GitHub 针对多个环境的操作
GitHub Actions for multiple Environments
我正在与 GitHub 一起在多个环境中部署基于容器的应用程序,我有两个环境,
- 开发
- 产品
我正在两个环境中构建应用程序,这是我的 yml 文件:
name: 'Manual - Build & Deploy - Enterprise'
on:
push:
branches-ignore:
- '**'
workflow_dispatch:
inputs:
git-ref:
description: Git Ref (Optional)
default: develop
required: false
account:
description: slb-dev, slb-prod
default: slb-dev
required: true
environment:
description: development (main, int, qs), production (v1_demo, v1_rosecity, demo)
default: main
required: false
microservice:
description: chroma, liquid, tenant, dashboard, lims, lims-simulator, client, logging, metrc
default: chroma
required: false
builddir:
description: MicroChromatographyService/MicroChromatographyService, MicroLiquidHandlingService/MicroLiquidHandlingService, MicroTenantService/MicroTenantService, MicroDashboardService/MicroDashboardService, LIMSIntegrationService/LIMSIntegrationService, LIMSSimulatorService/LIMSSimulatorService, IntegrationHubClientService/IntegrationHubClientService, PerkinElmer.LoggingService/PerkinElmer.LoggingService, MetRCReportService/MetRCReportService
default: MicroChromatographyService/MicroChromatographyService
required: false
jobs:
setup:
name: Setup ENV Variables
runs-on: ubuntu-latest
environment:
name: dev
url: https://dev.test.com
steps:
- name: Set Vars
id: setvars
run: |
echo "::set-output name=APP_NAME::${{ github.event.inputs.microservice }}"
echo "::set-output name=AWS_REGION::us-east-1"
echo "::set-output name=SHA8::${{ github.sha }} | cut -c1-8)"
echo "::set-output name=BUILD_DIR::${{ github.event.inputs.builddir }}"
echo "::set-output name=ECR_REPOSITORY::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
echo "::set-output name=ECS_CLUSTER::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}"
echo "::set-output name=ECS_SERVICE::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
echo "::set-output name=ECS_TASK_DEFINITION::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
echo "::set-output name=ECS_TASK_DEFINITION_FILE::task-definition-${{ github.event.inputs.microservice }}.json"
echo "::set-output name=ECS_CONTAINER_NAME::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
outputs:
APP_NAME: ${{ steps.setvars.outputs.APP_NAME }}
AWS_REGION: ${{ steps.setvars.outputs.AWS_REGION }}
SHA8: ${{ steps.setvars.outputs.SHA8 }}
BUILD_DIR: ${{ steps.setvars.outputs.BUILD_DIR }}
ECR_REPOSITORY: ${{ steps.setvars.outputs.ECR_REPOSITORY }}
ECS_CLUSTER: ${{ steps.setvars.outputs.ECS_CLUSTER }}
ECS_SERVICE: ${{ steps.setvars.outputs.ECS_SERVICE }}
ECS_TASK_DEFINITION: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION }}
ECS_TASK_DEFINITION_FILE: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION_FILE }}
ECS_CONTAINER_NAME: ${{ steps.setvars.outputs.ECS_CONTAINER_NAME }}
DeployDev:
name: Deploy to Dev
needs: setup
runs-on: ubuntu-latest
permissions:
packages: write
contents: write
id-token: write
environment:
name: dev
url: 'http://dev.myapp.com'
steps:
- name: Set Environments
run: |
if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
fi
if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
fi
- name: Clone Repository (Current branch)
uses: actions/checkout@v2
if: github.event.inputs.git-ref == ''
- name: Clone Repository (Custom Ref)
uses: actions/checkout@v2
if: github.event.inputs.git-ref != ''
with:
ref: ${{ github.event.inputs.git-ref }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ needs.setup.outputs.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
IMAGE_TAG: ${{ github.sha }}
run: |
cd ${{ needs.setup.outputs.BUILD_DIR }}
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Download task definition
run: |
aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ needs.setup.outputs.ECS_SERVICE }}
cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
wait-for-service-stability: true
DeployProd:
name: Deploy to Production
needs: [DeployDev]
runs-on: ubuntu-latest
permissions:
packages: write
contents: write
id-token: write
environment:
name: Production
url: 'http://www.myapp.com'
steps:
- name: Set Environments
run: |
if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
fi
if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
fi
- name: Clone Repository (Current branch)
uses: actions/checkout@v2
if: github.event.inputs.git-ref == ''
- name: Clone Repository (Custom Ref)
uses: actions/checkout@v2
if: github.event.inputs.git-ref != ''
with:
ref: ${{ github.event.inputs.git-ref }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ needs.setup.outputs.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
IMAGE_TAG: ${{ github.sha }}
run: |
cd ${{ needs.setup.outputs.BUILD_DIR }}
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Download task definition
run: |
aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ needs.setup.outputs.ECS_SERVICE }}
cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
wait-for-service-stability: true
但是我收到错误:
尝试登录时,我不确定是什么原因造成的。我正在从 GitHub Secrets 调用凭据,它似乎在进行单独构建时有效,但是当我尝试在不同的环境中进行时,我收到此错误。
直到最近更新 aws 操作需要将 aws creds 配置为 github 回购密码。之后它将设置为 env vars 中的那些凭据,这使得它们可以在整个 github 操作中访问。
在你的yml文件中应该是这样的
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secret.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secret.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ needs.setup.outputs.AWS_REGION }}
注意 [IMP]:在最近的更新中,aws-actions 现在支持 OIDC 功能,这使我们能够使用角色而不是在我们现在考虑的 repo 中存储 creds一个不好的做法。参考文档 -> https://github.com/aws-actions/configure-aws-credentials#assuming-a-role
我对 OIDC 问题写了一个类似的答案,也许它可以帮助
我正在与 GitHub 一起在多个环境中部署基于容器的应用程序,我有两个环境,
- 开发
- 产品
我正在两个环境中构建应用程序,这是我的 yml 文件:
name: 'Manual - Build & Deploy - Enterprise'
on:
push:
branches-ignore:
- '**'
workflow_dispatch:
inputs:
git-ref:
description: Git Ref (Optional)
default: develop
required: false
account:
description: slb-dev, slb-prod
default: slb-dev
required: true
environment:
description: development (main, int, qs), production (v1_demo, v1_rosecity, demo)
default: main
required: false
microservice:
description: chroma, liquid, tenant, dashboard, lims, lims-simulator, client, logging, metrc
default: chroma
required: false
builddir:
description: MicroChromatographyService/MicroChromatographyService, MicroLiquidHandlingService/MicroLiquidHandlingService, MicroTenantService/MicroTenantService, MicroDashboardService/MicroDashboardService, LIMSIntegrationService/LIMSIntegrationService, LIMSSimulatorService/LIMSSimulatorService, IntegrationHubClientService/IntegrationHubClientService, PerkinElmer.LoggingService/PerkinElmer.LoggingService, MetRCReportService/MetRCReportService
default: MicroChromatographyService/MicroChromatographyService
required: false
jobs:
setup:
name: Setup ENV Variables
runs-on: ubuntu-latest
environment:
name: dev
url: https://dev.test.com
steps:
- name: Set Vars
id: setvars
run: |
echo "::set-output name=APP_NAME::${{ github.event.inputs.microservice }}"
echo "::set-output name=AWS_REGION::us-east-1"
echo "::set-output name=SHA8::${{ github.sha }} | cut -c1-8)"
echo "::set-output name=BUILD_DIR::${{ github.event.inputs.builddir }}"
echo "::set-output name=ECR_REPOSITORY::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
echo "::set-output name=ECS_CLUSTER::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}"
echo "::set-output name=ECS_SERVICE::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
echo "::set-output name=ECS_TASK_DEFINITION::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
echo "::set-output name=ECS_TASK_DEFINITION_FILE::task-definition-${{ github.event.inputs.microservice }}.json"
echo "::set-output name=ECS_CONTAINER_NAME::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
outputs:
APP_NAME: ${{ steps.setvars.outputs.APP_NAME }}
AWS_REGION: ${{ steps.setvars.outputs.AWS_REGION }}
SHA8: ${{ steps.setvars.outputs.SHA8 }}
BUILD_DIR: ${{ steps.setvars.outputs.BUILD_DIR }}
ECR_REPOSITORY: ${{ steps.setvars.outputs.ECR_REPOSITORY }}
ECS_CLUSTER: ${{ steps.setvars.outputs.ECS_CLUSTER }}
ECS_SERVICE: ${{ steps.setvars.outputs.ECS_SERVICE }}
ECS_TASK_DEFINITION: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION }}
ECS_TASK_DEFINITION_FILE: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION_FILE }}
ECS_CONTAINER_NAME: ${{ steps.setvars.outputs.ECS_CONTAINER_NAME }}
DeployDev:
name: Deploy to Dev
needs: setup
runs-on: ubuntu-latest
permissions:
packages: write
contents: write
id-token: write
environment:
name: dev
url: 'http://dev.myapp.com'
steps:
- name: Set Environments
run: |
if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
fi
if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
fi
- name: Clone Repository (Current branch)
uses: actions/checkout@v2
if: github.event.inputs.git-ref == ''
- name: Clone Repository (Custom Ref)
uses: actions/checkout@v2
if: github.event.inputs.git-ref != ''
with:
ref: ${{ github.event.inputs.git-ref }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ needs.setup.outputs.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
IMAGE_TAG: ${{ github.sha }}
run: |
cd ${{ needs.setup.outputs.BUILD_DIR }}
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Download task definition
run: |
aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ needs.setup.outputs.ECS_SERVICE }}
cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
wait-for-service-stability: true
DeployProd:
name: Deploy to Production
needs: [DeployDev]
runs-on: ubuntu-latest
permissions:
packages: write
contents: write
id-token: write
environment:
name: Production
url: 'http://www.myapp.com'
steps:
- name: Set Environments
run: |
if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
fi
if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
fi
- name: Clone Repository (Current branch)
uses: actions/checkout@v2
if: github.event.inputs.git-ref == ''
- name: Clone Repository (Custom Ref)
uses: actions/checkout@v2
if: github.event.inputs.git-ref != ''
with:
ref: ${{ github.event.inputs.git-ref }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ needs.setup.outputs.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
IMAGE_TAG: ${{ github.sha }}
run: |
cd ${{ needs.setup.outputs.BUILD_DIR }}
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Download task definition
run: |
aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ needs.setup.outputs.ECS_SERVICE }}
cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
wait-for-service-stability: true
但是我收到错误:
直到最近更新 aws 操作需要将 aws creds 配置为 github 回购密码。之后它将设置为 env vars 中的那些凭据,这使得它们可以在整个 github 操作中访问。
在你的yml文件中应该是这样的
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secret.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secret.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ needs.setup.outputs.AWS_REGION }}
注意 [IMP]:在最近的更新中,aws-actions 现在支持 OIDC 功能,这使我们能够使用角色而不是在我们现在考虑的 repo 中存储 creds一个不好的做法。参考文档 -> https://github.com/aws-actions/configure-aws-credentials#assuming-a-role
我对 OIDC 问题写了一个类似的答案,也许它可以帮助