Using GitHub Actions with AppPack (Advanced)
AppPack comes with a full continuous integration pipeline for your app on AWS out-of-the-box. This is the recommended approach, however in some scenarios an application may require more flexibility than what is built-in.
AppPack maintains a GitHub Action that can be used to let you build a custom application pipeline using GitHub Actions.
Prerequisites
It's possible to do this with an IAM user and access keys, but it's more secure to use OIDC. Here are the steps to set up an AWS Role for use with GitHub Actions:
- Add GitHub as an Identity Provider in your AWS account
- Create a role in your AWS account here, https://console.aws.amazon.com/iamv2/home#/roles/create
- Select "Web Identity" as the entity type
- Select the Identity Provider and audience you created in step 1
- Click
Next - Select the Codebuild policy for your app. It will be named
apppack-app-{yourappname}-CodebuildPolicy-{randomstring} - Click
Next - Provide the role name and description
- Update the "Selected trusted entities" to limit the trust to the specific GitHub repository you want to use. For example, if your repository is
myorg/my-app-repo, the trust policy should look like this:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity", "Principal": { "Federated": "arn:aws:iam::135549385118:oidc-provider/token.actions.githubusercontent.com" }, "Condition": { "StringEquals": { "token.actions.githubusercontent.com:aud": [ "sts.amazonaws.com" ] }, "StringLike": { "token.actions.githubusercontent.com:sub": "repo:myorg/my-app-repo:*" } } } ] } - Click
Create role
- Use the
--disable-build-webhookflag when creating the app to make sure the default AppPack build pipeline is disabled.
Available Actions
- AppPack Deploy
apppackio/deploy-actionUploads an image and metadata, then triggers an AppPack deploy - Setup AppPack CLI
apppackio/setup-apppack-cliInstalls the latest version of the AppPack CLI
Using the Actions in a Workflow
Here is an example workflow which deploys an AppPack app in GitHub Actions. Note: your repo will need to include an apppack.toml file to describe your app's services.
Example
---
name: AppPack Deploy
on: [push]
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
env:
# replace this with your AppPack app name
APPNAME: your-app-image
BUILDX_CACHE_DIR: /tmp/.buildx-cache
# replace these with the AWS role you create and the region your app is in
AWS_ROLE_ARN: arn:aws:iam::123456789012:role/github-actions
AWS_REGION: us-east-2
steps:
- uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- uses: actions/cache@v3
with:
path: ${{ env.BUILDX_CACHE_DIR }}
key: ${{ runner.os }}-buildx-${{ github.ref }}-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-${{ github.ref }}-
${{ runner.os }}-buildx-
- name: Build Docker Image
shell: bash # adds pipefail
run: |
docker buildx build \
--tag $APPNAME:${{ github.run_id }} \
--progress plain \
--cache-to type=local,dest=${{ env.BUILDX_CACHE_DIR }} \
--cache-from type=local,src=${{ env.BUILDX_CACHE_DIR }} \
--file Dockerfile \
--load \
. 2>&1 | tee /tmp/build.log # avoid part of build.log ending up in the image
mv /tmp/build.log .
- name: Test
shell: bash # adds pipefail
run: |
# replace this with your own test command
docker run --rm -e SECRET_KEY=1 $APPNAME:${{ github.run_id }} pytest | tee test.log
- uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ env.AWS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION }}
- uses: apppackio/deploy-action@v2
with:
appname: ${{ env.APPNAME }}
image: ${{ env.APPNAME }}:${{ github.run_id }}