.github/workflows/cicd.yaml

name: build and publish to aws development

on:
  push:
    branches:
      - main

env:
  repo_name: 'vision-agent'
  aws_account_id: '970073041993'
  aws_region: 'us-east-2'
  cluster_name: 'llens-app-dev'
  namespace: 'datamanagement'

jobs:
  build:
    runs-on: ubuntu-latest
    environment: aws-development

    permissions:
      id-token: write
      contents: read

    outputs:
      image_tag: ${{ steps.sha_short.outputs.image_tag }}

    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ env.aws_account_id }}:role/github-actions-role
          aws-region: ${{ env.aws_region }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registries: ${{ env.aws_account_id }}
          mask-password: 'true' # see: https://github.com/aws-actions/amazon-ecr-login#docker-credentials

      - name: Set short sha
        id: sha_short
        run: |
          echo "image_tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

      - uses: docker/setup-buildx-action@v3
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.repo_name }}:${{ steps.sha_short.outputs.image_tag }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: false
          secrets: |
            AUTH_SECRET=${{ vars.AUTH_SECRET }}
            OPENAI_API_KEY=${{ vars.OPENAI_API_KEY }}

  db_migration:
    needs: build
    runs-on: ubuntu-latest
    environment: aws-development

    permissions:
      id-token: write
      contents: read

    steps:
      - uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install pnpm
        run: npm install -g pnpm@9.1.1

      - name: Install dependencies
        run: pnpm install

      - name: prisma migrate deploy
        env:
          POSTGRES_PRISMA_URL: ${{ vars.DB_MIGRATION_URL }}
          POSTGRES_URL_NON_POOLING: ${{ vars.DB_MIGRATION_URL }}
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.BASTION_SSH_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -H 3.142.222.176 >> ~/.ssh/known_hosts
          ssh -o StrictHostKeyChecking=no -fN -v -L localhost:5432:platform.db.app.dev.landing.ai:5432 ubuntu@ec2-3-142-222-176.us-east-2.compute.amazonaws.com
          pnpm prisma migrate deploy

  deploy_to_aws_development:
    needs: [build, db_migration]

    runs-on: ubuntu-latest
    environment: aws-development

    permissions:
      id-token: write
      contents: write

    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ env.aws_account_id }}:role/github-actions-role
          aws-region: ${{ env.aws_region }}

      - name: kubeconfig
        run: |
          aws sts get-caller-identity
          aws eks update-kubeconfig --name ${{ env.cluster_name }} --region ${{ env.aws_region }}

      - name: install helm
        run: |
          curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

      - name: helm upgrade --install
        env:
          IMAGE_TAG: ${{ needs.build.outputs.image_tag }}
        run: |
          helm upgrade --install --wait -n ${{ env.namespace }} ${{ env.repo_name }} -f chart/${{ vars.VALUES_FILE }} ./chart \
            --set image.tag=$IMAGE_TAG \
            --set env.AWS_BUCKET_NAME=${{ vars.AWS_BUCKET_NAME }} \
            --set env.AWS_REGION=${{ vars.AWS_REGION }} \
            --set env.NEXTAUTH_URL=${{ vars.NEXTAUTH_URL }} \
            --set env.AUTH_GITHUB_ID=${{ vars.AUTH_GITHUB_ID }} \
            --set env.AUTH_GITHUB_SECRET=${{ vars.AUTH_GITHUB_SECRET }} \
            --set env.AUTH_SECRET=${{ vars.AUTH_SECRET }} \
            --set env.AUTH_TRUST_HOST=${{ vars.AUTH_TRUST_HOST }} \
            --set env.AWS_ACCESS_KEY_ID=${{ vars.AWS_ACCESS_KEY_ID }} \
            --set env.AWS_SECRET_ACCESS_KEY=${{ vars.AWS_SECRET_ACCESS_KEY }} \
            --set env.GOOGLE_CLIENT_ID=${{ vars.GOOGLE_CLIENT_ID }} \
            --set env.GOOGLE_SECRET=${{ vars.GOOGLE_SECRET }} \
            --set env.LOKI_AUTH_USER_PASSWORD=${{ vars.LOKI_AUTH_USER_PASSWORD }} \
            --set env.OPENAI_API_KEY=${{ vars.OPENAI_API_KEY }} \
            --set env.POSTGRES_PRISMA_URL=${{ vars.POSTGRES_PRISMA_URL }} \
            --set env.AGENT_HOST=${{ vars.AGENT_HOST }}