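---
# Go CI/CD workflow.
#
# Jobs:
#   ci               - build, format check, lint, static analysis, gosec, tests.
#                      Runs on pull requests to main and on pushes to main.
#   build-and-deploy - builds the container image, pushes it to ECR, renders the
#                      manifests in ./infra and applies them to EKS. Runs only on
#                      pushes to main and only after `ci` has succeeded for the
#                      same commit (the original deployed without re-running tests).
#
# Review notes (security):
#   * `contents: read` is sufficient: no job commits to the repository, and the
#     deploy job authenticates to AWS, not to GitHub.
#   * AWS credentials are no longer exported at workflow level. Previously every
#     step of every job - including the PR job, which runs `curl | sh` and
#     `go install ...@latest` of unpinned tools - had the long-lived keys in its
#     environment. They are now passed only to configure-aws-credentials in the
#     deploy job. Prefer OIDC (`role-to-assume` plus `id-token: write`) over
#     static keys once an IAM role trusting this repository exists.
#   * Third-party actions are referenced by major tag; pin them to a full commit
#     SHA for supply-chain integrity. Likewise the `@latest` tool installs
#     below should be pinned to specific releases.
name: Go CI/CD

on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches:
      - main
  push:
    branches:
      - main

# Least privilege for the default GITHUB_TOKEN: nothing in this workflow
# writes to the repository.
permissions:
  contents: read

jobs:
  ci:
    name: CI Pipeline
    runs-on: ubuntu-latest
    # Superseded PR runs are cancelled; runs for pushes to main are not.
    concurrency:
      group: ci-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '^1.22.1'

      - name: Install dependencies
        run: go mod download

      - name: Build
        run: go build -o ./app .

      # The original ran `gofumpt -w .`, rewriting files that were never
      # committed, so formatting was never actually enforced. `-l` lists the
      # files that would change; the step fails if there are any.
      - name: Check formatting with gofumpt
        run: |
          set -euo pipefail
          go install mvdan.cc/gofumpt@latest
          UNFORMATTED=$(gofumpt -l .)
          if [[ -n "$UNFORMATTED" ]]; then
            echo "gofumpt: the following files are not formatted:"
            echo "$UNFORMATTED"
            exit 1
          fi

      # NOTE(review): this pipes an unpinned install script from the `master`
      # branch into sh and installs `latest`. Pin a release version (and a
      # checksum, or use the official golangci-lint action) so a compromised or
      # broken upstream cannot change what runs in CI.
      - name: Install golangci-lint
        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "$(go env GOPATH)/bin" latest

      # golangci-lint, staticcheck and gosec previously ran with `|| true` and
      # only echoed their output (all three under a "golangci-lint found issues"
      # label), so the job could never fail on a finding. Each tool now fails
      # the job on a non-zero exit and prints its own findings.
      - name: Run golangci-lint
        run: golangci-lint run ./...

      - name: Install staticcheck
        run: go install honnef.co/go/tools/cmd/staticcheck@latest

      - name: Run staticcheck
        run: staticcheck ./...

      - name: Install gosec
        run: go install github.com/securego/gosec/cmd/gosec@latest

      # G104 (unhandled errors) stays excluded, as in the original configuration.
      - name: Run gosec
        run: gosec -exclude=G104 ./...

      - name: Test
        run: go test ./...

  build-and-deploy:
    name: CD Pipeline - Continuous Delivery Pipeline
    runs-on: ubuntu-latest
    # Deploy only from main, and only after the CI job passed for this commit.
    needs: ci
    if: github.event_name == 'push'
    # Serialise deploys to the same ref; never cancel one that is in progress.
    concurrency:
      group: deploy-${{ github.ref }}
      cancel-in-progress: false
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Replaces the third-party prompt/actions-commit-hash action: the short
      # SHA is derivable from GITHUB_SHA, so no extra supply-chain dependency is
      # needed. The `short` output name is kept for the steps below.
      - name: Set short git commit SHA
        id: commit
        run: echo "short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Static keys are passed to this step only; the action exports them for
      # the remaining steps of this job. TODO(review): switch to OIDC
      # (`role-to-assume`, with `id-token: write` in permissions) when a role exists.
      - name: Set up AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build, tag, and push Docker image to Amazon ECR
        env:
          ECR_REPOSITORY: ${{ vars.SERVICE_NAME }}
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          IMAGE_TAG: ${{ steps.commit.outputs.short }}
        run: |
          set -euo pipefail
          IMAGE_URI="$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
          docker build -t "$IMAGE_URI" .
          docker push "$IMAGE_URI"
          echo "IMAGE_URI=$IMAGE_URI" >> "$GITHUB_ENV"

      - name: Update Kubernetes configuration
        env:
          SERVICE_NAME: ${{ vars.SERVICE_NAME }}
          JWT_SECRET: ${{ secrets.JWT_SECRET }}
          JWT_ISSUER: ${{ secrets.JWT_ISSUER }}
        run: |
          set -euo pipefail

          # Fetch one SecureString parameter under /$SERVICE_NAME/. `jq -e`
          # exits non-zero on a missing/null value, and pipefail propagates an
          # aws failure, so the step fails instead of silently writing an empty
          # string into a manifest (the original had neither check).
          # NOTE: as in the original, the value is left JSON-quoted; the
          # placeholders in ./infra are presumably unquoted - confirm before
          # switching to `jq -r`.
          ssm_param() {
            aws ssm get-parameter --name "/$SERVICE_NAME/$1" --with-decryption --output json \
              | jq -e '.Parameter | .Value'
          }

          DB_NAME=$(ssm_param db_name)
          DB_HOST=$(ssm_param db_host)
          DB_USERNAME=$(ssm_param db_username)
          DB_PASSWORD=$(ssm_param db_password)

          # Only `secrets.*` values are masked in logs automatically; values
          # fetched from SSM are not, so register them before anything can
          # echo them (e.g. a sed error message).
          echo "::add-mask::$DB_USERNAME"
          echo "::add-mask::$DB_PASSWORD"

          # NOTE(review): sed substitution breaks, or injects via `&`/`\`, if a
          # value contains `|`, `&` or `\`. Rendering the Secret with
          # `kubectl create secret generic ... --dry-run=client -o yaml` would
          # avoid text substitution entirely.
          sed -i 's|placeholder_repository_name|'"$IMAGE_URI"'|' ./infra/golang-app-deployment.yaml
          sed -i 's|aws_ssm_db_name|'"$DB_NAME"'|' ./infra/configmap.yaml
          sed -i 's|aws_ssm_db_host|'"$DB_HOST"'|' ./infra/configmap.yaml
          sed -i 's|aws_ssm_db_username|'"$DB_USERNAME"'|' ./infra/secrets.yaml
          sed -i 's|aws_ssm_db_password|'"$DB_PASSWORD"'|' ./infra/secrets.yaml
          sed -i 's|git_hub_secrets_jwt_secret|'"$JWT_SECRET"'|' ./infra/secrets.yaml
          sed -i 's|git_hub_secrets_jwt_issuer|'"$JWT_ISSUER"'|' ./infra/secrets.yaml

      # Verify the kubectl binary against the checksum the Kubernetes project
      # publishes next to it; the original downloaded and executed it unverified.
      - name: Install kubectl
        run: |
          set -euo pipefail
          KUBECTL_VERSION=$(curl -sSL https://dl.k8s.io/release/stable.txt)
          curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
          curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
          echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
          chmod +x kubectl
          sudo mv kubectl /usr/local/bin/

      - name: Update kube config
        env:
          AWS_EKS_CLUSTER_NAME: ${{ vars.AWS_EKS_CLUSTER_NAME }}
          AWS_REGION: ${{ vars.AWS_REGION }}
        run: aws eks update-kubeconfig --name "$AWS_EKS_CLUSTER_NAME" --region "$AWS_REGION"

      # configure-aws-credentials already exported the AWS variables for the
      # rest of the job, so re-declaring the secrets on this step was
      # redundant. `--validate=false` has been dropped so that malformed
      # manifests (e.g. a broken sed substitution) are rejected before they
      # reach the cluster.
      - name: Deploy to Kubernetes
        run: |
          set -euo pipefail
          kubectl config get-contexts
          kubectl apply -f ./infra
          # NOTE(review): the deployment name is hard-coded while every other
          # reference uses vars.SERVICE_NAME; confirm they denote the same
          # service. Without --timeout this waits indefinitely for the rollout.
          kubectl rollout status deployment/customer-service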