👷 Deploy Pulumi using GitHub environments (#396)

fastapi · Oct 4, 2024 · c34b954 · c34b954
1 parent 43cbc3c
commit c34b954
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 19 deletions.
diff --git a/.github/workflows/pulumi-deploy.yml b/.github/workflows/pulumi-deploy.yml
@@ -1,8 +1,9 @@
 name: Pulumi Deploy
 on:
-  push:
-    branches:
-      - master
+  # TODO: re-enable automatic deployments on staging
+  # push:
+  #   branches:
+  #     - master
   release:
     types:
       - created
@@ -17,31 +18,22 @@ jobs:
   pulumi-deploy:
     name: Pulumi Deploy
     runs-on: ubuntu-latest
+    environment: ${{ github.event_name == 'release' && 'production' || 'staging' }}
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
         with:
           python-version: '3.10'
       - name: Configure AWS Credentials for Staging
-        if: github.event_name == 'push'
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_STAGING }}
-          aws-region: ${{ secrets.AWS_REGION_STAGING }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGING }}
-      - name: Configure AWS Credentials for Production
-        if: github.event_name == 'release'
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_PRODUCTION }}
-          aws-region: ${{ secrets.AWS_REGION_PRODUCTION }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PRODUCTION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       - run: pip install -r requirements.txt
         working-directory: infra
       - uses: pulumi/actions@v6
         id: pulumi
-        # staging manually, production on release
-        if: github.event_name == 'release'
         with:
           command: up
           # stack-name: org-name/stack-name # When using an individual account, only use stack-name.

diff --git a/.github/workflows/pulumi-preview.yml b/.github/workflows/pulumi-preview.yml
@@ -8,6 +8,7 @@ on:
 jobs:
   pulumi-preview:
     if: ( github.event_name != 'pull_request' || github.secret_source == 'Actions' )
+    environment: staging
     name: Pulumi Preview
     runs-on: ubuntu-latest
     steps:
@@ -18,9 +19,9 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_STAGING }}
-          aws-region: ${{ secrets.AWS_REGION_STAGING }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGING }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-region: ${{ vars.AWS_REGION }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       - run: pip install -r requirements.txt
         working-directory: infra
       - uses: pulumi/actions@v6