
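---
# Builds each lambda under lambdas/<path> into a zip inside the builder
# container and publishes it, keyed by commit SHA, to every
# `quilt-lambda-<region>` bucket in the commercial and GovCloud partitions.
# The ECR job is a placeholder (see its TODO).
#
# NOTE(review): anyone who can push to `ci_deploy_lambdas` triggers a Prod
# and GovCloud deploy; protect that branch accordingly.
name: Deploy lambdas to S3 and ECR

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - ci_deploy_lambdas

# Least-privilege default for GITHUB_TOKEN across all jobs; a job that needs
# more (e.g. id-token for OIDC) grants it explicitly at job level.
permissions:
  contents: read

jobs:
  deploy-lambda-s3:
    strategy:
      matrix:
        path:
          - access_counts
          # - es/indexer
          # - pkgevents
          # - pkgpush
          # - pkgselect
          # - preview
          # - s3hash
          # - s3select
          # - status_reports
          # - tabular_preview
          # - transcode
    runs-on: ubuntu-latest
    # id-token: write is required to mint the OIDC token that
    # configure-aws-credentials exchanges for AWS credentials;
    # contents: read is enough for the checkout.
    permissions:
      id-token: write
      contents: read
    steps:
      # NOTE(review): `@v4` and the `build-3.8` image tag are mutable.
      # Consider pinning the actions to commit SHAs and the builder image to a
      # digest so a moved upstream tag cannot change what gets deployed.
      - uses: actions/checkout@v4
      - name: Build zip
        # Pass the matrix value through env instead of interpolating `${{ }}`
        # into the script, so the shell never sees raw expression output.
        env:
          LAMBDA_PATH: ${{ matrix.path }}
        run: |
          set -euo pipefail
          BUILDER_IMAGE=quiltdata/lambda:build-3.8
          docker pull "$BUILDER_IMAGE"
          # Docker creates a *directory* when a bind-mount source is missing;
          # pre-create the file so /out.zip inside the container is a file.
          touch ./out.zip
          docker run --rm \
            --entrypoint /build_zip.sh \
            -v "$PWD/lambdas/$LAMBDA_PATH":/lambda/function:z \
            -v "$PWD/lambdas/shared":/lambda/shared:z \
            -v "$PWD/out.zip":/out.zip:z \
            -v "$PWD/lambdas/build_zip.sh":/build_zip.sh:z \
            "$BUILDER_IMAGE"
      - name: Configure AWS credentials from Prod account
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::730278974607:role/github/GitHub-Quilt
          aws-region: us-east-1
      - name: Upload zips to Prod S3
        env:
          LAMBDA_PATH: ${{ matrix.path }}
          # Must match `aws-region` in the credentials step above; the
          # original script referenced $primary_region without defining it,
          # which expanded to an empty bucket suffix.
          PRIMARY_REGION: us-east-1
        run: |
          set -euo pipefail
          regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
          # Key by the lambda's own directory name. basename of $PWD is the
          # checkout root and is the same for every matrix entry, so all
          # lambdas would have overwritten one key.
          lambda_name=$(basename "$LAMBDA_PATH")
          s3_key="$lambda_name/$GITHUB_SHA.zip"
          # Objects are published world-readable — presumably so consumers can
          # fetch them anonymously (confirm). The zip must therefore never
          # contain secrets. Buckets with ACLs disabled (Object Ownership
          # "bucket owner enforced") reject --acl; verify bucket settings.
          echo "Uploading to $PRIMARY_REGION..."
          aws s3 cp --acl public-read ./out.zip "s3://quilt-lambda-$PRIMARY_REGION/$s3_key"
          for region in $regions; do
            if [ "$region" != "$PRIMARY_REGION" ]; then
              echo "Copying to $region..."
              aws s3 cp --acl public-read \
                "s3://quilt-lambda-$PRIMARY_REGION/$s3_key" \
                "s3://quilt-lambda-$region/$s3_key" \
                --region "$region" --source-region "$PRIMARY_REGION"
            fi
          done
          echo "Deployed $s3_key"
      - name: Configure AWS credentials from GovCloud account
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws-us-gov:iam::313325871032:role/github/GitHub-Quilt
          aws-region: us-gov-east-1
      - name: Upload zips to GovCloud S3
        # Same script as the Prod step; only the primary region differs.
        env:
          LAMBDA_PATH: ${{ matrix.path }}
          # Must match `aws-region` in the GovCloud credentials step above.
          PRIMARY_REGION: us-gov-east-1
        run: |
          set -euo pipefail
          regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
          lambda_name=$(basename "$LAMBDA_PATH")
          s3_key="$lambda_name/$GITHUB_SHA.zip"
          # World-readable on purpose; see the Prod step for the caveats.
          echo "Uploading to $PRIMARY_REGION..."
          aws s3 cp --acl public-read ./out.zip "s3://quilt-lambda-$PRIMARY_REGION/$s3_key"
          for region in $regions; do
            if [ "$region" != "$PRIMARY_REGION" ]; then
              echo "Copying to $region..."
              aws s3 cp --acl public-read \
                "s3://quilt-lambda-$PRIMARY_REGION/$s3_key" \
                "s3://quilt-lambda-$region/$s3_key" \
                --region "$region" --source-region "$PRIMARY_REGION"
            fi
          done
          echo "Deployed $s3_key"

  deploy-lambda-ecr:
    strategy:
      matrix:
        path:
          - molecule
          - thumbnail
    runs-on: ubuntu-latest
    # No AWS access yet; the checkout only needs to read the repo. Grant
    # id-token: write here when the ECR push is implemented.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker image
        run: |
          echo TODO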