Add input for git tag to deployment pipelines

bogsi17 · bogsi17 · commit 8fbea696499c · 2025-04-14T17:01:33.000+01:00
* We want to restrict the IAM role used by the Github workflows such that it can only be assumed from the main and release branches.
* This causes the problem that deployment workflows run from tags could not assume the role anymore
* To mitigate this issue, this PR allows to specify the git tag that shall be deployed in a dedicated field. While the workflow can be run from main or release, this still allows to deploy a specific git tag. If no value is set, it defaults to the regular behaviour.
diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml
@@ -3,9 +3,13 @@ name: Build and push image
 on:
   workflow_dispatch:
   workflow_call:
+    inputs:
+      git-sha:
+        description: The git commit sha to build the image from.
+        type: string
 
 concurrency:
-  group: build-and-push-image-${{ github.sha }}
+  group: build-and-push-image-${{ inputs.git-sha || github.sha }}
 
 jobs:
   check-image-presence:
@@ -23,7 +27,7 @@ jobs:
           aws-region: eu-west-2
       - name: Check if dev image exists
         run: |
-          if aws ecr describe-images --repository-name mavis/webapp --image-ids imageTag=${{ github.sha }} > /dev/null 2>&1; then
+          if aws ecr describe-images --repository-name mavis/webapp --image-ids imageTag=${{ inputs.git-sha || github.sha }} > /dev/null 2>&1; then
             echo "Dev image with given tag already exists"
           else
             echo "Dev image does not exist. Build needed"
@@ -37,7 +41,7 @@ jobs:
       - name: Check if production image exists
         id: check-image
         run: |
-          if [ -e $BUILD_NEEDED ] && aws ecr describe-images --repository-name mavis/webapp --image-ids imageTag=${{ github.sha }} > /dev/null 2>&1; then
+          if [ -e $BUILD_NEEDED ] && aws ecr describe-images --repository-name mavis/webapp --image-ids imageTag=${{ inputs.git-sha || github.sha }} > /dev/null 2>&1; then
             echo "Production and dev images with given tag already exist. No build needed"
           else
             echo "At least one image does not exist. Build needed"
diff --git a/.github/workflows/deploy-application.yml b/.github/workflows/deploy-application.yml
@@ -59,6 +59,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.image_tag || github.sha }}
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
diff --git a/.github/workflows/deploy-infrastructure.yml b/.github/workflows/deploy-infrastructure.yml
@@ -4,6 +4,9 @@ run-name: Deploy infrastructure for ${{ inputs.environment }}
 on:
   workflow_dispatch:
     inputs:
+      git-sha:
+        description: The git commit sha of the commit to deploy.
+        type: string
       environment:
         description: Deployment environment
         required: true
@@ -22,6 +25,9 @@ on:
         type: string
   workflow_call:
     inputs:
+      git-sha:
+        description: The git commit sha of the commit to deploy.
+        type: string
       environment:
         description: Deployment environment
         required: true
@@ -48,6 +54,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.git_sha || github.sha }}
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -36,19 +36,41 @@ on:
           - web
           - good-job
         default: all
+      git_tag:
+        description: Git tag to deploy
+        required: false
+        type: string
 
 jobs:
+  determine-git-sha:
+    runs-on: ubuntu-latest
+    outputs:
+      git-sha: ${{ steps.get-git-sha.outputs.git-sha }}
+    steps:
+        - name: Get git sha
+          id: get-git-sha
+          run: |
+            if [ -z "${{ inputs.git_tag }}" ]; then
+                echo "No git tag provided. Using the latest commit sha"
+                echo "git-sha=${{ github.sha }}" >> $GITHUB_OUTPUT
+            else
+                echo "Git tag provided. Using the sha of the tagged commit"
+                echo "git-sha=$(git rev-parse ${{ inputs.git_tag }})" >> $GITHUB_OUTPUT
+            fi
   build-and-push-image:
     uses: ./.github/workflows/build-and-push-image.yml
+    with:
+      git-sha: ${{ determine-git-sha.outputs.git-sha || github.sha }}
   deploy-infrastructure:
     needs: build-and-push-image
     uses: ./.github/workflows/deploy-infrastructure.yml
     with:
       environment: ${{ inputs.environment }}
+      git-sha: ${{ determine-git-sha.outputs.git-sha || github.sha }}
   deploy-application:
     needs: deploy-infrastructure
     uses: ./.github/workflows/deploy-application.yml
     with:
       environment: ${{ inputs.environment }}
-      image_tag: ${{ github.sha }}
+      image_tag: ${{ determine-git-sha.outputs.git-sha || github.sha }}
       server_types: ${{ inputs.server_types }}
