Migrate to ECS environment

.github/workflows/add-labels.yml

@@ -0,0 +1,54 @@
+name: add labels for some cases
+
+on: pull_request
+
+jobs:
+  reviewapps:
+    name: grant 'reviewapps' label if there are any changes in PR's source code.
+    runs-on: ubuntu-latest  # windows-latest | macos-latest
+    if: ${{ ! startsWith(github.head_ref, 'renovate/') }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get changed files
+        id: check-paths-ignore
+        uses: tj-actions/changed-files@v42
+        with:
+          files_ignore: |
+            .github/**/*.yml
+            **.md
+
+      # to trigger other Actions caused by adding reviewapp Label
+      - name: Generate token
+        if: steps.check-paths-ignore.outputs.any_changed == 'true'
+        id: generate_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Labeling 'reviewapps' to PR
+        if: steps.check-paths-ignore.outputs.any_changed == 'true'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          result-encoding: string
+          script: |
+            const targetLabel = 'reviewapps';
+            issue = await github.rest.issues.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            flag = false;
+            issue.data.labels.filter(label => {
+              if (label.name == targetLabel) { flag = true; };
+            });
+            if (!flag) {
+              github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                labels: [targetLabel]
+              });
+            }

.github/workflows/build.yml → .github/workflows/build-branch.yml

@@ -1,6 +1,8 @@
-name: build dreamkast-weaver image
+name: build dreamkast-weaver image when branches are pushed
 
-on: push
+on:
+  push:
+    branches: ["*"]
 
 jobs:
   build:
@@ -18,7 +20,7 @@ jobs:
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ap-northeast-1
+          aws-region: us-west-2
 
       - name: Login to Amazon ECR
         id: login-ecr

.github/workflows/build-tag.yml

@@ -0,0 +1,49 @@
+name: build dreamkast-weaver image when tags are pushed
+
+on:
+  push:
+    tags: ["*"]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ap-northeast-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ steps.login-ecr.outputs.registry }}/dreamkast-weaver
+          tags: |
+            type=sha,prefix=,format=long
+            type=ref,event=tag
+
+      - name: Build
+        id: docker_build
+        uses: docker/build-push-action@v5
+        with:
+          context: ./
+          file: Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          push: true
+          provenance: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/gitops-stg.yml

@@ -78,3 +78,84 @@ jobs:
               pull_number: pr.data.number,
               merge_method: "squash",
             });
+
+  ecs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+
+      - name: Install jsonnet
+        run: |
+          go install github.com/google/go-jsonnet/cmd/jsonnet@latest
+          go install github.com/google/go-jsonnet/cmd/jsonnetfmt@latest
+
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Checkout dreamkast-infra
+        uses: actions/checkout@v4
+        with:
+          repository: cloudnativedaysjp/dreamkast-infra
+          path: dreamkast-infra
+          token: ${{ steps.generate_token.outputs.token }}
+
+      - name: Update image-tags
+        working-directory: dreamkast-infra/ecspresso/stg
+        run: |
+          cat << _EOL_ | jsonnet - > ./const.libsonnet.tmp
+          local const = import './const.libsonnet';
+
+          const + {
+            imageTags: const.imageTags + {
+              dreamkast_weaver: "${{ github.sha }}",
+            },
+          }
+          _EOL_
+          mv const.libsonnet.tmp const.libsonnet
+          jsonnetfmt -i const.libsonnet
+
+      - name: Commit files
+        id: commit_files
+        continue-on-error: true
+        working-directory: dreamkast-infra/
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "GitHub Action"
+          git status
+          git add -A
+          git commit -am "Bump docker tag (${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA})"
+
+      - name: Push changes
+        if: steps.commit_files.outcome == 'success'
+        uses: ad-m/github-push-action@master
+        with:
+          github_token: ${{ steps.generate_token.outputs.token }}
+          repository: cloudnativedaysjp/dreamkast-infra
+          directory: dreamkast-infra
+          branch: staging/weaver-main
+
+      - name: Create and Merge Pull Request
+        if: steps.commit_files.outcome == 'success'
+        uses: "actions/github-script@v7"
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            const pr = await github.rest.pulls.create({
+              owner: "cloudnativedaysjp",
+              repo: "dreamkast-infra",
+              title: "Automated PR (staging/weaver-main)",
+              body: "**this PR is automatically created & merged**",
+              head: "staging/weaver-main",
+              base: "main"
+            });
+            await github.rest.pulls.merge({
+              owner: "cloudnativedaysjp",
+              repo: "dreamkast-infra",
+              pull_number: pr.data.number,
+              merge_method: "squash",
+            });

.github/workflows/reviewapp-cleanup.yml

@@ -0,0 +1,91 @@
+name: cleanup reviewapps
+
+on:
+  schedule:
+    - cron:  '*/30 * * * *'
+
+# this workflow should not work with cleanup workflow
+concurrency: reviewapps
+
+jobs:
+  cleanup:
+    name: create reviewapp files to dreamkast-infra
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Checkout dreamkast-infra
+        uses: actions/checkout@v4
+        with:
+          repository: cloudnativedaysjp/dreamkast-infra
+          path: dreamkast-infra
+          token: ${{ steps.generate_token.outputs.token }}
+
+      - name: Install ecspresso
+        uses: kayac/ecspresso@v2
+
+      - name: Cleanup
+        working-directory: dreamkast-infra/ecspresso/reviewapps
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PREFIX: weaver-
+        shell: bash -x {0}
+        run: |
+          EXPECTED="$(gh pr list --repo ${{ github.repository }} --label 'reviewapps' --json number --jq '.[].number' | sed 's/^\(.*\)$/'$PREFIX'\1/g')"
+          ACTUAL="$(ls | grep -E ^$PREFIX)"
+          # If present only in ACTUAL, cleanup
+          for act in $ACTUAL; do
+            EXIST=false
+            for exp in $EXPECTED; do
+              [ "$act" = "$exp" ] && EXIST=true
+            done
+            [ $EXIST = true ] && continue
+            bash -x $act/cleanup.sh
+            rm -rf $act
+          done
+      - name: Commit files
+        id: commit_files
+        continue-on-error: true
+        working-directory: dreamkast-infra/
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "GitHub Action"
+          git status
+          git add -A
+          git commit -a -F- <<EOM
+          cleanup ReviewApps by GHA in ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}
+          EOM
+      - name: Push changes
+        if: steps.commit_files.outcome == 'success'
+        uses: ad-m/github-push-action@master
+        with:
+          github_token: ${{ steps.generate_token.outputs.token }}
+          repository: cloudnativedaysjp/dreamkast-infra
+          directory: dreamkast-infra
+          branch: staging/weaver-main
+
+      - name: Create and Merge Pull Request
+        if: steps.commit_files.outcome == 'success'
+        uses: "actions/github-script@v7"
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            const pr = await github.rest.pulls.create({
+              owner: "cloudnativedaysjp",
+              repo: "dreamkast-infra",
+              title: "Automated PR (staging/weaver-main)",
+              body: "**this PR is automatically created & merged**",
+              head: "staging/weaver-main",
+              base: "main"
+            });
+            await github.rest.pulls.merge({
+              owner: "cloudnativedaysjp",
+              repo: "dreamkast-infra",
+              pull_number: pr.data.number,
+              merge_method: "squash",
+            });