-
Notifications
You must be signed in to change notification settings - Fork 7
53 lines (45 loc) · 1.56 KB
/
cd.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
name: CD
on:
push:
branches: [main]
workflow_dispatch:
concurrency:
group: "merge-${{ github.ref }}"
permissions:
id-token: write
contents: read
jobs:
sst:
name: SST
runs-on: ubuntu-latest
# This is required to workaround the lack of wildcard for OIDC scope
# https://github.com/Azure/azure-workload-identity/issues/373
#
# I swear to god Microsoft have never tried anything they have built.
environment: production
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: "arn:aws:iam::101829795063:role/mattrax-gh-actions"
aws-region: us-east-1
role-session-name: mattrax-sst-workflow
- uses: pnpm/action-setup@v4
with:
version: latest
- name: Install SST
run: curl -fsSL https://ion.sst.dev/install | bash
- run: pnpm i
- run: cd infra && sst deploy --stage brendonovich
env:
ARM_USE_OIDC: true
ARM_CLIENT_ID: 8aaf4dbe-001d-4003-9572-8dd6ab658c53
ARM_TENANT_ID: 3509b545-2799-4c5c-a0d2-f822ddbd416c
AZURE_SUBSCRIPTION_ID: 3509b545-2799-4c5c-a0d2-f822ddbd416c
CLOUDFLARE_DEFAULT_ACCOUNT_ID: f02b3ef168fe64129e9941b4fb2e4dc1
CLOUDFLARE_EMAIL: [email protected]
CLOUDFLARE_API_KEY: ${{ secrets.CLOUDFLARE_API_KEY }}
OAUTH_CLIENT_ID: kXdvzkEgiN11CNTRL
OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_SECRET }}