112 lines
3.7 KiB
YAML
112 lines
3.7 KiB
YAML
name: Reconcile
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
paths:
|
|
- "state/*.json"
|
|
|
|
jobs:
|
|
detect:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
envs: ${{ steps.changed.outputs.envs }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 2
|
|
|
|
- name: Detect changed environments
|
|
id: changed
|
|
run: |
|
|
FILES=$(git diff --name-only HEAD~1 HEAD -- 'state/*.json')
|
|
ENVS=$(python3 -c "
|
|
import os, json
|
|
files = '''$FILES'''.strip().split('\n')
|
|
envs = [os.path.basename(f).replace('.json','') for f in files if f.strip()]
|
|
print(json.dumps(envs))
|
|
")
|
|
echo "envs=$ENVS" >> "$GITHUB_OUTPUT"
|
|
echo "Changed environments: $ENVS"
|
|
|
|
reconcile:
|
|
needs: detect
|
|
runs-on: ubuntu-latest
|
|
if: needs.detect.outputs.envs != '[]'
|
|
strategy:
|
|
matrix:
|
|
env: ${{ fromJson(needs.detect.outputs.envs) }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Resolve environment secrets
|
|
id: env
|
|
run: |
|
|
ENV_UPPER=$(echo "${{ matrix.env }}" | tr '[:lower:]-' '[:upper:]_')
|
|
echo "token_key=${ENV_UPPER}_RECONCILER_TOKEN" >> "$GITHUB_OUTPUT"
|
|
echo "url_key=${ENV_UPPER}_RECONCILER_URL" >> "$GITHUB_OUTPUT"
|
|
echo "age_key=${ENV_UPPER}_AGE_PUBLIC_KEY" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Sync events
|
|
env:
|
|
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }}
|
|
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
|
|
run: |
|
|
if [ -z "$RECONCILER_URL" ] || [ -z "$RECONCILER_TOKEN" ]; then
|
|
echo "No secrets configured for environment '${{ matrix.env }}' — skipping"
|
|
exit 0
|
|
fi
|
|
curl -sf \
|
|
-X POST \
|
|
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
|
|
"${RECONCILER_URL}/sync-events"
|
|
|
|
- name: Pull latest (poller may have committed)
|
|
run: git pull --rebase
|
|
|
|
- name: Apply reconcile
|
|
id: reconcile
|
|
env:
|
|
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }}
|
|
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
|
|
run: |
|
|
RESPONSE=$(curl -sf \
|
|
-X POST \
|
|
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
|
|
-H "Content-Type: application/json" \
|
|
-d @state/${{ matrix.env }}.json \
|
|
"${RECONCILER_URL}/reconcile")
|
|
echo "response<<EOF" >> "$GITHUB_OUTPUT"
|
|
echo "$RESPONSE" >> "$GITHUB_OUTPUT"
|
|
echo "EOF" >> "$GITHUB_OUTPUT"
|
|
|
|
STATUS=$(python3 -c "import json,sys; print(json.loads(sys.stdin.read()).get('status','ok'))" <<< "$RESPONSE")
|
|
if [ "$STATUS" = "error" ]; then
|
|
echo "Reconcile failed for ${{ matrix.env }}"
|
|
python3 -m json.tool <<< "$RESPONSE"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Encrypt and upload setup keys
|
|
if: success()
|
|
env:
|
|
AGE_PUBLIC_KEY: ${{ secrets[steps.env.outputs.age_key] }}
|
|
RESPONSE: ${{ steps.reconcile.outputs.response }}
|
|
run: |
|
|
KEYS=$(python3 -c "import json,os; d=json.loads(os.environ['RESPONSE']); k=d.get('created_keys'); print(json.dumps(k) if k and k != {} else '')")
|
|
if [ -n "$KEYS" ] && [ -n "$AGE_PUBLIC_KEY" ]; then
|
|
echo "$KEYS" | age -r "$AGE_PUBLIC_KEY" -o setup-keys-${{ matrix.env }}.age
|
|
echo "Setup keys for ${{ matrix.env }} encrypted"
|
|
else
|
|
echo "No new keys created for ${{ matrix.env }}"
|
|
fi
|
|
|
|
- name: Upload artifact
|
|
if: success()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: setup-keys-${{ matrix.env }}
|
|
path: setup-keys-${{ matrix.env }}.age
|
|
if-no-files-found: ignore
|