fix(ci): Secrets unavailable for deploy jobs (#4215)

Flagsmith · Jun 24, 2024 · d56ad08 · d56ad08
1 parent d6f14f8
commit d56ad08
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 7 deletions.
diff --git a/.github/actions/api-deploy-ecs/action.yml b/.github/actions/api-deploy-ecs/action.yml
@@ -50,7 +50,7 @@ runs:
 
   steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v1-node16
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         aws-access-key-id: ${{ inputs.aws_access_key_id }}
         aws-secret-access-key: ${{ inputs.aws_secret_access_key }}

diff --git a/.github/actions/task-processor-deploy-ecs/action.yml b/.github/actions/task-processor-deploy-ecs/action.yml
@@ -26,7 +26,7 @@ runs:
 
   steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v1-node16
+      uses: aws-actions/configure-aws-credentials@v4
       with:
         aws-access-key-id: ${{ inputs.aws_access_key_id }}
         aws-secret-access-key: ${{ inputs.aws_secret_access_key }}

diff --git a/.github/workflows/.reusable-deploy-ecs.yml b/.github/workflows/.reusable-deploy-ecs.yml
@@ -33,11 +33,12 @@ jobs:
         uses: depot/setup-action@v1
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: eu-west-2
+          mask-aws-account-id: 'no'
 
       - name: Login to Amazon ECR
         id: login-ecr
@@ -61,7 +62,7 @@ jobs:
           build-args: CI_COMMIT_SHA=${{ github.sha }}
           secrets: |
             github_private_cloud_token=${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
-            sse_pgp_pkey=${{ secrets.SSE_PGP_PRIVATE_KEY }}
+            "sse_pgp_pkey=${{ secrets.SSE_PGP_PRIVATE_KEY }}"
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
@@ -85,7 +86,6 @@ jobs:
           aws_ecs_service_name: ${{ vars.AWS_ECS_SERVICE_NAME }}
           aws_vpc_subnet_id: ${{ vars.AWS_VPC_SUBNET_ID }}
           aws_ecs_security_group_id: ${{ vars.AWS_ECS_SECURITY_GROUP_ID }}
-          aws_ecr_repository_arn: ${{ vars.AWS_ECR_REPOSITORY_ARN }}
           aws_identity_migration_event_bus_name: ${{ vars.AWS_IDENTITY_MIGRATION_EVENT_BUS_NAME }}
           aws_identity_migration_event_bus_rule_id: ${{ vars.AWS_IDENTITY_MIGRATION_EVENT_BUS_RULE_ID }}
           aws_identity_migration_task_role_arn: ${{ vars.AWS_IDENTITY_MIGRATION_TASK_ROLE_ARN }}

diff --git a/.github/workflows/api-deploy-production-ecs.yml b/.github/workflows/api-deploy-production-ecs.yml
@@ -14,3 +14,4 @@ jobs:
     uses: ./.github/workflows/.reusable-deploy-ecs.yml
     with:
       environment: production
+    secrets: inherit
diff --git a/.github/workflows/api-deploy-staging-ecs.yml b/.github/workflows/api-deploy-staging-ecs.yml
@@ -15,3 +15,4 @@ jobs:
     uses: ./.github/workflows/.reusable-deploy-ecs.yml
     with:
       environment: staging
+    secrets: inherit
diff --git a/Dockerfile b/Dockerfile
@@ -167,8 +167,8 @@ FROM api-runtime-private as saas-api
 RUN --mount=type=secret,id=sse_pgp_pkey \
   apt-get update && apt-get install -y gnupg && \
   gpg --import /run/secrets/sse_pgp_pkey && \
-  mv /root/.gnupg /app/; \
-  chown -R nobody /app/.gnupg
+  mv /root/.gnupg/ /app/ && \
+  chown -R nobody /app/.gnupg/
 
 ARG PYTHON_SITE_DIR
 COPY --from=build-python-private ${PYTHON_SITE_DIR} ${PYTHON_SITE_DIR}