mirror of
https://github.com/tiennm99/miti99bot.git
synced 2026-06-08 08:16:03 +00:00
tiennm99
ab53d9639f
SAM CLI's --parameter-overrides replaces samconfig.toml's overrides rather than merging them, so every CI deploy reset the stack's ModulesCSV to the prior value (which predated the stats module). The live Lambda's MODULES env was missing stats, so /stats was dispatched but never handled — the module factory was never called.
125 lines
4.7 KiB
YAML
125 lines
4.7 KiB
YAML
name: deploy-aws
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
id-token: write # required for OIDC
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: deploy-prod
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
deploy:
|
|
name: SAM deploy (prod)
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
AWS_REGION: ap-southeast-1
|
|
STACK_NAME: miti99bot
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
|
|
- uses: actions/setup-go@v6
|
|
with:
|
|
go-version: '1.25'
|
|
cache: true
|
|
|
|
- uses: aws-actions/setup-sam@v3
|
|
with:
|
|
use-installer: true
|
|
|
|
- uses: aws-actions/configure-aws-credentials@v6
|
|
with:
|
|
role-to-assume: arn:aws:iam::225603493174:role/github-deploy-miti99bot
|
|
aws-region: ${{ env.AWS_REGION }}
|
|
|
|
- name: Build Lambda binary
|
|
run: make build-lambda
|
|
|
|
- name: SAM deploy
|
|
env:
|
|
ALERT_EMAIL: ${{ secrets.ALERT_EMAIL }}
|
|
STACK_ENV: prod
|
|
run: |
|
|
set -euo pipefail
|
|
# EventBridge Connection consumes ApiKeyValue at stack-update time
|
|
# and stores it in a service-linked secret. SSM holds the canonical
|
|
# value; fetch here and pass as a NoEcho CFN parameter so it never
|
|
# appears in template source or stack events.
|
|
CRON_SECRET=$(aws ssm get-parameter \
|
|
--name "/miti99bot/${STACK_ENV}/cron-shared-secret" \
|
|
--with-decryption --query Parameter.Value --output text)
|
|
echo "::add-mask::$CRON_SECRET"
|
|
# Non-secret CFN params. SAM CLI's --parameter-overrides REPLACES
|
|
# samconfig.toml's parameter_overrides (does not merge), so anything
|
|
# CI needs in the deployed stack must be listed here explicitly.
|
|
# Telegram user IDs are public (visible to anyone the bot DMs), so
|
|
# they live in this committed workflow rather than a secret.
|
|
OVERRIDES="CronSharedSecret=$CRON_SECRET BotOwnerID=1064111334 AdminUserIDs=1064111334 ModulesCSV=util,misc,wordle,loldle,lolschedule,twentyq,trading,stats"
|
|
if [ -n "$ALERT_EMAIL" ]; then
|
|
OVERRIDES="$OVERRIDES AlertEmail=$ALERT_EMAIL"
|
|
fi
|
|
sam deploy --template-file template.yaml \
|
|
--no-confirm-changeset \
|
|
--no-fail-on-empty-changeset \
|
|
--parameter-overrides "$OVERRIDES"
|
|
|
|
- name: Smoke test (Function URL responds)
|
|
run: |
|
|
URL=$(aws cloudformation describe-stacks \
|
|
--stack-name "$STACK_NAME" \
|
|
--query "Stacks[0].Outputs[?OutputKey=='FunctionUrl'].OutputValue" \
|
|
--output text)
|
|
echo "FunctionUrl=$URL"
|
|
curl -fsSL --max-time 30 "$URL/" | tee /tmp/smoke.json | jq .
|
|
|
|
- name: Register Telegram webhook
|
|
env:
|
|
STACK_ENV: prod
|
|
run: |
|
|
set -euo pipefail
|
|
URL=$(aws cloudformation describe-stacks \
|
|
--stack-name "$STACK_NAME" \
|
|
--query "Stacks[0].Outputs[?OutputKey=='FunctionUrl'].OutputValue" \
|
|
--output text)
|
|
TOKEN=$(aws ssm get-parameter \
|
|
--name "/miti99bot/${STACK_ENV}/telegram-bot-token" \
|
|
--with-decryption --query Parameter.Value --output text)
|
|
echo "::add-mask::$TOKEN"
|
|
SECRET=$(aws ssm get-parameter \
|
|
--name "/miti99bot/${STACK_ENV}/telegram-webhook-secret" \
|
|
--with-decryption --query Parameter.Value --output text)
|
|
echo "::add-mask::$SECRET"
|
|
WEBHOOK_URL="${URL%/}/webhook"
|
|
echo "Setting Telegram webhook to ${WEBHOOK_URL}"
|
|
RESP=$(curl -fsS --max-time 30 -X POST \
|
|
"https://api.telegram.org/bot${TOKEN}/setWebhook" \
|
|
-d "url=${WEBHOOK_URL}" \
|
|
-d "secret_token=${SECRET}" \
|
|
-d 'allowed_updates=["message","callback_query"]')
|
|
echo "$RESP" | jq -e '.ok == true' >/dev/null \
|
|
|| { echo "setWebhook failed: $RESP"; exit 1; }
|
|
echo "$RESP" | jq '{ok, result, description}'
|
|
|
|
- name: Register Telegram command menu
|
|
env:
|
|
STACK_ENV: prod
|
|
run: |
|
|
set -euo pipefail
|
|
TOKEN=$(aws ssm get-parameter \
|
|
--name "/miti99bot/${STACK_ENV}/telegram-bot-token" \
|
|
--with-decryption --query Parameter.Value --output text)
|
|
echo "::add-mask::$TOKEN"
|
|
echo "Registering Telegram commands from aws/telegram-commands.json"
|
|
RESP=$(curl -fsS --max-time 30 -X POST \
|
|
"https://api.telegram.org/bot${TOKEN}/setMyCommands" \
|
|
-H 'Content-Type: application/json' \
|
|
--data-binary "@aws/telegram-commands.json")
|
|
echo "$RESP" | jq -e '.ok == true' >/dev/null \
|
|
|| { echo "setMyCommands failed: $RESP"; exit 1; }
|
|
echo "$RESP" | jq '{ok, result, description}'
|