ci: add app CI workflows

.github/actions/get-app-version/action.yaml

@@ -0,0 +1,39 @@
+name: Get app version
+
+inputs:
+  project-path:
+    description: The root path of the app project
+    required: true
+  ref:
+    description: The commit reference to use as a starting point for the version
+    required: true
+    default: "HEAD"
+
+outputs:
+  version:
+    description: The app version
+    value: ${{ steps.get-version.outputs.version }}
+
+runs:
+  using: "composite"
+  steps:
+    - id: get-version
+      shell: bash
+      run: |
+        LATEST_APP_COMMIT=$(git rev-list -1 --abbrev-commit ${{ inputs.ref }} -- ${{ inputs.project-path }})
+
+        COMMIT_RELEASE_VERSION=$(git describe --tags --abbrev=0 $LATEST_APP_COMMIT 2>/dev/null) || true
+
+        LATEST_RELEASE=$(git describe --tags --abbrev=0 ${{ inputs.reference }} 2>/dev/null) || true
+
+        if [[ $COMMIT_RELEASE_VERSION == $LATEST_RELEASE ]]; then
+          TAG=$(git describe --tags --exact-match $LATEST_APP_COMMIT 2>/dev/null) || true
+
+          if [[ -n $TAG ]]; then
+            echo "version=release/$TAG" >> $GITHUB_OUTPUT
+          else
+            echo "version=$LATEST_APP_COMMIT" >> $GITHUB_OUTPUT
+          fi
+        else
+          echo "version=release/$LATEST_RELEASE" >> $GITHUB_OUTPUT
+        fi

.github/workflows/ci.yaml

@@ -11,11 +11,54 @@ jobs:
     name: Orchestrator
     runs-on: ubuntu-latest
     outputs:
+      should-build-app: ${{ steps.changed-api-files.outputs.any_changed == 'true' || steps.changed-selfserve-files.outputs.any_changed == 'true' || steps.changed-internal-files.outputs.any_changed == 'true' || null }}
+      should-build-docker: ${{ steps.changed-api-docker-files.outputs.any_changed == 'true' || steps.changed-selfserve-docker-files.outputs.any_changed == 'true' || steps.changed-internal-docker-files.outputs.any_changed == 'true' || null }}
+      should-build-api: ${{ steps.changed-api-files.outputs.any_changed == 'true' || null }}
+      should-build-selfserve: ${{ steps.changed-selfserve-files.outputs.any_changed == 'true' || null }}
+      should-build-internal: ${{ steps.changed-internal-files.outputs.any_changed == 'true' || null }}
+      should-build-api-docker: ${{ steps.changed-api-docker-files.outputs.any_changed == 'true' || steps.changed-api-files.outputs.any_changed == 'true' || null }}
+      should-build-selfserve-docker: ${{ steps.changed-selfserve-docker-files.outputs.any_changed == 'true' || steps.changed-selfserve-files.outputs.any_changed == 'true' || null }}
+      should-build-internal-docker: ${{ steps.changed-internal-docker-files.outputs.any_changed == 'true' || steps.changed-internal-files.outputs.any_changed == 'true' || null }}
       should-build-docs: ${{ steps.changed-website-files.outputs.any_changed == 'true' || null }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - uses: tj-actions/changed-files@v42
+        id: changed-api-files
+        with:
+          files: |
+            app/api/**
+          # since_last_remote_commit: true
+      - uses: tj-actions/changed-files@v42
+        id: changed-selfserve-files
+        with:
+          files: |
+            app/selfserve/**
+          # since_last_remote_commit: true
+      - uses: tj-actions/changed-files@v42
+        id: changed-internal-files
+        with:
+          files: |
+            app/internal/**
+      - uses: tj-actions/changed-files@v42
+        id: changed-api-docker-files
+        with:
+          files: |
+            infra/docker/api/**
+          # since_last_remote_commit: true
+      - uses: tj-actions/changed-files@v42
+        id: changed-selfserve-docker-files
+        with:
+          files: |
+            infra/docker/selfserve/**
+          # since_last_remote_commit: true
+      - uses: tj-actions/changed-files@v42
+        id: changed-internal-docker-files
+        with:
+          files: |
+            infra/docker/internal/**
+          # since_last_remote_commit: true
       - uses: tj-actions/changed-files@v42
         id: changed-website-files
         with:
@@ -34,3 +77,93 @@ jobs:
       deploy: false
     permissions:
       contents: write
+
+  get-app-versions:
+    name: Get latest app version
+    needs:
+      - orchestrator
+    runs-on: ubuntu-latest
+    outputs:
+      api: ${{ steps.api-version.outputs.version }}
+      selfserve: ${{ steps.selfserve-version.outputs.version }}
+      internal: ${{ steps.internal-version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+      - id: api-version
+        uses: ./.github/actions/get-app-version
+        with:
+          project-path: app/api
+      - id: selfserve-version
+        uses: ./.github/actions/get-app-version
+        with:
+          project-path: app/selfserve
+      - id: internal-version
+        uses: ./.github/actions/get-app-version
+        with:
+          project-path: app/internal
+      - name: Add to summary
+        run: |
+          echo "#### App versions:" >> $GITHUB_STEP_SUMMARY
+          echo "**API**: \`${{ steps.api-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Selfserve**: \`${{ steps.selfserve-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Internal**: \`${{ steps.internal-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+
+  app:
+    name: App
+    concurrency:
+      group: app-${{ matrix.project }}-${{ needs.get-app-versions.outputs[matrix.project] }}
+    needs:
+      - orchestrator
+      - get-app-versions
+    if: ${{ needs.orchestrator.outputs.should-build-app || needs.orchestrator.outputs.should-build-docker }}
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - api
+          - selfserve
+          - internal
+        exclude:
+          - project: ${{ (needs.orchestrator.outputs.should-build-api || needs.orchestrator.outputs.should-build-api-docker) && 'ignored' || 'api' }}
+          - project: ${{ (needs.orchestrator.outputs.should-build-selfserve || needs.orchestrator.outputs.should-build-selfserve-docker) && 'ignored' || 'selfserve' }}
+          - project: ${{ (needs.orchestrator.outputs.should-build-internal || needs.orchestrator.outputs.should-build-internal-docker) && 'ignored' || 'internal' }}
+    uses: ./.github/workflows/php.yaml
+    with:
+      project: ${{ matrix.project }}
+      should-upload-artefact: ${{ !!needs.orchestrator.outputs[format('should-build-{0}-docker', matrix.project)] }}
+      artefact-name: app-${{ matrix.project}}-${{ needs.get-app-versions.outputs[matrix.project] }}
+      retention-days: 1
+    permissions:
+      contents: read
+
+  docker:
+    name: Docker
+    concurrency:
+      group: docker-${{ matrix.project }}-${{ needs.get-app-versions.outputs[matrix.project] }}
+    needs:
+      - orchestrator
+      - get-app-versions
+      - app
+    if: ${{ always() && !cancelled() && !failure() && needs.orchestrator.outputs.should-build-docker }}
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - api
+          - selfserve
+          - internal
+        exclude:
+          - project: ${{ needs.orchestrator.outputs.should-build-api-docker && 'ignored' || 'api' }}
+          - project: ${{ needs.orchestrator.outputs.should-build-selfserve-docker && 'ignored' || 'selfserve' }}
+          - project: ${{ needs.orchestrator.outputs.should-build-internal-docker && 'ignored' || 'internal' }}
+    uses: ./.github/workflows/docker.yaml
+    with:
+      project: ${{ matrix.project }}
+      app-artefact-name: app-${{ matrix.project}}-${{ needs.get-app-versions.outputs[matrix.project] }}
+      should-upload-artefact-to-ecr: false
+    permissions:
+      contents: read
+      id-token: write

.github/workflows/docker.yaml

@@ -0,0 +1,67 @@
+name: Docker
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        required: false
+      project:
+        type: string
+        required: true
+      should-upload-artefact-to-ecr:
+        type: boolean
+        required: true
+        default: false
+      app-artefact-name:
+        type: string
+        required: true
+
+jobs:
+  check-ecr:
+    name: Check ECR
+    if: ${{ inputs.should-upload-artefact-to-ecr }}
+    runs-on: ubuntu-latest
+    outputs:
+      image-exists: ${{ steps.check-ecr.outputs.exists }}
+    env:
+      PROJECT: ${{ inputs.project }}
+      OBJECT_PREFIX: ${{ inputs.app-artefact-name }}
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.TF_OIDC_ROLE }}
+          aws-region: ${{ vars.TF_AWS_REGION }}
+      - name: Check if image already exists in ECR
+        id: check-ecr
+        # Check if the image already exists in ECR, so we don't have to build it again.
+        run: exit 0
+
+  lint:
+    name: Lint
+    needs:
+      - check-ecr
+    runs-on: ubuntu-latest
+    if: ${{ always() && (needs.check-ecr.result == 'skipped' || !needs.check-ecr.outputs.image-exists) }}
+    steps:
+      - name: Lint
+        run: exit 0
+
+  build:
+    name: Build
+    needs:
+      - check-ecr
+    runs-on: ubuntu-latest
+    if: ${{ always() && (needs.check-ecr.result == 'skipped' || !needs.check-ecr.outputs.image-exists) }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref || null }}
+          path: infra/docker/${{ inputs.project }}
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.app-artefact-name }}
+          path: app/${{ inputs.project }}
+      - name: Build
+        run: exit 0