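# Builds Docker images for all Lambda functions and pushes to ECR.
# Terraform (triggered at the end) updates the Lambda functions.
#
# Cloud-only: to-www, from-github (always active)
# Fallback:   from-youtube, from-discogs, to-spotify, manage-playlists (for k3s failover)
#
# Requires GitHub secrets:
#   AWS_ACCESS_KEY_ID
#   AWS_SECRET_ACCESS_KEY
#
# NOTE(review): these are long-lived IAM access keys stored as repository
# secrets. aws-actions/configure-aws-credentials also supports GitHub OIDC
# (`role-to-assume` plus `permissions: id-token: write`), which removes the
# stored keys; that needs an IAM role and trust policy that are not visible
# from this file. The IAM permissions behind the keys are not visible here
# either. Confirm they are limited to ECR login/push for these repositories.
#
# NOTE(review): third-party actions are referenced by mutable tags (@v4/@v5).
# Pinning each `uses:` to a full commit SHA keeps the code that runs with the
# AWS credentials from changing underneath the workflow.

name: Deploy Lambda

on:
  push:
    branches: [master]
  workflow_dispatch:

# NOTE(review): cancel-in-progress can stop a run after some images were
# pushed but before Terraform is triggered. Because build-cloud only looks at
# the tip commit, a later run may not rebuild what the cancelled run skipped.
concurrency:
  group: deploy-lambda
  cancel-in-progress: true

# Least privilege for GITHUB_TOKEN: the build jobs only need to read the
# repository. apply-terraform widens this for itself below.
permissions:
  contents: read

env:
  AWS_REGION: eu-west-1

jobs:
  # Builds and pushes the cloud-only functions, one matrix job per function,
  # and skips the AWS steps when the function directory did not change.
  build-cloud:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        function: [to-www, from-github]
    steps:
      - uses: actions/checkout@v5
        with:
          # The change check below diffs HEAD~1..HEAD. The default shallow
          # clone (depth 1) has no HEAD~1, so `git diff` would fail and the
          # fallback would mark every function as changed on every push.
          fetch-depth: 2

      - name: Check if function changed
        id: check
        # Expression values are passed through the environment rather than
        # being expanded into the script text.
        env:
          EVENT_NAME: ${{ github.event_name }}
          FUNCTION: ${{ matrix.function }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            # Manual runs always rebuild.
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            # If the diff itself fails, fall back to "changed" so that a
            # broken check never silently skips a deploy.
            # Only the tip commit is compared; a push carrying several
            # commits can miss changes made in the earlier ones.
            CHANGED=$(git diff --name-only HEAD~1 HEAD -- "functions/${FUNCTION}/" || echo "functions/${FUNCTION}/")
            if [ -n "$CHANGED" ]; then
              echo "changed=true" >> "$GITHUB_OUTPUT"
            else
              echo "changed=false" >> "$GITHUB_OUTPUT"
            fi
          fi

      - name: Configure AWS credentials
        if: steps.check.outputs.changed == 'true'
        uses: aws-actions/configure-aws-credentials@v5
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Get AWS account ID
        if: steps.check.outputs.changed == 'true'
        id: aws
        run: echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"

      - name: Login to ECR
        if: steps.check.outputs.changed == 'true'
        env:
          REGISTRY: ${{ steps.aws.outputs.account_id }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com
        # The registry password is piped on stdin, so it never appears in the
        # process arguments.
        run: |
          aws ecr get-login-password | docker login --username AWS --password-stdin "$REGISTRY"

      # NOTE(review): unlike build-fallback, this job does not run
      # setup-qemu-action / setup-buildx-action before an arm64 build.
      # Confirm the runner can build these Dockerfiles for linux/arm64.
      - name: Build and push to ECR
        if: steps.check.outputs.changed == 'true'
        env:
          FUNCTION: ${{ matrix.function }}
          REGISTRY: ${{ steps.aws.outputs.account_id }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com
        # NOTE(review): `:latest` is a mutable tag. How Terraform selects the
        # image (tag or digest) is not visible from this file.
        run: |
          IMAGE="${REGISTRY}/${FUNCTION}:latest"
          docker buildx build --platform linux/arm64 --provenance=false --output type=docker \
            -t "${FUNCTION}" "functions/${FUNCTION}"
          docker tag "${FUNCTION}:latest" "${IMAGE}"
          docker push "${IMAGE}"
          echo "Pushed ${FUNCTION}"

  # Builds and pushes every fallback function on each run (no change check),
  # using each function's Dockerfile.aws.
  build-fallback:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

      - name: Set up QEMU for arm64 builds
        uses: docker/setup-qemu-action@v4
        with:
          platforms: arm64

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Get AWS account ID
        id: aws
        run: echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"

      - name: Login to ECR
        env:
          REGISTRY: ${{ steps.aws.outputs.account_id }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com
        run: |
          aws ecr get-login-password | docker login --username AWS --password-stdin "$REGISTRY"

      - name: Build and push fallback images to ECR
        env:
          REGISTRY: ${{ steps.aws.outputs.account_id }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com
        run: |
          for func in from-youtube from-discogs to-spotify manage-playlists; do
            echo "=== Building ${func} ==="
            IMAGE="${REGISTRY}/${func}:latest"
            docker buildx build --platform linux/arm64 --provenance=false --output type=docker \
              -t "${func}" -f "functions/${func}/Dockerfile.aws" "functions/${func}"
            docker tag "${func}:latest" "${IMAGE}"
            docker push "${IMAGE}"
            echo "Pushed ${func}"
          done

  # Dispatches terraform.yml once every build job has finished successfully.
  apply-terraform:
    needs: [build-cloud, build-fallback]
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow default: dispatching a
    # workflow with GITHUB_TOKEN needs actions: write, and checkout needs
    # contents: read.
    permissions:
      actions: write
      contents: read
    steps:
      - uses: actions/checkout@v5

      - name: Trigger Terraform apply
        run: gh workflow run terraform.yml
        env:
          GH_TOKEN: ${{ github.token }}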