Update workflow permissions #25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release to Production | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- main | |
permissions: | |
id-token: write # This is required for Az CLI Login | |
contents: read # This is required for actions/checkout | |
concurrency: # This is required to prevent multiple runs of the same workflow from running at the same time. | |
group: ${{ github.workflow }} | |
jobs: | |
apps-ci: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: frasermolyneux/actions/dotnet-web-ci@main | |
with: | |
dotnet-project: "web-app" | |
dotnet-version: 7.0.x | |
src-folder: "src" | |
- uses: frasermolyneux/actions/dotnet-func-ci@main | |
with: | |
dotnet-project: "func-app" | |
dotnet-version: 7.0.x | |
src-folder: "src" | |
terraform-plan-and-apply-dev: | |
environment: Development | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: frasermolyneux/actions/terraform-plan-and-apply@main | |
with: | |
terraform-folder: "terraform" | |
terraform-var-file: "tfvars/dev.tfvars" | |
terraform-backend-file: "backends/dev.backend.hcl" | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- id: terraform-output | |
shell: bash | |
run: | | |
cd terraform | |
echo "web_apps=$(terraform output -json web_apps)" >> $GITHUB_OUTPUT | |
echo "func_apps=$(terraform output -json func_apps)" >> $GITHUB_OUTPUT | |
env: | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
ARM_USE_OIDC: true | |
outputs: | |
web_apps: ${{ steps.terraform-output.outputs.web_apps }} | |
func_apps: ${{ steps.terraform-output.outputs.func_apps }} | |
app-service-deploy-dev: | |
environment: Development | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
web_app: ${{ fromJSON(needs.terraform-plan-and-apply-dev.outputs.web_apps) }} | |
needs: [apps-ci, terraform-plan-and-apply-dev] | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: frasermolyneux/actions/deploy-app-service@main | |
with: | |
web-artifact-name: "web-app" | |
web-app-name: ${{ matrix.web_app.name }} | |
resource-group-name: ${{ matrix.web_app.resource_group_name }} | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
func-app-deploy-dev: | |
environment: Development | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
func_app: ${{ fromJSON(needs.terraform-plan-and-apply-dev.outputs.func_apps) }} | |
needs: [apps-ci, terraform-plan-and-apply-dev] | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: frasermolyneux/actions/deploy-function-app@main | |
with: | |
function-app-artifact-name: "func-app" | |
function-app-name: ${{ matrix.func_app.name }} | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
terraform-plan-and-apply-prd: | |
environment: Production | |
runs-on: ubuntu-latest | |
needs: [terraform-plan-and-apply-dev, app-service-deploy-dev, func-app-deploy-dev] | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: frasermolyneux/actions/terraform-plan-and-apply@main | |
with: | |
terraform-folder: "terraform" | |
terraform-var-file: "tfvars/prd.tfvars" | |
terraform-backend-file: "backends/prd.backend.hcl" | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- id: terraform-output | |
shell: bash | |
run: | | |
cd terraform | |
echo "web_apps=$(terraform output -json web_apps)" >> $GITHUB_OUTPUT | |
echo "func_apps=$(terraform output -json func_apps)" >> $GITHUB_OUTPUT | |
env: | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
ARM_USE_OIDC: true | |
outputs: | |
web_apps: ${{ steps.terraform-output.outputs.web_apps }} | |
func_apps: ${{ steps.terraform-output.outputs.func_apps }} | |
app-service-deploy-prd: | |
environment: Production | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
web_app: ${{ fromJSON(needs.terraform-plan-and-apply-prd.outputs.web_apps) }} | |
needs: [apps-ci, terraform-plan-and-apply-prd] | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: frasermolyneux/actions/deploy-app-service@main | |
with: | |
web-artifact-name: "web-app" | |
web-app-name: ${{ matrix.web_app.name }} | |
resource-group-name: ${{ matrix.web_app.resource_group_name }} | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
func-app-deploy-prd: | |
environment: Production | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
func_app: ${{ fromJSON(needs.terraform-plan-and-apply-prd.outputs.func_apps) }} | |
needs: [apps-ci, terraform-plan-and-apply-prd] | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: frasermolyneux/actions/deploy-function-app@main | |
with: | |
function-app-artifact-name: "func-app" | |
function-app-name: ${{ matrix.func_app.name }} | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |