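# Manually triggered workflow: builds the CSS bundle, runs Django
# collectstatic, and rsyncs ./static/ to Akamai NetStorage over SSH.
name: Build and Deploy Static Assets to Akamai

on:
  workflow_dispatch:
    inputs:
      environment:
        description: Environment to deploy to
        required: true
        type: choice
        options:
          - test
          # - sandbox
          # - prod

env:
  AWS_REGION: us-east-1
  TARGET_ENV: ${{ inputs.environment }}
  # NOTE(review): this comes from `vars`, and configuration variables are not
  # masked in logs the way `secrets` values are. Confirm it is a throwaway
  # key used only so collectstatic can start, not a real signing key.
  DJANGO_SECRET_KEY: ${{ vars.DJANGO_SECRET_KEY }}
  AWS_STORAGE_BUCKET_NAME: ${{ secrets.AWS_STORAGE_BUCKET_NAME }}

permissions:
  # Required for the OIDC role assumption in "Configure AWS credentials".
  id-token: write
  # NOTE(review): no step in this workflow pushes commits or calls the
  # Actions API, so `contents: read` and dropping `actions` look sufficient.
  # Confirm against the CodeBuild runner setup before tightening.
  contents: write
  actions: write

jobs:
  collect-and-deploy:
    name: Collect and Deploy (${{ inputs.environment }})
    runs-on: codebuild-bb-${{ inputs.environment }}-web-server-${{ github.run_id }}-${{ github.run_attempt }}
    environment: ${{ inputs.environment }}
    steps:
      # NOTE(review): the third-party actions below are referenced by mutable
      # major-version tags (@v4). Pinning each to a full commit SHA keeps a
      # re-tagged release from changing what runs next to the OIDC token and
      # the deploy key.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # No later step runs git against the remote, so do not leave the
          # job token in .git/config while pip and npm install scripts run.
          persist-credentials: false

      - name: Setup Python 3.12
        run: |
          pyenv install 3.12 --skip-existing || pyenv install 3.12.0 --skip-existing
          pyenv global 3.12 || pyenv global 3.12.0

      # Mask sensitive values BEFORE assuming the role so the configure-aws-credentials
      # action output is redacted. ::add-mask:: only affects subsequent log lines.
      # Only the test role is wired up here; enabling sandbox/prod in the inputs
      # above also needs a per-environment role ARN in this step and the next.
      - name: Pre-mask sensitive values
        env:
          ROLE_ARN: ${{ secrets.AWS_ROLE_ARN_TEST }}
          TEST_ROLE_ID: ${{ secrets.TEST_AWS_ROLE_ID_MASK }}
        run: |
          echo "::add-mask::${ROLE_ARN}"
          # Mask the account ID extracted from the ARN
          ACCOUNT_ID=$(echo "${ROLE_ARN}" | cut -d: -f5)
          echo "::add-mask::${ACCOUNT_ID}"
          # Mask the IAM role unique ID (AROA...) to prevent it from appearing in logs.
          # Written as an `if` so an unset secret does not leave the script's
          # last command with a non-zero status and fail the step.
          if [[ -n "${TEST_ROLE_ID}" ]]; then
            echo "::add-mask::${TEST_ROLE_ID}"
          fi

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: static/bluebutton-css/package-lock.json

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_TEST }}
          aws-region: ${{ env.AWS_REGION }}
          mask-aws-account-id: true

      # Post-creds: mask the runtime caller identity values (UserId, full ARN)
      - name: Post-mask caller identity
        run: |
          # The identity document is captured in a variable and never echoed.
          CALLER=$(aws sts get-caller-identity --output json)
          ROLE_ID=$(echo "$CALLER" | jq -r '.UserId' | cut -d: -f1)
          echo "::add-mask::${ROLE_ID}"
          FULL_USER_ID=$(echo "$CALLER" | jq -r '.UserId')
          echo "::add-mask::${FULL_USER_ID}"

      - name: Determine Akamai upload path
        id: akamai
        run: |
          case "${TARGET_ENV}" in
            test) echo "path=/1197010/test.static.bluebutton.cms.gov/bbapi-static/" >> "$GITHUB_OUTPUT" ;;
            staging) echo "path=/1197010/staging.bluebutton.cms.gov/bbapi-static/" >> "$GITHUB_OUTPUT" ;;
            prod) echo "path=/1197010/bluebutton.cms.gov/bbapi-static/" >> "$GITHUB_OUTPUT" ;;
            *)
              # Fail closed: an unmatched environment would leave `path` empty
              # and the deploy step would sync with --delete to the account root.
              echo "Unsupported environment: ${TARGET_ENV}" >&2
              exit 1
              ;;
          esac

      - name: Install Python dependencies
        run: |
          python -m venv venv
          source venv/bin/activate
          python -m pip install --upgrade pip setuptools wheel
          pip install -r requirements/requirements.txt

      - name: Compile and Build CSS assets
        working-directory: static/bluebutton-css
        run: |
          npm ci
          npm run gulp

      # these `find` commands are being left in to speed up the process
      # TODO - remove this, either after cleaning up static files or pointing the API to Akamai instead of S3
      - name: Collect static files
        run: |
          source venv/bin/activate
          find static/ -type f ! -name "*.css" -delete
          find static/ -empty -type d -delete
          python manage.py collectstatic --noinput

      - name: Setup Akamai SSH key
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the key is never parsed by the shell.
          AKAMAI_SCP_SSH_KEY: ${{ secrets.AKAMAI_SCP_SSH_KEY }}
        run: |
          # Create the key file owner-only from the start rather than
          # tightening its mode after the contents are written.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "${AKAMAI_SCP_SSH_KEY}" > ~/.ssh/akamai_key
          chmod 600 ~/.ssh/akamai_key
          # NOTE(review): `StrictHostKeyChecking no` turns off host-key
          # verification, so the runner cannot tell the real NetStorage
          # endpoint from an impostor before uploading. Prefer installing the
          # endpoint's public host key in ~/.ssh/known_hosts (for example from
          # a repository variable, <KNOWN_HOSTS_ENTRY placeholder>) and
          # setting `StrictHostKeyChecking yes`.
          # NOTE(review): `+ssh-dss` re-enables the legacy DSA host-key
          # algorithm, which current OpenSSH disables by default. Confirm
          # whether the endpoint offers a stronger host key type so this line
          # can be dropped.
          cat > ~/.ssh/config <<'EOF'
          Host bluebuttoncms.rsync.upload.akamai.com
            HostKeyAlgorithms +ssh-dss
            StrictHostKeyChecking no
            IdentityFile ~/.ssh/akamai_key
          EOF

      - name: Deploy to Akamai NetStorage
        env:
          AKAMAI_SSH_USER: ${{ secrets.AKAMAI_SSH_USER }}
          AKAMAI_PATH: ${{ steps.akamai.outputs.path }}
        run: |
          # `rsync --delete` removes remote files that are absent locally, so
          # never run it against an empty (account-root) destination path.
          if [[ -z "${AKAMAI_PATH}" ]]; then
            echo "Akamai upload path is empty; refusing to sync." >&2
            exit 1
          fi
          DEST="${AKAMAI_SSH_USER}@bluebuttoncms.rsync.upload.akamai.com:${AKAMAI_PATH}"
          echo "Syncing static files to Akamai..."
          # Masking the updated path
          echo "::add-mask::${DEST}"
          rsync -avz --delete \
            -e "ssh" \
            ./static/ \
            "${DEST}"

      # Runs even when an earlier step fails so the key never outlives the job.
      - name: Cleanup SSH key
        if: always()
        run: rm -f ~/.ssh/akamai_key ~/.ssh/config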