Common GHA for Dynamic Staging Envs process

.github/actions/argocd-deployment/argo-workflows-cli-wait/action.yaml

@@ -0,0 +1,40 @@
+---
+name: 'Argo Workflows CLI Wait for workflow'
+description: 'Argo Workflows commands for its CLI wait for workflow.'
+
+inputs:
+  argo_namespace:
+    description: 'Argo Workflows namespace.'
+    required: false
+    default: 'argo-workflows'
+  argo_server:
+    description: 'Argo Workflows server URL.'
+    required: false
+    default: 'argo-workflows.stg.fcm.digital:443'
+  argo_token:
+    description: 'Argo Workflows auth token.'
+    required: true
+  environment:
+    description: 'Environment.'
+    required: true
+  labels:
+    description: 'Labels to be used for filtering.'
+    required: false
+    default: ''
+
+runs:
+  using: "composite"
+  steps:
+    - id: workflow-wait
+      name: 'Argo Workflow Wait'
+      shell: bash
+      run: ${{ github.action_path }}/entrypoint.sh
+      env:
+        ARGO_NAMESPACE: ${{ inputs.argo_namespace }}
+        ARGO_SERVER: ${{ inputs.argo_server }}
+        ARGO_TOKEN: ${{ inputs.argo_token }}
+        ARGO_HTTP1: true
+        ARGO_SECURE: true
+        KUBECONFIG: /dev/null
+        ENVIRONMENTS: ${{ inputs.environments }}
+        LABELS: ${{ inputs.labels }}

.github/actions/argocd-deployment/argo-workflows-cli-wait/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if [[ -z $LABELS ]]; then
+    LABELS=""
+else
+    LABELS="-l $LABELS"
+fi
+
+echo "Waiting for Argo Workflow to complete"
+argo wait @latest -n $ENVIRONMENTS $LABELS
+if [[ $? -eq 0 ]]; then
+    echo "Argo Workflow submitted successfully"
+    argo get @latest -n $ENVIRONMENTS $LABELS
+else
+    echo "Argo Workflow failed"
+    exit 1
+fi
+

.github/actions/github/execute-manual-workflow/action.yaml

@@ -0,0 +1,93 @@
+---
+name: 'Execute Manual Workflow'
+description: 'Execute a manual workflow based on .'
+
+inputs:
+  branch_name:
+    description: 'The branch name to execute the workflow on.'
+    required: false
+    default: "master"
+  github_token:
+    description: 'The GitHub Token. (Required if github_app_id and github_app_private_key are not provided)'
+    required: true
+  github_organization_name:
+    description: 'The GitHub organization name.'
+    required: true
+  github_repository_name:
+    description: 'The repository name.'
+    required: true
+  workflow_id:
+    description: 'The workflow ID.'
+    required: true
+  workflow_inputs:
+    description: 'The workflow inputs. Valid format: "--field key1=value1 --field key2=value2"'
+    required: false
+    default: ""
+  workflow_watch:
+    description: 'Whether to watch the workflow run or not. If true, the workflow will wait for the new workflow to finish.'
+    required: false
+    default: "false"
+  # This input is necessary because `gh workflow run` doesn't return the database ID of the workflow run and `gh run watch` requires the database ID.
+  workflow_watch_name_filter:
+    description: 'Filter the workflow run by name (Only available if workflow_watch is true).'
+    required: false
+    default: ""
+  workflow_watch_user:
+    description: 'The user to watch the workflow run as (Only available if workflow_watch is true).'
+    required: false
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+    - id: exec-workflow
+      name: Execute Workflow
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+      run: |
+        gh workflow run ${{ inputs.workflow_id }} --repo ${{ inputs.github_organization_name }}/${{ inputs.github_repository_name }} --ref ${{ inputs.branch_name }} ${{ inputs.workflow_inputs }}
+      shell: bash
+
+    - id: watch-workflow
+      if: inputs.workflow_watch == 'true'
+      name: Watch Workflow
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+        GH_OUTPUT_FILE_NAME: gh-output.json
+      run: |
+        echo "Waiting for new run to appear..."
+        for i in {1..12}; do
+          sleep 10
+          # Get the latest run of the workflow as the user specified
+          gh run list --workflow=${{ inputs.workflow_id }} --repo ${{ inputs.github_organization_name }}/${{ inputs.github_repository_name }} --limit=1 --user "${{ inputs.workflow_watch_user }}" --json name,databaseId,createdAt > $GH_OUTPUT_FILE_NAME
+
+          if [[ $? -ne 0 ]] || [ ! -f "$GH_OUTPUT_FILE_NAME" ] && [ ! -s "$GH_OUTPUT_FILE_NAME" ]; then
+            echo "Workflow run not found. Still waiting... ($i/12)"
+            continue
+          fi
+
+          WORKFLOW_RUN_TIMESTAMP=$(cat $GH_OUTPUT_FILE_NAME | jq '.[0].createdAt' | xargs -I {} date -d {} +%s)
+          CURRENT_TIMESTAMP=$(date +%s)
+
+          WORKFLOW_RUN_AGE=$((CURRENT_TIMESTAMP - WORKFLOW_RUN_TIMESTAMP))
+          if [[ $WORKFLOW_RUN_AGE -lt 120 ]]; then
+            echo "Workflow run found with age of $WORKFLOW_RUN_AGE seconds"
+
+            # Get the database ID of the workflow run            
+            WORKFLOW_RUN_DBID=$(cat $GH_OUTPUT_FILE_NAME | jq --arg name "${{ inputs.workflow_watch_name_filter }}" '.[] | select(.name | contains($name))' | jq '.databaseId')
+
+            if [[ -z "$WORKFLOW_RUN_DBID" ]]; then
+              echo "Workflow run not found. Still waiting... ($i/12)"
+              continue
+            fi
+            echo "Workflow run found with database ID: $WORKFLOW_RUN_DBID"
+            break            
+          else
+            echo "Workflow run not found. Still waiting... ($i/12)"
+            continue
+          fi
+        done
+
+        # Wait for the workflow to finish and exit with the same status.
+        gh run watch --repo ${{ inputs.github_organization_name }}/${{ inputs.github_repository_name }} $WORKFLOW_RUN_DBID --interval 15 --compact --exit-status
+      shell: bash

.github/actions/github/generate-github-app-token/action.yaml

@@ -0,0 +1,46 @@
+---
+name: 'Generate GitHub App Token'
+description: 'Generate a GitHub App token based on the GitHub App ID and private key.'
+
+inputs:
+  github_app_id:
+    description: 'The GitHub App ID.'
+    required: true
+  github_app_private_key:
+    description: 'The GitHub App private key.'
+    required: true
+  github_organization_name:
+    description: 'The GitHub organization name.'
+    required: true
+  github_repositories:
+    description: 'The GitHub repositories names to grant access to.'
+    required: true
+
+outputs:
+  gh_token:
+    description: 'The GitHub App token.'
+    value: ${{ steps.generate-gh-token.outputs.token }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Generate a GH Token
+      id: generate-gh-token
+      uses: actions/create-github-app-token@v2
+      with:
+        app-id: ${{ inputs.github_app_id }}
+        private-key: ${{ inputs.github_app_private_key }}
+        owner: ${{ inputs.github_organization_name }}
+        repositories: ${{ inputs.github_repositories }}
+
+    - name: Test Token
+      run: |
+        gh auth status
+        if [[ $? -ne 0 ]]; then
+          echo "Failed to get GitHub App Token using GH App ID: ${{ inputs.github_app_id }} credentials."
+          exit 1
+        else
+          echo "GitHub App Token generated successfully. Token saved to output 'gh_token'."
+        fi
+      shell: bash
+

.github/actions/github/get-workflow-id/action.yaml

@@ -0,0 +1,47 @@
+---
+name: 'Get Workflow ID'
+description: 'Get the ID of a GitHub workflow based on the workflow file name and repository.'
+
+inputs:
+  github_token:
+    description: 'The GitHub Token.'
+    required: true
+  github_organization_name:
+    description: 'The GitHub organization name.'
+    required: true
+  github_repository_name:
+    description: 'The repository name.'
+    required: true
+  workflow_file_name:
+    description: 'The workflow file name.'
+    required: true
+
+outputs:
+  workflow_id:
+    description: 'The workflow ID.'
+    value: ${{ steps.get-workflow-id.outputs.workflow_id }}
+
+runs:
+  using: "composite"
+  steps:
+    - id: get-workflow-id
+      name: Get Workflow ID
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+        GH_OUTPUT_FILE_NAME: gh-output.json
+      run: |
+        gh workflow list --repo ${{ inputs.github_organization_name }}/${{ inputs.github_repository_name }} --json id,path > $GH_OUTPUT_FILE_NAME
+
+        if [[ $? -ne 0 ]] || [ ! -f "$GH_OUTPUT_FILE_NAME" ] && [ ! -s "$GH_OUTPUT_FILE_NAME" ]; then
+          echo "Failed to list workflows"
+          exit 1
+        fi
+
+        WORKFLOW_ID=$(cat $GH_OUTPUT_FILE_NAME | jq --arg workflowFileName "${{ inputs.workflow_file_name }}" '.[] | select(.path | contains($workflowFileName))' | jq '.id')
+
+        if [[ $? -ne 0 ]] || [[ -z $WORKFLOW_ID ]]; then
+          echo "Failed to get workflow ID"
+          exit 1
+        fi
+        echo "workflow_id=$WORKFLOW_ID" >> $GITHUB_OUTPUT
+      shell: bash

.github/actions/google-cloud-platform/cloudsql-instance-new-owner/action.yaml

@@ -0,0 +1,101 @@
+---
+name: 'CloudSQL Instance New Owner'
+description: 'Reassign the owner of a CloudSQL instance to a new owner.'
+
+inputs:
+  gcloud-sdk-configure:
+    description: 'Whether to configure GCloud SDK.'
+    required: false
+    default: 'false'
+  gcp-project-id:
+    description: 'The GCP project ID.'
+    required: true
+
+  app-name:
+    description: 'The name of the application.'
+    required: true
+  service-name:
+    description: 'The name of the specific service (part of the app-name).'
+    required: true
+  database-name:
+    description: 'The prefix name of the database.'
+    required: true
+
+  restore-environment:
+    description: 'The environment to which the instance is being restored.'
+    required: true
+  snapshot-environment:
+    description: 'The environment from which the snapshot was taken.'
+    required: true
+
+  restore-instance:
+    description: 'The CloudSQL instance ID to reassign the owner of.'
+    required: true
+  private-ip-instance:
+    description: 'The CloudSQL private IP of the restored instance.'
+    required: true
+
+  postgres-user-pwd:
+    description: 'The password for the PostgreSQL database.'
+    required: true
+  appname-user-pwd:
+    description: 'The password for the App User.'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - id: gcloud-sdk-configure
+      if: inputs.gcloud-sdk-configure == 'true'
+      name: 'Configure GCloud SDK'
+      uses: fcm-digital/.github/.github/actions/google-cloud-platform/gcloud-sdk-configure@sc-23004-dynamic-staging-envs
+      with:
+        gcp-project-id: ${{ inputs.gcp-project-id }}
+
+    - id: restore-postgres-user-password
+      name: Restore Postgres User Password
+      env:
+        DESTINATION_INSTANCE_ID: ${{ inputs.restore-instance }}
+        PGUSER: 'postgres'
+        PGPASSWORD: ${{ inputs.postgres-user-pwd }}
+      shell: bash
+      run: gcloud sql users set-password "${PGUSER}" --instance="${DESTINATION_INSTANCE_ID}" --password=${PGPASSWORD} --project=${{ inputs.gcp-project-id }}
+
+    - id: create-app-user
+      name: 'Create database user and password'
+      env:
+        DESTINATION_INSTANCE_ID: ${{ inputs.restore-instance }}
+        PGUSER: '${{ inputs.service-name }}-${{ inputs.restore-environment }}'
+        PGPASSWORD: ${{ inputs.appname-user-pwd }}
+      shell: bash
+      run: gcloud sql users create "${PGUSER}" --instance="${DESTINATION_INSTANCE_ID}" --password=${PGPASSWORD} --project=${{ inputs.gcp-project-id }}
+
+    - id: install-psql
+      name: Install PostgreSQL Client
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install --yes --no-install-recommends postgresql-client
+
+    - id: 'run-postgres-config'
+      name: 'Configure restored PostgreSQL database'
+      env:
+        PGPASSWORD: ${{ inputs.postgres-user-pwd }}
+      shell: bash
+      run: |-
+        psql --host=${{ inputs.private-ip-instance }} --port=5432 --username=postgres <<EOF
+        \x
+        GRANT "${{ inputs.service-name }}-${{ inputs.restore-environment }}" TO "postgres";
+        ALTER DATABASE "${{ inputs.database-name }}_${{ inputs.snapshot-environment }}" RENAME TO "${{ inputs.database-name }}_${{ inputs.restore-environment }}";
+        ALTER DATABASE "${{ inputs.database-name }}_${{ inputs.restore-environment }}" OWNER TO "${{ inputs.service-name }}-${{ inputs.restore-environment }}";
+        \c "${{ inputs.database-name }}_${{ inputs.restore-environment }}"
+        REASSIGN OWNED BY "${{ inputs.service-name }}-${{ inputs.snapshot-environment }}" TO "${{ inputs.service-name }}-${{ inputs.restore-environment }}";
+        EOF
+
+    # - id: 'remove-snapshot-app-user'
+    #   name: Remove Snapshot App User
+    #   env:
+    #     DESTINATION_INSTANCE_ID: ${{ inputs.restore-instance }}
+    #     PGUSER: '${{ inputs.service-name }}-${{ inputs.snapshot-environment }}'
+    #   shell: bash
+    #   run: gcloud sql users delete "${PGUSER}" --instance="${DESTINATION_INSTANCE_ID}" --project=${{ inputs.gcp-project-id }}