @@ set -e set -x # Build binaries -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -"$DIR"/build.sh - -# export appropriate env vars -if [ "${GITHUB_REF_NAME}" == "develop" ]; -then - STAGE="dev" - export AWS_ACCESS_KEY_ID="${STG_AWS_ACCESS_KEY_ID}" - set +x - export AWS_SECRET_ACCESS_KEY="${STG_AWS_SECRET_ACCESS_KEY}" - set -x - export LAMBDA_ROLE="${STG_LAMBDA_ROLE}" - export API_KEY_TABLE="${STG_API_KEY_TABLE}" - export WEBAUTHN_TABLE="${STG_WEBAUTHN_TABLE}" -elif [ "${GITHUB_REF_NAME}" == "main" ]; -then - STAGE="production" - export AWS_ACCESS_KEY_ID="${PRD_AWS_ACCESS_KEY_ID}" - set +x - export AWS_SECRET_ACCESS_KEY="${PRD_AWS_SECRET_ACCESS_KEY}" - set -x - export LAMBDA_ROLE="${PRD_LAMBDA_ROLE}" - export API_KEY_TABLE="${PRD_API_KEY_TABLE}" - export WEBAUTHN_TABLE="${PRD_WEBAUTHN_TABLE}" -else - echo "deployments only happen from develop and main branches (branch: ${GITHUB_REF_NAME})" - exit 1 -fi +CGO_ENABLED=0 go build -tags lambda.norpc -ldflags="-s -w" -o bootstrap ./lambda # Print the Serverless version in the logs serverless --version diff --git a/scripts/test.sh b/scripts/test.sh deleted file mode 100755 index dff9050..0000000 --- a/scripts/test.sh +++ /dev/null 
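Review bot: The removed branch selection in scripts/deploy.sh was the only place `STAGE` was assigned, and nothing on the new side replaces it, so if the rest of the script (outside this hunk) still runs `serverless … --stage "${STAGE}"`, it now receives an empty stage. Make the dependency explicit near the top of the script, e.g. `STAGE="${STAGE:?STAGE must be set to dev or production}"`, with the value supplied from the GitHub environment the deploy job now selects. The removed `else` branch was also the script's own refusal to deploy from other branches; that guard now lives solely in the workflow's `if:`, so a comment such as `# deploy only from the workflow's main/develop jobs; credentials and STAGE come from the GitHub environment` would record where the check moved. `set -x` remains active for the inline `go build`, which is fine, but any later line that interpolates a secret should keep the `set +x`/`set -x` wrapping the old code had.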
@@ -1,31 +0,0 @@ -#!/usr/bin/env bash - -# Exit script with error if any step fails. -set -e - -# Echo commands to console -set -x - -# export appropriate AWS credentials for `serverless info` -if [ "${GITHUB_REF_NAME}" == "main" ]; -then - STAGE="production" - export AWS_ACCESS_KEY_ID="${PRD_AWS_ACCESS_KEY_ID}" - set +x - export AWS_SECRET_ACCESS_KEY="${PRD_AWS_SECRET_ACCESS_KEY}" - set -x -else - STAGE="dev" - export AWS_ACCESS_KEY_ID="${STG_AWS_ACCESS_KEY_ID}" - set +x - export AWS_SECRET_ACCESS_KEY="${STG_AWS_SECRET_ACCESS_KEY}" - set -x -fi - -go test ./... - -# Print the Serverless version in the logs -serverless --version - -# Validate Serverless config -serverless info --stage "${STAGE}" From b9883ffdbbbb9087703a2d0e12d25840f3c6222f Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 22 Apr 2025 19:11:25 +0800 Subject: [PATCH 2/4] revert back to run tests in docker compose --- .github/workflows/test-deploy-publish.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml index 31824dd..e8a33f8 100644 --- a/.github/workflows/test-deploy-publish.yml +++ b/.github/workflows/test-deploy-publish.yml @@ -23,13 +23,8 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - uses: actions/setup-go@v5 - with: - go-version-file: 'go.mod' - check-latest: true - - name: Test - run: go test ./... + run: docker compose run app go test ./... lint: name: Lint and Vulnerability Scan From 2d2c7b89feda0113a3c20fe89d4f253c4beaf4a2 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 22 Apr 2025 19:14:08 +0800 Subject: [PATCH 3/4] no need to push a Docker image for every branch --- .github/workflows/test-deploy-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml index e8a33f8..8675093 100644 
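Review bot: `docker compose run app go test ./...` in PATCH 2/4 drops the `--rm` the original compose invocation had and, more importantly, switches from the deleted `test` service (which declared `depends_on: - dynamo` and `AWS_ENDPOINT: http://dynamo:8000`) to `app`, whose definition is outside this diff; if `app` does not start DynamoDB Local and point `AWS_ENDPOINT` at it, tests that touch the tables will fail or, worse, fall through to the repository-level `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` still present in this job's `env` and hit real tables. Confirm `app` carries the same `depends_on` and `AWS_ENDPOINT`, and write the step as `run: docker compose run --rm app go test ./...`.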
--- a/.github/workflows/test-deploy-publish.yml +++ b/.github/workflows/test-deploy-publish.yml @@ -78,6 +78,7 @@ jobs: build-and-publish: name: Build and Publish needs: [ 'tests', 'lint' ] + if: github.ref_name == 'main' || github.ref_name == 'develop' runs-on: ubuntu-latest steps: - name: Checkout code From 926684aa943a73243036838e44cf81f9f64d8b51 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 22 Apr 2025 19:23:06 +0800 Subject: [PATCH 4/4] don't need IMAGE_NAME --- .github/workflows/test-deploy-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml index 8675093..48f09b9 100644 --- a/.github/workflows/test-deploy-publish.yml +++ b/.github/workflows/test-deploy-publish.yml @@ -102,7 +102,7 @@ jobs: uses: docker/metadata-action@v5 with: images: | - ${{ vars.IMAGE_NAME }} + ${{ vars.DOCKER_ORG }}/${{ github.event.repository.name }} ghcr.io/${{ github.repository }} tags: | type=ref,event=branch
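Review bot: The new `if: github.ref_name == 'main' || github.ref_name == 'develop'` on `build-and-publish` also excludes tag pushes, because `github.ref_name` is the tag name for those; if the workflow's `on:` (outside this hunk) triggers on tags, or the metadata-action `tags:` block contains `type=semver` entries, those releases will no longer be published. If tags are intended, widen the guard to `if: github.ref_name == 'main' || github.ref_name == 'develop' || startsWith(github.ref, 'refs/tags/')`. The condition duplicates the one on `deploy`; a comment `# publish only from the same refs that deploy` keeps the two in step when one is edited.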
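Review bot: `${{ vars.DOCKER_ORG }}/${{ github.event.repository.name }}` in PATCH 4/4 expands to `/<repo>` when `DOCKER_ORG` is not defined as an Actions variable, which yields a malformed image name rather than a clear failure; the old single `IMAGE_NAME` variable had the same weakness, but the new form has two sources of truth and the failure is less obvious. Worth a short comment above `images:`, `# DOCKER_ORG must be set as a repository/organization Actions variable; the image is named after the repo`, and consider an early step guarded by `if: vars.DOCKER_ORG == ''` that fails with an explicit message before any build runs.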