Convert to GitHub Actions

.dockerignore

@@ -3,7 +3,7 @@
 
 # Whitelist required files
 !.env.encrypted
-!codeship/*
+!scripts/*
 !lambda/*
 !server/*
 !u2fsimulator/*

.github/workflows/test-deploy-publish.yml

@@ -0,0 +1,69 @@
+name: Test, Deploy, Publish
+
+on:
+  push:
+
+jobs:
+  tests:
+    name: Tests
+    runs-on: ubuntu-latest
+    env:
+      AWS_REGION: ${{ vars.AWS_REGION }}
+      STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }}
+      STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+      PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }}
+      PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Test
+        run: docker-compose -f actions-services.yml run --rm test ./scripts/test.sh
+
+  deploy:
+    name: Deploy to AWS Lambda
+    needs: tests
+    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop'
+    runs-on: ubuntu-latest
+    env:
+      AWS_REGION: ${{ vars.AWS_REGION }}
+      STG_AWS_ACCESS_KEY_ID: ${{ vars.STG_AWS_ACCESS_KEY_ID }}
+      STG_AWS_SECRET_ACCESS_KEY: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+      STG_LAMBDA_ROLE: ${{ vars.STG_LAMBDA_ROLE }}
+      STG_API_KEY_TABLE: ${{ vars.STG_API_KEY_TABLE }}
+      STG_WEBAUTHN_TABLE: ${{ vars.STG_WEBAUTHN_TABLE }}
+      PRD_AWS_ACCESS_KEY_ID: ${{ vars.PRD_AWS_ACCESS_KEY_ID }}
+      PRD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRD_AWS_SECRET_ACCESS_KEY }}
+      PRD_LAMBDA_ROLE: ${{ vars.PRD_LAMBDA_ROLE }}
+      PRD_API_KEY_TABLE: ${{ vars.PRD_API_KEY_TABLE }}
+      PRD_WEBAUTHN_TABLE: ${{ vars.PRD_WEBAUTHN_TABLE }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Deploy
+        run: docker-compose -f actions-services.yml run --rm app ./scripts/deploy.sh
+
+  build-and-publish:
+    name: Build and Publish
+    needs: tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ vars.IMAGE_NAME }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -8,10 +8,8 @@ bootstrap
 dockercfg
 
 # credentials and other env files
-aws.env
 *.aes
-local.env
-.env
+*.env
 .cert/
 
 # dev tools metadata

actions-services.yml

@@ -0,0 +1,44 @@
+version: "3"
+
+services:
+  test:
+    build: .
+    environment:
+      AWS_ENDPOINT: dynamo:8000
+      AWS_DISABLE_SSL: "true"
+      API_KEY_TABLE: ApiKey
+      WEBAUTHN_TABLE: WebAuthn
+      LAMBDA_ROLE: placeholder
+      AWS_REGION: $AWS_REGION
+      GITHUB_REF_NAME: $GITHUB_REF_NAME
+      STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID
+      STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY
+      PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID
+      PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY
+    depends_on:
+      - dynamo
+
+  app:
+    build: .
+    working_dir: /src
+    environment:
+      AWS_REGION: $AWS_REGION
+      GITHUB_REF_NAME: $GITHUB_REF_NAME
+      STG_AWS_ACCESS_KEY_ID: $STG_AWS_ACCESS_KEY_ID
+      STG_AWS_SECRET_ACCESS_KEY: $STG_AWS_SECRET_ACCESS_KEY
+      STG_LAMBDA_ROLE: $STG_LAMBDA_ROLE
+      STG_API_KEY_TABLE: $STG_API_KEY_TABLE
+      STG_WEBAUTHN_TABLE: $STG_WEBAUTHN_TABLE
+      PRD_AWS_ACCESS_KEY_ID: $PRD_AWS_ACCESS_KEY_ID
+      PRD_AWS_SECRET_ACCESS_KEY: $PRD_AWS_SECRET_ACCESS_KEY
+      PRD_LAMBDA_ROLE: $PRD_LAMBDA_ROLE
+      PRD_API_KEY_TABLE: $PRD_API_KEY_TABLE
+      PRD_WEBAUTHN_TABLE: $PRD_WEBAUTHN_TABLE
+
+  dynamo:
+    image: amazon/dynamodb-local
+    environment:
+      AWS_ACCESS_KEY_ID: abc123
+      AWS_SECRET_ACCESS_KEY: abc123
+      AWS_DEFAULT_REGION: us-east-1
+    command: "-jar DynamoDBLocal.jar -sharedDb"

codeship/deploy.sh → scripts/deploy.sh

@@ -11,7 +11,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 "$DIR"/build.sh
 
 # export appropriate env vars
-if [ "${CI_BRANCH}" == "develop" ];
+if [ "${GITHUB_REF_NAME}" == "develop" ];
 then
   STAGE="dev"
   export AWS_ACCESS_KEY_ID="${STG_AWS_ACCESS_KEY_ID}"
@@ -21,7 +21,7 @@ then
   export LAMBDA_ROLE="${STG_LAMBDA_ROLE}"
   export API_KEY_TABLE="${STG_API_KEY_TABLE}"
   export WEBAUTHN_TABLE="${STG_WEBAUTHN_TABLE}"
-elif [ "${CI_BRANCH}" == "main" ];
+elif [ "${GITHUB_REF_NAME}" == "main" ];
 then
   STAGE="production"
   export AWS_ACCESS_KEY_ID="${PRD_AWS_ACCESS_KEY_ID}"
@@ -32,7 +32,7 @@ then
   export API_KEY_TABLE="${PRD_API_KEY_TABLE}"
   export WEBAUTHN_TABLE="${PRD_WEBAUTHN_TABLE}"
 else
-    echo "deployments only happen from develop and main branches (branch: ${CI_BRANCH})"
+    echo "deployments only happen from develop and main branches (branch: ${GITHUB_REF_NAME})"
     exit 1
 fi
 

codeship/test.sh → scripts/test.sh

@@ -7,7 +7,7 @@ set -e
 set -x
 
 # export appropriate AWS credentials for `serverless info`
-if [ "${CI_BRANCH}" == "main" ];
+if [ "${GITHUB_REF_NAME}" == "main" ];
 then
   STAGE="production"
   export AWS_ACCESS_KEY_ID="${PRD_AWS_ACCESS_KEY_ID}"