previewuse/github-actions.example.yml at main · getlark/previewuse · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# Example GitHub Actions workflow. Save as .github/workflows/preview.yml.
#
# Uses OIDC to assume an AWS role — set AWS_ROLE_ARN in repo settings. Configure
# the role with permissions to launch / terminate EC2, manage Route53 records
# in your hosted zone, and read/write the S3 bucket from PREVIEW_S3_BUCKET.
#
# Required secrets:
#   AWS_ROLE_ARN              (IAM role for OIDC)
#   PREVIEW_SSH_PRIVATE_KEY   (base64-encoded SSH private key)
#   PREVIEW_KEY_NAME          (EC2 key pair; or set in preview.config.sh)
#   ...plus any secrets listed in PREVIEW_FORWARD_ENV

name: Preview environments

on:
  pull_request:
    types: [opened, synchronize, reopened, closed, labeled]

permissions:
  id-token: write
  contents: read
  pull-requests: write

jobs:
  deploy:
    if: github.event.action != 'closed'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
      - name: Deploy preview
        env:
          PREVIEW_SSH_PRIVATE_KEY: ${{ secrets.PREVIEW_SSH_PRIVATE_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Forward any secrets listed in PREVIEW_FORWARD_ENV here, e.g.
          # STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
        run: bash scripts/deploy.sh "${{ github.head_ref }}"

  teardown:
    if: github.event.action == 'closed'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
      - name: Teardown preview
        run: bash scripts/teardown.sh "${{ github.head_ref }}"