This repository was archived by the owner on Dec 11, 2025. It is now read-only.
Bump the npm group across 3 directories with 2 updates (#3705) #2887
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| env: | |
| OIDC_IAM_ROLE_ARN: ${{ secrets.OIDC_IAM_ROLE_ARN }} | |
| AWS_REGION: us-west-2 | |
| permissions: | |
| id-token: write | |
| contents: read | |
| # 同時実行すると CREATE_IN_PROGRESS や UPDATE_IN_PROGRESS 状態で cdk deploy を行う可能性があるため抑止する | |
| concurrency: | |
| group: "cloudformation" | |
| cancel-in-progress: false | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 | |
| with: | |
| role-to-assume: ${{ env.OIDC_IAM_ROLE_ARN }} | |
| role-session-name: GitHubActions | |
| aws-region: ${{ env.AWS_REGION }} | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Use Node.js | |
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 | |
| with: | |
| node-version: 'lts/*' | |
| check-latest: true | |
| package-manager-cache: false | |
| - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 | |
| name: Install pnpm | |
| with: | |
| run_install: | | |
| - recursive: true | |
| cwd: ./package | |
| args: [--no-frozen-lockfile] | |
| - args: [--global, aws-cdk] | |
| package_json_file: package/package.json | |
| - name: Install AWS CLI | |
| run: | | |
| curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" | |
| unzip awscliv2.zip | |
| sudo ./aws/install --update | |
| rm -rf awscliv2.zip aws | |
| - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2 | |
| - name: Build (package) | |
| working-directory: package | |
| run: pnpm lint && pnpm build | |
| - name: deploy (package) | |
| working-directory: package | |
| run: cdk deploy -c env=dev | |
| - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 | |
| name: Install pnpm (example/cdk) | |
| with: | |
| run_install: | | |
| - recursive: true | |
| cwd: ./example/cdk | |
| args: [--no-frozen-lockfile] | |
| - args: [--global, aws-cdk] | |
| package_json_file: example/cdk/package.json | |
| - name: Build (example/cdk) | |
| working-directory: example/cdk | |
| run: pnpm lint && pnpm build | |
| - name: Generate API Gateway endpoint URL | |
| run: | | |
| API_ID=$(aws cloudformation describe-stack-resources --stack-name dev-github-cognito-oidc-proxy-stack --query 'StackResources[?ResourceType == `AWS::ApiGateway::RestApi`].PhysicalResourceId[]' --no-cli-pager --output text) | |
| API_STAGE=$(aws cloudformation describe-stack-resources --stack-name dev-github-cognito-oidc-proxy-stack --query 'StackResources[?ResourceType == `AWS::ApiGateway::Stage`].PhysicalResourceId[]' --no-cli-pager --output text) | |
| echo "API_GATEWAY_ENDPOINT=https://${API_ID}.execute-api.${AWS_REGION}.amazonaws.com/${API_STAGE}" >> $GITHUB_ENV | |
| - name: generate cdk.json | |
| working-directory: example/cdk | |
| run: | | |
| cat << EOS >> cdk.json | |
| { | |
| "app": "pnpm dlx tsx bin/github-oidc-proxy-example-cognito.ts", | |
| "watch": { | |
| "include": [ | |
| "**" | |
| ], | |
| "exclude": [ | |
| "README.md", | |
| "cdk*.json", | |
| "**/*.d.ts", | |
| "**/*.js", | |
| "tsconfig.json", | |
| "package*.json", | |
| "pnpm.lock", | |
| "node_modules", | |
| "test" | |
| ] | |
| }, | |
| "requireApproval": "never", | |
| "context": { | |
| "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true, | |
| "@aws-cdk/core:stackRelativeExports": true, | |
| "@aws-cdk/aws-rds:lowercaseDbIdentifier": true, | |
| "@aws-cdk/aws-lambda:recognizeVersionProps": true, | |
| "@aws-cdk/aws-lambda:recognizeLayerVersion": true, | |
| "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true, | |
| "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true, | |
| "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true, | |
| "@aws-cdk/core:checkSecretUsage": true, | |
| "@aws-cdk/aws-iam:minimizePolicies": true, | |
| "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true, | |
| "@aws-cdk/core:validateSnapshotRemovalPolicy": true, | |
| "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true, | |
| "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true, | |
| "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true, | |
| "@aws-cdk/aws-apigateway:disableCloudWatchRole": true, | |
| "@aws-cdk/core:enablePartitionLiterals": true, | |
| "@aws-cdk/core:target-partitions": [ | |
| "aws", | |
| "aws-cn" | |
| ], | |
| "dev": { | |
| "domainPrefix": "github-openid-example", | |
| "identityProviderClientId": "${{ secrets.OAUTH_APP_CLIENT_ID }}", | |
| "identityProviderClientSecret": "${{ secrets.OAUTH_APP_CLIENT_SECRET }}", | |
| "identityProviderRequestMethod": "GET", | |
| "identityProviderIssuerURL": "${{ env.API_GATEWAY_ENDPOINT }}", | |
| "identityProviderAuthorizeScopes": "openid read:user user:email" | |
| } | |
| } | |
| } | |
| EOS | |
| - name: deploy (example/cdk) | |
| working-directory: example/cdk | |
| run: cdk deploy -c env=dev | |
| - name: Set environment variables | |
| run: | | |
| USER_POOL_ID=$(aws cloudformation describe-stack-resources --stack-name dev-github-oidc-proxy-example-stack --query 'StackResources[?ResourceType == `AWS::Cognito::UserPool`].PhysicalResourceId[]' --no-cli-pager --output text) | |
| CLIENT_ID=$(aws cloudformation describe-stack-resources --stack-name dev-github-oidc-proxy-example-stack --query 'StackResources[?ResourceType == `AWS::Cognito::UserPoolClient`].PhysicalResourceId[]' --no-cli-pager --output text) | |
| CFN_DOMAINNAME=$(aws cloudfront get-distribution --id $(aws cloudformation describe-stack-resources --stack-name dev-github-oidc-proxy-example-stack --query 'StackResources[?ResourceType == `AWS::CloudFront::Distribution`].PhysicalResourceId[]' --no-cli-pager --output text) --query 'Distribution.DomainName' --output text --no-cli-pager) | |
| echo "::add-mask::${USER_POOL_ID}" | |
| echo "::add-mask::${CLIENT_ID}" | |
| CLIENT_SECRET=$(aws cognito-idp describe-user-pool-client --user-pool-id "${USER_POOL_ID}" --client-id "${CLIENT_ID}" --query 'UserPoolClient.ClientSecret' --no-cli-pager --output text) | |
| echo "::add-mask::${CLIENT_SECRET}" | |
| echo "NEXT_PUBLIC_COGNITO_CLIENT_ID=${CLIENT_ID}" >> $GITHUB_ENV | |
| echo "NEXT_PUBLIC_COGNITO_CLIENT_SECRET=${CLIENT_SECRET}" >> $GITHUB_ENV | |
| echo "CFN_DOMAINNAME=${CFN_DOMAINNAME}" >> $GITHUB_ENV | |
| - name: Build (example/app) | |
| working-directory: example/app | |
| run: bun run lint && pnpm build | |
| - name: deploy (example) upload next.js app | |
| working-directory: example/cdk | |
| env: | |
| NEXT_PUBLIC_COGNITO_CLIENT_ID: ${{ env.NEXT_PUBLIC_COGNITO_CLIENT_ID }} | |
| NEXT_PUBLIC_COGNITO_CLIENT_SECRET: ${{ env.NEXT_PUBLIC_COGNITO_CLIENT_SECRET }} | |
| run: cdk deploy -c env=dev | |
| - name: Display deployed CloudFront Domain name | |
| env: | |
| DOMAIN: ${{ env.CFN_DOMAINNAME }} | |
| run: echo "https://${DOMAIN}" |