action.yaml

name: 'guardian/actions-static-site'
description: 'Deploy a Guardian static site.'
inputs:
  app:
    description: 'App name (pattern: [a-zA-Z-]+).'
    required: true
  domain:
    description: A Guardian-owned domain. [name].gutools.co.uk is recommended.
    required: true
  artifact:
    description: 'Name of artifact containing the static site. Should be uploaded in an earlier workflow step.'
    required: false
    default: 'artifact'
  guActionsRiffRaffRoleArn:
    description: "Role to use for writing to Riffraff's AWS bucket (typically org secret of same name)."
    required: true
  dryRun:
    description: 'If set to true, will not upload Riffraff artifact.'
    default: false
runs:
  # Note composite steps do not have direct access to secrets, or inputs (via
  # env) so need to be passed them explicitly :(. Sad times I know.
  using: 'composite'
  steps:
    - name: CDK synth
      shell: bash
      run: |
        cd ${{github.action_path}}
        ls -hal
        node index.js
      env:
        INPUT_APP: ${{ inputs.app }}
        INPUT_DOMAIN: ${{ inputs.domain }}
        INPUT_ARTIFACT: ${{ inputs.artifact }}
        INPUT_DRYRUN: ${{ inputs.dryRun}}
        INPUT_ACTIONS_RUNTIME_TOKEN: ${ github.token }

    - uses: actions/download-artifact@v3
      with:
        name: ${{ inputs.artifact }}
        path: site

    - name: Display structure of downloaded files
      shell: bash
      run: ls -R
      working-directory: site

    - uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-region: eu-west-1
        role-to-assume: ${{ inputs.guActionsRiffRaffRoleArn }}

    - uses: guardian/actions-riff-raff@v2
      with:
        app: ${{ inputs.app }}
        dryRun: ${{ inputs.dryRun }}
        contentDirectories: |
          cfn: [${{github.action_path}}/cfn.json]
          static-site-assets: [site]
        config: |
          stacks:
            - deploy
          regions:
            - eu-west-1
          allowedStages:
            - PROD
          deployments:
            cfn:
              type: cloud-formation
              app: ${{ inputs.app }}
              parameters:
                templatePath: cfn.json
            static-site-assets:
              type: aws-s3
              app: ${{ inputs.domain }} # A hack to prefix uploads with the domain.
              parameters:
                cacheControl: private
                publicReadAcl: false
                bucket: deploy-infra-actions-static-site-i-staticd8c87b36-jyufgyb0llkj # TODO replace with SSM param once possible.
                prefixApp: true # See comment on `app` above.
                prefixStack: false
                prefixStage: false
              dependencies:
                - cfn