Add GitHub Actions workflow

CMeeg · Mar 3, 2024 · 3b88a3b · 3b88a3b
1 parent e5bdda0
commit 3b88a3b
Show file tree

Hide file tree

Showing 2 changed files with 122 additions and 8 deletions.
diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml
@@ -0,0 +1,103 @@
+on:
+  workflow_dispatch:
+  push:
+    # Run when commits are pushed to main branch
+    branches:
+      - main
+
+# GitHub Actions workflow to deploy to Azure using azd
+
+# Set up permissions for deploying with secretless Azure federated credentials
+# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  init:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Set environment'
+        id: set_env
+        run: |
+          Write-Output "Running on branch $env:GITHUB_REF"
+          if ($env:GITHUB_REF -eq "refs/heads/main") {
+            Add-Content $env:GITHUB_OUTPUT "APP_ENV=production"
+          } else {
+            Add-Content $env:GITHUB_OUTPUT "APP_ENV=unknown"
+          }
+        shell: pwsh
+        env:
+            GITHUB_REF: ${{ github.ref }}
+
+      - name: 'Show target environment'
+        run: echo "`APP_ENV` is set to '${{ steps.set_env.outputs.APP_ENV }}'"
+        shell: pwsh
+
+    outputs:
+      APP_ENV: ${{ steps.set_env.outputs.APP_ENV }}
+
+  deploy:
+    needs: [init]
+    if: needs.init.outputs.APP_ENV != 'unknown'
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ needs.init.outputs.APP_ENV }}
+    env:
+      AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+      AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+      APP_ENV: ${{ needs.init.outputs.APP_ENV }}
+      MIN_LOG_LEVEL: ${{ vars.MIN_LOG_LEVEL }}
+      SERVICE_WEB_APP_CONTAINER_CPU_CORE_COUNT: ${{ vars.SERVICE_WEB_APP_CONTAINER_CPU_CORE_COUNT }}
+      SERVICE_WEB_APP_CONTAINER_MEMORY: ${{ vars.SERVICE_WEB_APP_CONTAINER_MEMORY }}
+      SERVICE_WEB_APP_CONTAINER_MIN_REPLICAS: ${{ vars.SERVICE_WEB_APP_CONTAINER_MIN_REPLICAS }}
+      SERVICE_WEB_APP_CONTAINER_MAX_REPLICAS: ${{ vars.SERVICE_WEB_APP_CONTAINER_MAX_REPLICAS }}
+      SERVICE_WEB_APP_CUSTOM_DOMAIN_NAME: ${{ vars.SERVICE_WEB_APP_CUSTOM_DOMAIN_NAME }}
+      SERVICE_WEB_APP_CUSTOM_DOMAIN_CERT_ID: ${{ vars.SERVICE_WEB_APP_CUSTOM_DOMAIN_CERT_ID }}
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v3
+
+      - name: 'Install azd'
+        uses: Azure/setup-azd@v0.1.0
+
+      - name: 'Install Nodejs'
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+
+      - name: 'Log in with Azure (federated credentials)'
+        if: ${{ env.AZURE_CLIENT_ID != '' }}
+        run: |
+          azd auth login `
+            --client-id "$Env:AZURE_CLIENT_ID" `
+            --federated-credential-provider "github" `
+            --tenant-id "$Env:AZURE_TENANT_ID"
+        shell: pwsh
+
+      - name: 'Log in with Azure (client credentials)'
+        if: ${{ env.AZURE_CREDENTIALS != '' }}
+        run: |
+          $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
+          Write-Host "::add-mask::$($info.clientSecret)"
+
+          azd auth login `
+            --client-id "$($info.clientId)" `
+            --client-secret "$($info.clientSecret)" `
+            --tenant-id "$($info.tenantId)"
+        shell: pwsh
+
+      - name: 'Create `.env` file'
+        run: npm run env:init
+        shell: pwsh
+
+      - name: 'Provision infrastructure'
+        run: azd provision --no-prompt
+        shell: pwsh
+
+      - name: 'Deploy application'
+        run: azd deploy --no-prompt
+        shell: pwsh
diff --git a/README.md b/README.md
@@ -222,7 +222,7 @@ You don't need to do anything specific to add the workflow in GitHub Actions, th
    * Click `New environment`, name it `production`, and click `Configure environment`
    * Add protection rules if you wish, though it's not required
 
-> You can read more about creating environments in the [GitHub documentation](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). Note that there are limitations with Environments in GitHub if you are using a Free acount and your repository is private.
+> You can read more about creating environments in the [GitHub documentation](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#creating-an-environment). Note that there are limitations with Environments in GitHub if you are using a Free account and your repository is private.
 
 #### Setup permissions in Azure
 
@@ -252,15 +252,19 @@ You don't need to do anything specific to add the workflow in GitHub Actions, th
      * Click `Add` -> `Add role assignment`
      * Select `Privileged administrator roles` -> `Contributor`
      * Click `Next`
-     * Click `Select members` and select your Service principal
+     * On the `Members` tab, click `Select members`
+     * Search for and select the Service principal you created in the previous step
      * Click `Review + assign` and complete the Role assignment
    * Assign the `Role Based Access Control Administrator` role
      * Click `Add` -> `Add role assignment`
      * Select `Privileged administrator roles` -> `Role Based Access Control Administrator`
      * Click `Next`
-     * Click `Select members` and select your Service principal
+     * On the `Members` tab, click `Select members`
+     * Search for and select the Service principal you created in the previous step
      * Click `Next`
-     * Select `Constrain roles` and only allow assignment of the `AcrPull` role
+     * On the `Conditions` tab, click `Select roles and principals`
+     * Click `Configure` on `Constrain roles` and only allow assignment of the `AcrPull` role
+     * Click `Save` x 2
      * Click `Review + assign` and complete the Role assignment
 
 #### Add Environment variables
@@ -285,15 +289,22 @@ You don't need to do anything specific to add the workflow in GitHub Actions, th
 
 💡 If you add additional environment variables for use in your app and want to override them in this environment then you can come back here later to add or change anything as needed.
 
-TODO: Test the below - hopefully this isn't the case as it is an extra step that is a bit of a pain!
-
-> If you add environment variables to `.env.template` you must also make sure you edit the `Create .env file` step of the `deploy` job in `.github/workflows/azure-dev.yml` to make them available as environment variables when `npm run env:init` is executed in the pipeline.
+> If you add additional environment variables to use in your app (i.e. in `.env.local.template`) or infrastructure (i.e. in `main.parameters.json`) you must also make sure you add them to the `env` of the `deploy` job in `.github/workflows/azure-dev.yml` to make them available as environment variables when the steps are executed in the pipeline.
 >
 > GitHub Actions doesn't automatically make environment variables available to scripts so they need to be added explicitly to this step (this is something you don't need to do in the AZDO pipeline, which does expose its environment variables to scripts implicitly).
 
 #### Run the pipeline
 
-TODO: Write this
+The pipeline is designed to run automatically by pushing commits to the `main` branch.
+
+You can also run the pipeline manually:
+
+* Go to your [GitHub](https://github.com/) repo
+* Click on `Actions`
+* In the left sidebar, click on the `azure-dev.yml` workflow
+* Click `Run workflow`
+* Select the `main` branch
+* Click `Run workflow`
 
 ### Azure DevOps Pipelines