name: deploy-aws on: push: branches: [main] workflow_dispatch: permissions: id-token: write # required for OIDC contents: read concurrency: group: deploy-prod cancel-in-progress: false jobs: deploy: name: SAM deploy (prod) runs-on: ubuntu-latest env: AWS_REGION: ap-southeast-1 STACK_NAME: miti99bot steps: - uses: actions/checkout@v6 - uses: actions/setup-go@v6 with: go-version: '1.25' cache: true - uses: aws-actions/setup-sam@v3 with: use-installer: true - uses: aws-actions/configure-aws-credentials@v6 with: role-to-assume: arn:aws:iam::225603493174:role/github-deploy-miti99bot aws-region: ${{ env.AWS_REGION }} - name: Build Lambda binary run: make build-lambda - name: SAM deploy env: ALERT_EMAIL: ${{ secrets.ALERT_EMAIL }} STACK_ENV: prod run: | set -euo pipefail # EventBridge Connection consumes ApiKeyValue at stack-update time # and stores it in a service-linked secret. SSM holds the canonical # value; fetch here and pass as a NoEcho CFN parameter so it never # appears in template source or stack events. CRON_SECRET=$(aws ssm get-parameter \ --name "/miti99bot/${STACK_ENV}/cron-shared-secret" \ --with-decryption --query Parameter.Value --output text) echo "::add-mask::$CRON_SECRET" # Non-secret CFN params. SAM CLI's --parameter-overrides REPLACES # samconfig.toml's parameter_overrides (does not merge), so anything # CI needs in the deployed stack must be listed here explicitly. # Telegram user IDs are public (visible to anyone the bot DMs), so # they live in this committed workflow rather than a secret. OVERRIDES="CronSharedSecret=$CRON_SECRET BotOwnerID=1064111334 AdminUserIDs=1064111334 ModulesCSV=util,misc,wordle,loldle,lolschedule,twentyq,trading,stats" if [ -n "$ALERT_EMAIL" ]; then OVERRIDES="$OVERRIDES AlertEmail=$ALERT_EMAIL" fi sam deploy --template-file template.yaml \ --no-confirm-changeset \ --no-fail-on-empty-changeset \ --parameter-overrides "$OVERRIDES" - name: Smoke test (Function URL responds) run: | URL=$(aws cloudformation describe-stacks \ --stack-name "$STACK_NAME" \ --query "Stacks[0].Outputs[?OutputKey=='FunctionUrl'].OutputValue" \ --output text) echo "FunctionUrl=$URL" curl -fsSL --max-time 30 "$URL/" | tee /tmp/smoke.json | jq . - name: Register Telegram webhook env: STACK_ENV: prod run: | set -euo pipefail URL=$(aws cloudformation describe-stacks \ --stack-name "$STACK_NAME" \ --query "Stacks[0].Outputs[?OutputKey=='FunctionUrl'].OutputValue" \ --output text) TOKEN=$(aws ssm get-parameter \ --name "/miti99bot/${STACK_ENV}/telegram-bot-token" \ --with-decryption --query Parameter.Value --output text) echo "::add-mask::$TOKEN" SECRET=$(aws ssm get-parameter \ --name "/miti99bot/${STACK_ENV}/telegram-webhook-secret" \ --with-decryption --query Parameter.Value --output text) echo "::add-mask::$SECRET" WEBHOOK_URL="${URL%/}/webhook" echo "Setting Telegram webhook to ${WEBHOOK_URL}" RESP=$(curl -fsS --max-time 30 -X POST \ "https://api.telegram.org/bot${TOKEN}/setWebhook" \ -d "url=${WEBHOOK_URL}" \ -d "secret_token=${SECRET}" \ -d 'allowed_updates=["message","callback_query"]') echo "$RESP" | jq -e '.ok == true' >/dev/null \ || { echo "setWebhook failed: $RESP"; exit 1; } echo "$RESP" | jq '{ok, result, description}' - name: Register Telegram command menu env: STACK_ENV: prod run: | set -euo pipefail TOKEN=$(aws ssm get-parameter \ --name "/miti99bot/${STACK_ENV}/telegram-bot-token" \ --with-decryption --query Parameter.Value --output text) echo "::add-mask::$TOKEN" echo "Registering Telegram commands from aws/telegram-commands.json" RESP=$(curl -fsS --max-time 30 -X POST \ "https://api.telegram.org/bot${TOKEN}/setMyCommands" \ -H 'Content-Type: application/json' \ --data-binary "@aws/telegram-commands.json") echo "$RESP" | jq -e '.ok == true' >/dev/null \ || { echo "setMyCommands failed: $RESP"; exit 1; } echo "$RESP" | jq '{ok, result, description}'