Update nginx.org-make-aws.yml

Author: eepifanova

.github/workflows/nginx.org-make-aws.yml

@@ -19,12 +19,20 @@ on:
       url_prod:
         required: false
         type: string
-        default: nginx.org/preview
+        default: nginx.org
       url_staging:
         required: false
         type: string
-        default: nginx.org/previews
-
+        default: staging.nginx.org
+      s3_bucket:
+        required: false
+        type: string
+        default: nginx-org-staging
+      aws_region:
+        required: false
+        type: string
+        default: eu-central-1
+  
 permissions:
   contents: read
   id-token: write
@@ -34,11 +42,12 @@ defaults:
     shell: 'bash -Eeo pipefail -x {0}'
 
 jobs:
-  build:
-    name: build
+  build-staging:
+    name: build-staging
     runs-on: ubuntu-latest
-    env:
-      AWS_REGION: eu-central-1
+    if: ${{ inputs.deployment_env == 'staging' }}
+    environment:
+      name: staging
 
     steps:
       - name: Install dependencies
@@ -49,56 +58,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Check prod access
-        if: ${{ inputs.deployment_env == 'prod' }}
-        run: |
-          if [ "$GITHUB_REF" != "refs/heads/main" ]; then
-            echo "Error: Production deployments are only allowed from the main branch."
-            exit 1
-          fi
-
-          if [ "$GITHUB_REPOSITORY_OWNER" != "nginx" ] && [ "$GITHUB_REPOSITORY_OWNER" != "nginxinc" ]; then
-            echo "Error: This workflow is only allowed in repositories owned by 'nginx' or 'nginxinc'."
-            exit 1
-          fi
-
-          ALLOWED="${{ secrets.ALLOWED_USERS }}"
-          for user in $ALLOWED; do
-            if [ "$GITHUB_ACTOR" == "$user" ]; then
-              echo "User $GITHUB_ACTOR is allowed to deploy to prod"
-              exit 0
-            fi
-          done
-
-          echo "User $GITHUB_ACTOR is NOT allowed to deploy to prod"
-          exit 1
-
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.deployment_env == 'prod' && secrets.AWS_ROLE_NAME_PROD || secrets.AWS_ROLE_NAME_STAGING }}
-          aws-region: ${{ env.AWS_REGION }}
-
-      - name: Determine S3 path
-        id: s3path
-        run: |
-          SAFE_REPO="${GITHUB_REPOSITORY//\//-}"
-          if [[ "${{ inputs.deployment_env }}" == "prod" ]]; then
-            BUCKET="nginx-org-prod"
-            PATH_PART="preview"
-            PUBLIC_URL="${{ inputs.url_prod }}"
-          else
-            BUCKET="nginx-org-staging"
-            PATH_PART="previews/${GITHUB_SHA}"
-            PUBLIC_URL="${{ inputs.url_staging }}/${GITHUB_SHA}/"
-          fi
-          echo "bucket=$BUCKET" >> $GITHUB_OUTPUT
-          echo "path=$PATH_PART" >> $GITHUB_OUTPUT
-          echo "s3_uri=s3://$BUCKET/$SAFE_REPO/$PATH_PART/" >> $GITHUB_OUTPUT
-          echo "public_url=$PUBLIC_URL" >> $GITHUB_OUTPUT
-          echo "safe_repo=$SAFE_REPO" >> $GITHUB_OUTPUT
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME_STAGING }}
+          aws-region: ${{ inputs.aws_region }}
 
-      - name: Build site
+      - name: Build
+        if: ${{ inputs.deployment_env == 'staging' }}
         run: |
           set -e
           make all
@@ -113,40 +80,98 @@ jobs:
             echo "Error: Build did not create www/ directory"
             exit 1
           fi
-          
+
       - name: Add deployment metadata
+        if: ${{ inputs.deployment_env == 'staging' }}
         run: |
           TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
           mkdir -p meta
           echo "$GITHUB_SHA deployed at $TIMESTAMP" > meta/.deployed.txt
-          {
-            echo "sha=$GITHUB_SHA"
-            echo "repo=$GITHUB_REPOSITORY"
-            echo "actor=$GITHUB_ACTOR"
-            echo "timestamp=$TIMESTAMP"
-          } > meta/.tags.txt
+          echo "actor=$GITHUB_ACTOR repo=$GITHUB_REPOSITORY" >> meta/.deployed.txt
           cp meta/.deployed.txt www/
-          cp meta/.tags.txt www/
-      
+
       - name: Sync www/ to S3
         run: |
-          aws s3 sync www/ s3://${{ steps.s3path.outputs.bucket }}/${{ steps.s3path.outputs.safe_repo }}/${{ steps.s3path.outputs.path }}/ --delete --exact-timestamps
+          aws s3 sync \
+          www/ \
+          s3://${{ inputs.s3_bucket }}/${{ github.repository.replace('/', '-') }}/staging/${GITHUB_SHA}/ \
+          --delete --exact-timestamps
 
-      - name: Show uploaded files
+      - name: Deployment summary
         run: |
-          aws s3 ls s3://${{ steps.s3path.outputs.bucket }}/${{ steps.s3path.outputs.safe_repo }}/${{ steps.s3path.outputs.path }}/ --recursive
+          {
+            echo "### Deployment staging to ${{ inputs.url_staging }}/${{ github.repository.replace('/', '-') }}/${GITHUB_SHA}"
+            echo "### It should be accessible in 5 minutes"
+          } >> $GITHUB_STEP_SUMMARY
+          
+  build-prod:
+    name: build-prod
+    runs-on: ubuntu-latest
+    if: ${{ inputs.deployment_env == 'prod' }}
+    environment:
+      name: prod
+
+    steps:
+    
+      - name: Check prod access
+        if: ${{ inputs.deployment_env == 'prod' }}
+        run: |
+          if [ "$GITHUB_REF" != "refs/heads/main" ]; then
+            echo "Error: Production deployments are only allowed from the main branch."
+            exit 1
+          fi
 
+          if [ "$GITHUB_REPOSITORY_OWNER" != "nginx" ] && [ "$GITHUB_REPOSITORY_OWNER" != "nginxinc" ]; then
+            echo "Error: This workflow is only allowed in repositories owned by 'nginx' or 'nginxinc'."
+            exit 1
+          fi
+
+          allowed=false
+          USER_LIST="${{ secrets.ALLOWED_USERS }}"
+          for user in $USER_LIST; do
+            if [ "$GITHUB_ACTOR" == "$user" ]; then
+              echo "User $GITHUB_ACTOR is allowed to deploy to prod"
+              allowed=true
+              break
+            fi
+          done
+
+          if [ "$allowed" != true ]; then
+            echo "User $GITHUB_ACTOR is NOT allowed to deploy to prod"
+            exit 1
+          fi
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME_STAGING }}
+          aws-region: ${{ inputs.aws_region }}
+        
+      
+      - name: Sync www/ to S3
+        run: |
+          aws s3 sync \
+          s3://${{ inputs.s3_bucket }}/${{ github.repository.replace('/', '-') }}/staging/${GITHUB_SHA}/ \
+          s3://${{ inputs.s3_bucket }}/${{ github.repository.replace('/', '-') }}/prod/ \
+          --delete --exact-timestamps
+
+      - name: Check prod deployment
+        run: |
+          DEPLOYED_URL="${{ inputs.url_staging }}/${{ github.repository.replace('/', '-') }}/${GITHUB_SHA}/.deployed.txt"
+          for i in {1..10}; do
+            DEPLOYED_SHA=$(curl -fsSL "$DEPLOYED_URL" 2>/dev/null | awk '{ print $1 }' || echo "")
+            if [ "$DEPLOYED_SHA" = "$GITHUB_SHA" ]; then
+              exit 0
+            else
+              sleep 60
+            fi
+          done
+          
+          echo "Error: wrong SHA while requesting $DEPLOYED_URL"
+          exit 1
+      
       - name: Deployment summary
         run: |
           {
-            echo "### Deployment Summary"
-            echo ""
-            echo "| Key             | Value |"
-            echo "|------------------|-------|"
-            echo "| deployment_env  | ${{ inputs.deployment_env }} |"
-            echo "| repository      | $GITHUB_REPOSITORY |"
-            echo "| actor           | $GITHUB_ACTOR |"
-            echo "| commit          | $GITHUB_SHA |"
-            echo "| S3 path         | ${{ steps.s3path.outputs.s3_uri }} |"
-            echo "| Public URL      | ${{ steps.s3path.outputs.public_url }} |"
+            echo "### prod is deployed by $GITHUB_ACTOR from $GITHUB_REPOSITORY/$GITHUB_SHA"
           } >> $GITHUB_STEP_SUMMARY