main.yaml

#  vim:ts=2:sts=2:sw=2:et
#
#  Author: Hari Sekhon
#  Date: [% DATE  # Tue Feb 4 09:53:28 2020 +0000 %]
#
#  [% URL  # https://github.com/HariSekhon/GitHub-Actions %]
#
#  License: see accompanying Hari Sekhon LICENSE file
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
#  https://www.linkedin.com/in/HariSekhon
#

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
#
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

# MarketPlace:  https://github.com/marketplace?type=actions
#               https://github.com/marketplace?query=publisher%3Aactions&type=actions

---
# XXX: Edit - badges appear with this name
name: My Workflow

# ============================================================================ #
#                             E n v i r o n m e n t
# ============================================================================ #

# https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
#
# https://docs.github.com/en/actions/learn-github-actions/contexts#github-context
#
# GITHUB_WORKFLOW = name of the workflow (set at top of this file)
# GITHUB_REPOSITORY = owner/repo
# GITHUB_SHA
# GITHUB_REF_NAME (branch or tag)
# GITHUB_REF_TYPE="branch"/"tag"
# RUNNER_NAME
# RUNNER_OS
# RUNNER_ARCH
#
# XXX: can't reference other environment variable to compose larger ones, must be done as a step based workaround, see Steps section of build further down
# XXX: not accessible in 'with' steps or called workflows
env:
  repo: bash-tools
  APP: myapp
  ENV: dev
  # workflow_dispatch passes even boolean as string, and fromJSON() only works for true/false strings otherwise breaks whole workflow
  DEBUG: ${{ inputs.debug != 'false' || github.event.inputs.debug != 'false' || '' }}

  # or generate dynamic image including the registry, see step section
  DOCKER_IMAGE: myimage
  # must generate in Steps
  #DOCKER_TAG: ${{env.GITHUB_SHA}}
  # Docker Container Registry
  #DOCKER_IMAGE: "${{env.GHCR_REGISTRY}}/${{env.APP}}"
  # GCP
  #DOCKER_IMAGE: "${{env.GCR_REGISTRY}}/${{env.CLOUDSDK_CORE_PROJECT}}/${{env.APP}}"
  # DockerHub
  #DOCKER_IMAGE: "harisekhon/${{env.APP}}"

  DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
  DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

  GHCR_REGISTRY: ghcr.io/harisekhon

  # or configure via aws-actions/configure-aws-credentials in Setup section
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  GCP_SERVICEACCOUNT_KEY: ${{ secrets.GCP_SERVICEACCOUNT_KEY }}
  GITHUB_USER: ${{ secrets.GITHUB_USER }}
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  CLOUDFLARE_API_KEY: ${{ secrets.CLOUDFLARE_API_KEY }}

  AWS_DEFAULT_REGION: eu-west-2  # London
  # use secrets from Environments as dynamic variables to share workflow across environments
  #AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}  # or generate this from aws access keys (see Generate steps further down)
  #AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
  #
  # must generate in Steps in order to compose like this
  #AWS_ECR_REGISTRY: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ $AWS_DEFAULT_REGION }}.amazonaws.com
  #DOCKER_IMAGE: ${{ env.AWS_ECR_REGISTRY }}/${{ env.APP }}
  #
  #AWS_DEFAULT_OUTPUT: json
  #AWS_MAX_ATTEMPTS: 3
  #AWS_EKS_CLUSTER: mycluster

  CLOUDSDK_CORE_PROJECT: mycompany-dev
  CLOUDSDK_COMPUTE_REGION: europe-west2
  #CLOUDSDK_COMPUTE_ZONE: "${{env.CLOUDSDK_COMPUTE_REGION}}-a" # or b or c
  #CLOUDSDK_CONTAINER_CLUSTER: myGKEcluster
  GCR_REGISTRY: eu.gcr.io

  #JDBC_URL: jdbc:mysql://x.x.x.x:3306/my_db
  JDBC_URL: jdbc:postgres://x.x.x.x:5432/my_db

  # or set in argocd job
  ARGOCD_SERVER: argocd.domain.com
  ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}

  ARTIFACTORY_URL: https://artifactory.domain.com:8082/artifactory/
  ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}

  #SELENIUM_HUB_URL: http://x.x.x.x:4444/wd/hub/
  #SELENIUM_HUB_URL: https://x.x.x.x/wd/hub/

  TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
  TF_IN_AUTOMATION: "1"
  TF_WORKSPACE: ${{ env.ENV }}  # run same code against multiple environments

  # for Git Merge branch jobs
  #
  GIT_USERNAME: 'GitHub Actions'
  GIT_EMAIL: 'platform-engineering@MYCOMPANY.CO.UK'

  # prevent script injection from inputs - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
  SANITIZED_INPUT: ${{ inputs.someuntrusted || github.event.inputs.someuntrusted }}

# ============================================================================ #
#                                T r i g g e r s
# ============================================================================ #

# https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows

on:
  push:
    branches:
      - master
      - dev
      - staging
      - production
      - main
      - '*docker*'  # glob requires quoting, only run on branches with docker in the name
    paths:
      - '*'  # only run when changes have happened on matching paths, this glob misses hidden directories though such as .github/workflows

  pull_request:
    branches:
      - master
      - main
      - dev
      - staging
      - production
    paths:
      - '*'  # only run when changes have happened on matching paths, this glob misses hidden directories though such as .github/workflows

  # triggered from another workflow for cross-workflow dependencies
  workflow_run:
    workflows:
      - my-other-workflow
    types:
      - completed
    branches:
      - 'releases/**'
      - '!releases/**-alpha'

  # https://docs.github.com/en/actions/using-workflows/reusing-workflows#creating-a-reusable-workflow
  workflow_call:
    # accessible as ${{ inputs.* }}
    # XXX: don't mention ${{ env.blah }} or ${{ secrets.BLAH }} in the descriptions, as it'll try to interpolate them and fail
    inputs:
      repo:
        description: The ECR repository, without the 'xxx.dkr.ecr.<region>.amazonaws.com' prefix
        type: string
        required: true
      # workflow_dispatch pass through sends a string instead of boolean due to this issue:
      #
      #   https://github.com/actions/runner/issues/1483
      #
      # so to avoid forcing all calling workflows to have casting expressions such as
      #
      #   ${{ github.event.inputs.debug && fromJSON(github.event.inputs.debug) || false }}
      #
      # use more forgiving string type instead of boolean and cast in reusable workflow
      debug:
        #type: boolean
        type: string
        required: false
        default: false
    secrets:
      aws_access_key_id:
        required: true
      aws_secret_access_key:
        required: true
      aws_default_region:
        required: true

  # https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow#running-a-workflow
  workflow_dispatch:  # needs to be in default branch before you get the UI option to manually run though
    # accessible as ${{ github.events.inputs.* }}
    inputs:
      repo:
        description: The ECR repository, without the 'xxx.dkr.ecr.<region>.amazonaws.com' prefix
        type: string
        required: true
      debug:
        type: boolean
        required: false
        default: false

  schedule:
    # * is a special character in YAML so you have to quote this string
    - cron: '0 0 * * 1'

# ============================================================================ #
#                             P e r m i s s i o n s
# ============================================================================ #

# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#assigning-permissions-to-a-specific-job

# use minimal permissions at workflow / jobs level
permissions:
  contents: read

  #actions: read|write|none
  #checks: read|write|none
  #contents: read|write|none
  #deployments: read|write|none
  #id-token: read|write|none
  #issues: read|write|none
  #discussions: read|write|none
  #packages: read|write|none
  #pages: read|write|none
  #pull-requests: read|write|none
  #repository-projects: read|write|none
  #security-events: read|write|none
  #statuses: read|write|none


# ============================================================================ #
#                             C o n c u r r e n c y
# ============================================================================ #

# XXX: cancels previous builds that haven't started even if cancel-in-progress is set to false
concurrency:
  # XXX: don't set this to the same group in a reusable workflow and calling workflow, that will result in a deadlock
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: false  # build auto-cancellation - enabling this causes false-positive badge failure statuses


# ============================================================================ #
#                                D e f a u l t s
# ============================================================================ #

# doesn't affect imported actions
defaults:
  run:
    # Bash not available on Alpine
    # catch subshell failures in short steps such as 'Generating env vars'
    shell: bash -euxo pipefail {0}
    #shell: perl {0}
    #shell: python {0}
    #working-directory: /var/jenkins_home  # $GITHUB_WORKSPACE


# ============================================================================ #
#                                    J o b s
# ============================================================================ #

jobs:
  reusable_workflow:
    if: github.event.repository.fork == false
    name: NAME
    uses: HariSekhon/GitHub-Actions/.github/workflows/some-workflow.yaml@master
    with:
      # don't cast in calling workflow any more, reusable workflows are using debug string and handling the comparison
      #debug: ${{ github.event.inputs.debug && fromJSON(github.event.inputs.debug) || false }}
      debug: ${{ github.event.inputs.debug }}

  build:
    name: Build
    #needs: [job1, job2]  # dependency jobs
    environment:
      name: production  # use Environment with approval and different Secrets - add this to Deploy stage to allow the build to progress
    timeout-minutes: 10

    # XXX: Conditionals must use single quotes for strings or get an error - Unexpected symbol: '"string"'
    # stops this workflow running on manual workflow_dispatch on the wrong branch (eg. to stop it invalidating the Docker build cache, update: solved now because I use many tags to cache)
    if: ( github.ref_name == 'master' || github.ref_name == 'main' || github.ref_name == 'docker' ) && github.event.repository.fork == false
    #if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main'

    # if triggered from another workflow using workflow_run above, check that workflow succeeded before running
    #if: ${{ github.event.workflow_run.conclusion == 'success' }}

    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
    permissions:
      contents: read
      # both needed for code scanning tools to write GitHub Security tab alerts (eg. https://github.com/HariSekhon/GitHub-Actions/blob/master/.github/workflows/tfsec.yaml)
      #actions: read
      #security-events: write

    # job-specific environment variables
    #env:
    #  key: value


    # ============================================================================ #
    #               Chooser Runner - OS, Language, Matrix etc.
    # ============================================================================ #

    runs-on: ubuntu-latest
#    runs-on: ${{ matrix.os }}
#    strategy:
#      matrix:
#        os: [ubuntu-latest, ubuntu-18.04, ubuntu-20.04]
#        python-version: ['2.7', '3.7', '3.8', '3.9', '3.10', 'pypy-2.7', 'pypy-3.8']
#        #node: [6, 8, 10]
    container: centos

    # run on a private container image hosted on GHCR - credentials are the same as would be provided to docker login command
    #container:
    #  image: ghcr.io/owner/image
    #  username: ${{ github.actor }}
    #  password: ${{ secrets.github_token }}


    # ============================================================================ #
    #                                S e r v i c e s
    # ============================================================================ #

    # access this service via 'localhost:${{ job.services.postgres.ports[5432] }}'

    services:
      postgres:
        image: postgres:13
        env:
          POSTGRES_USER: ${{ secret.POSTGRES_USER }}          # postgres
          POSTGRES_PASSWORD: ${{ secret.POSTGRES_PASSWORD }}  # postgres
          POSTGRES_DB: ${{ secret.POSTGRES_DB }}              # postgres
        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
        ports:
          - 5432/tcp  # will choose a random port on the host, reference it via ${{ job.services.postgres.ports[5432] }}


    # ============================================================================ #
    #                                   S t e p s
    # ============================================================================ #

    # use: 3rdparty/repo@<tag/branch/SHA>  # XXX: GitHub recommends SHA for 3rd party actions for security
    steps:

      # XXX: WARNING: do not dump contexts into public logs in case they contain sensitive data

      - name: Dump GitHub context
        #run: echo '${{ toJSON(github) }}'
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"

      - name: Dump job context
        #run: echo '${{ toJSON(job) }}'
        env:
          JOB_CONTEXT: ${{ toJson(job) }}
        run: echo "$JOB_CONTEXT"

      - name: Dump steps context
        #run: echo '${{ toJSON(steps) }}'
        env:
          STEPS_CONTEXT: ${{ toJson(steps) }}
        run: echo "$STEP_CONTEXT"

      - name: Dump runner context
        #run: echo '${{ toJSON(runner) }}'
        env:
          RUNNER_CONTEXT: ${{ toJson(runner) }}
        run: echo "$RUNNER_CONTEXT"

      - name: Dump strategy context
        #run: echo '${{ toJSON(strategy) }}'
        env:
          STRATEGY_CONTEXT: ${{ toJson(strategy) }}
        run: echo "$STRATEGY_CONTEXT"

      - name: Dump matrix context
        #run: echo '${{ toJSON(matrix) }}'
        env:
          MATRIX_CONTEXT: ${{ toJson(matrix) }}
        run: echo "$MATRIX_CONTEXT"

      # ============================================================================ #
      #                                  S e t u p
      # ============================================================================ #
      #
      # do checkout first so we can generate dynamic environment variables for branch, tags, SHA etc.
      # https://github.com/marketplace/actions/checkout
      - uses: actions/checkout@v2
        #name: Git Checkout  # better to show the action@version
        with:
          submodules: 'true'  # requires Git 2.18+ to be installed first
          #remote: true
          # if not ia publicly https:// accessible repo, give a token to fetch the submodule - needs to be a personal access token because the autogenerated GITHUB_TOKEN is restricted to the local repo
          #token: ${{ secrets.PAT_TOKEN }}
          #
          #fetch-depth: 0  # fetch all history & branches, instead of just the ref/SHA for this build

      # for OS with Git < 2.18, actions/checkout uses an API download tarball which will screw up your git commands such as 'git submodule init'
      # in these cases, you can emulate the correct checkout behaviour on older versions of Git like so:
      - name: Git Checkout
        run: git clone "https://$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY" "$GITHUB_WORKSPACE"

      # checkout another repo
      #- uses: actions/checkout@v2
      #  with:
      #    repository: owner/repo
      #    ref: master
      #    submodules: 'true'
      #    ssh-key: ''
      #    path: ''  # to checkout dir under $GITHUB_WORKSPACE, if absolute dir outside or $GITHUB_WORKSPACE gets error:
                     #    Error: Repository path '/var/jenkins_home/jenkins' is not under '/__w/Jenkins/Jenkins'

      # https://github.com/aws-actions/configure-aws-credentials#configure-aws-credentials-action-for-github-actions
      - uses: aws-actions/configure-aws-credentials@v1
        #name: Configure AWS credentials
        with:
          # https://github.com/aws-actions/configure-aws-credentials/blob/master/action.yml
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          #role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/my-github-actions-role
           #role-duration-seconds: 43200 # default: 21600 (6 hours), but you could have a session valid token for 12 hours

      - name: AWS CLI version
        run: aws --version
      - name: Docker version
        run: docker --version
      - name: AWS CLI whoami
        run: aws sts get-caller-identity

      # https://github.com/marketplace/actions/setup-python
      - uses: actions/setup-python@v2
        #name: Setup Python
        with:
          python-version: '3.x' # Version range or exact version of a Python version to use, using SemVer's version range syntax
          #python-version: ${{ matrix.python-version }}

      # https://github.com/marketplace/actions/setup-java-jdk
      - uses: actions/setup-java@v2
        #name: Setup Java
        with:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '17'  # 8, 11, 16, 17

      # https://github.com/marketplace/actions/setup-node-js-environment
      #
      - uses: actions/setup-node@v2
        #name: Setup NodeJS
        with:
          node-version: '14'

      # ============================================================================ #
      #                                 B u i l d
      # ============================================================================ #

      # all run steps seem to operate with 'set -e'

      # Create Dynamic Environment Variables by echo'ing KEY=VALUE >> "$GITHUB_ENV"
      #                                     ... jq ... | tee --append "$GITHUB_ENV"
      #
      # XXX: WARNING: echo/printf suppress subshell failures even with -o pipefail
      - name: Generate env GITHUB_SHA_SHORT
        run: echo "GITHUB_SHA_SHORT=${GITHUB_SHA:0:6}" >> "$GITHUB_ENV"
      - name: Generate env GITHUB_REPO
        run: echo "GITHUB_REPO=${GITHUB_REPOSITORY##*/}" >> "$GITHUB_ENV"
        #
        # step-specific environment variables
        #env:
        #  key: value

      - name: Environment
        #if: ${{ env.DEBUG == true }}
        #if: (github.actor != 'dependabot[bot]')  # skip any PR created by dependabot
        #if: github.event_name == 'push' && contains(toJson(github.event.commits), '***NO_CI***') == false && contains(toJson(github.event.commits), '[ci skip]') == false && contains(toJson(github.event.commits), '[skip ci]') == false
        # multi-line scripts start with |
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*release
          echo
          echo "Environment Variables:"
          echo
          env | sort

      - name: Install git & make
        run: yum install -y git make

      - name: Git Checkout
        run: git clone "https://$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY" "$GITHUB_WORKSPACE"

      # 'cd' in one step, is ignored in the next step, which ends up back in $GITHUB_WORKSPACE, regardless of whether you inject a new value for $GITHUB_WORKSPACE

      - name: Init
        run: make init

      - name: Build
        run: make build

      - name: Test
        run: make test

      - name: Job Failed
        if: ${{ failure() }}
        run: echo 'run a notify command or action here'

  # ============================================================================ #
  #                                D o c k e r
  # ============================================================================ #

  # Call reusable workflow
  dockerhub_build:
    name: Docker Build
    # XXX: stop this workflow being manually run on other branches if workflow_dispatch is defined
    if: ( github.ref_name == 'master' || github.ref_name == 'main' || github.ref_name == 'docker' ) && github.event.repository.fork == false
    uses: HariSekhon/GitHub-Actions/.github/workflows/docker_build.yaml@master
    with:
      repo: harisekhon/bash-tools
      tags: alpine
      dockerfile-repo: HariSekhon/Dockerfiles
      context: Dockerfiles/devops-bash-tools-alpine
    secrets:
      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
    permissions:
      contents: read
      packages: write

  docker_build_aws_ecr:
    name: Docker Build -> AWS ECR
    # XXX: stop this workflow being manually run on other branches if workflow_dispatch is defined
    if: ( github.ref_name == 'master' || github.ref_name == 'main' || contains(github.ref_name, 'docker') ) && github.event.repository.fork == false
    # XXX: path must include /.github/workflows/ and @<branch/tag/hashref>, otherwise you may get these errors:
    #       invalid value workflow reference: references to workflows must be rooted in '.github/workflows'
    #       invalid value workflow reference: no version specified
    uses: HariSekhon/GitHub-Actions/.github/workflows/docker_build_aws_ecr.yaml@master
    with:
      #repo: ${{ env.APP }}  # env not accessible here
      repo: MYREPO
      max-cache: false  # true uses GHCR for registry cache with mode=max for multi-stage build caching since ECR doesn't support this
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
    permissions:
      contents: read
      packages: write  # needed for GHCR access if using max-cache: true

  docker_build:
    if: github.event.repository.fork == false
    name: Docker Build
    #needs: [job1, job2]  # dependency jobs
    timeout-minutes: 10
    runs-on: ubuntu-latest
    env:
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
    steps:
      # docker/build-push-action does the checkout for you, but if you want to dynamically generate extra tags you need this checkout first
      - uses: actions/checkout@v2
        with:
          submodules: 'true'  # requires Git 2.18+ to be installed first

      # XXX: WARNING: echo/printf suppress subshell failures even with -o pipefail
      - name: Generate environment variable AWS_ACCOUNT_ID
        run: |
          AWS_ACCOUNT_ID="$(aws sts get-caller-identity | jq -r .Account)"
          echo "AWS_ACCOUNT_ID=$AWS_ACCOUNT_ID" >> "$GITHUB_ENV"
      - name: Generate environment variable AWS_ECR_REGISTRY
        run: echo "AWS_ECR_REGISTRY=${{env.AWS_ACCOUNT_ID}}.dkr.ecr.${{env.AWS_DEFAULT_REGION}}.amazonaws.com" >> "$GITHUB_ENV"
      - name: Generate environment variable GHCR_REGISTRY$
        run: echo "GHCR_REGISTRY=ghcr.io/${{ github.repository_owner }}" >> "$GITHUB_ENV"
      - name: Generate environment variable DOCKER_IMAGE
        run: echo "DOCKER_IMAGE=${{ env.AWS_ECR_REGISTRY }}/${{ env.APP }}" >> "$GITHUB_ENV"
      # XXX: if using:
      #         type=registry,ref=${{env.DOCKER_IMAGE_CACHE}}:buildcache,mode=max
      #       then set DOCKER_IMAGE_CACHE to GHCR because ECR doesn't support external registry cache export for mode=max
      #- name: Generate environment variable DOCKER_IMAGE_CACHE
      #  run: echo "DOCKER_IMAGE_CACHE=${{ env.GHCR_REGISTRY }}/${{ env.APP }}" >> "$GITHUB_ENV"
        #run: echo "DOCKER_IMAGE_CACHE=${{ env.AWS_ECR_REGISTRY }}/${{ env.APP }}-cache" >> $GITHUB_ENV  # doesn't work, ECR simply doesn't support it

      # don't need this any more, just use ${{ github.sha }} instead which is more readily available
      # $GITHUB_SHA is shown in environment dump but evaluates to blank, so use our own generated env var instead
      #- name: Generate environment variable GIT_SHA
      #  run: echo "GIT_SHA=$(git rev-parse HEAD)" >> "$GITHUB_ENV"
      #  # this works too
      #  run: echo "GIT_SHA=$GITHUB_SHA" >> "$GITHUB_ENV"

      # use ${{ github.ref_name }} instead which comes out to the branch or tag (${{github.ref_type}} == 'branch' if you check the github context dump above)
      #- name: Generate environment variable GIT_BRANCH
      #  run: echo "GIT_BRANCH=$(git rev-parse --abbrev-ref HEAD)" >> "$GITHUB_ENV"
      #- name: Generate environment variable GIT_TAG
      #  run: echo "GIT_TAG=$(git tag --points-at HEAD)" >> "$GITHUB_ENV"

      - name: Generate environment variable EPOCH
        run: echo "EPOCH=$(date --utc '+%s')" >> "$GITHUB_ENV"
      - name: Generate environment variable DATESTAMP
        run: echo "DATESTAMP=$(date --utc --date="@${{env.EPOCH}}" '+%FT%H%M%SZ')" >> "$GITHUB_ENV"
      - name: Generate environment variable TIMESTAMP
        run: echo "TIMESTAMP=$(date --utc --date="@${{env.EPOCH}}" '+%F')" >> "$GITHUB_ENV"

      # ======== Docker Actions =========
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      # ===================
      # Login to Registries
      # https://github.com/docker/login-action#usage
      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # https://github.com/docker/login-action#github-container-registry
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # https://github.com/docker/login-action#gitlab
      - name: Login to GitLab
        uses: docker/login-action@v1
        with:
          registry: registry.gitlab.com
          username: ${{ secrets.GITLAB_USERNAME }}
          password: ${{ secrets.GITLAB_PASSWORD }}

      # https://github.com/docker/login-action#azure-container-registry-acr
      - name: Login to ACR
        uses: docker/login-action@v1
        with:
          registry: <registry-name>.azurecr.io
          username: ${{ secrets.AZURE_CLIENT_ID }}
          password: ${{ secrets.AZURE_CLIENT_SECRET }}

      # GCR is deprecated, use GAR below instead
      # https://github.com/docker/login-action#google-container-registry-gcr
      - name: Login to GCR
        uses: docker/login-action@v1
        with:
          registry: gcr.io
          username: _json_key  # or _json_key_base64 if you base64 encoded the credentials file before upload
          password: ${{ secrets.GCR_JSON_KEY }}  # upload entire downloaded credentials key to GitHub Secrets

      # https://github.com/docker/login-action#google-artifact-registry-gar
      - name: Login to GAR
        uses: docker/login-action@v1
        with:
          registry: europe-docker.pkg.dev  # us-docker.pkg.dev / asia-docker.pkg.dev
          username: _json_key  # or _json_key_base64 if you base64 encoded the credentials file before upload
          password: ${{ secrets.GAR_JSON_KEY }}  # upload entire downloaded credentials key to GitHub Secrets

      # https://github.com/docker/login-action#aws-elastic-container-registry-ecr
      - name: Login to ECR
        uses: docker/login-action@v1
        with:
          #registry: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_DEFAULT_REGION }}.amazonaws.com  # XXX: make sure to set these env vars
          registry: ${{ env.AWS_ECR_REGISTRY }}  # XXX: should be generated by an earlier step
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          # if you need to log in to multiple ECR accounts
          #env:
          #  AWS_ACCOUNT_IDS: 012345678910,023456789012

      # https://github.com/docker/login-action#aws-public-elastic-container-registry-ecr
      - name: Login to Public ECR
        uses: docker/login-action@v1
        with:
          registry: public.ecr.aws
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          AWS_REGION: ${{ env.AWS_DEFAULT_REGION }}

      # ============
      # Build & Push
      - name: Docker Build & Push
        #run: bin/docker_build_push_ecr.sh
        uses: docker/build-push-action@v2
        with:
          #context: .  # defaults to the git context path
          #context: {{defaultContext}}:docker  # docker/ directory subpath under the default context
          #file: Dockerfile
          #build-args:
          #
          # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md
          #
          #cache-from: type=local,src=path/to/dir
          #cache-to: type=local,dest=path/to/dir  # XXX: continues to grow, must add a move action afterwards
          #
          cache-from: |
            type=registry,ref=${{env.DOCKER_IMAGE}}:latest
            type=registry,ref=${{env.DOCKER_IMAGE}}:${{github.ref_name}}
            type=registry,ref=${{env.DOCKER_IMAGE}}:${{github.sha}}
          cache-to: type=inline  # fine for most use cases, switch to mode=max below for multi-stage builds, but requires an external image cache that ECR doesn't support
                  # type=gha,mode=max  # experimental at time of writing, results in this error:
                  #   Error: buildx failed with: error: failed to solve: error writing layer blob: Patch "https://artifactcache.actions.githubusercontent.com/.../_apis/artifactcache/caches/3": read tcp <ip_x.x.x.x>:43810-><ip_x.x.x.x>:443: use of closed network connection
          #
          #cache-from: type=registry,ref=${{env.DOCKER_IMAGE_CACHE}}:buildcache
          #cache-to: type=registry,ref=${{env.DOCKER_IMAGE_CACHE}}:buildcache,mode=max  # XXX: fails to push to ECR which doesn't support external registry cache export, so set to GHCR for cache instead
          #
          #
          # Can't use multiple 'cache-to' lines otherwise hit this error:
          #
          #   Error: buildx failed with: error: failed to solve: specifying multiple cache exports is not supported currently
          #cache-to: |
          #  type=registry,ref=${{env.DOCKER_IMAGE_CACHE}}:latest
          #  type=registry,ref=${{env.DOCKER_IMAGE_CACHE}}:${{github.ref_name}}
          #  type=registry,ref=${{env.DOCKER_IMAGE_CACHE}}:${{github.sha}}
          #
          #no-cache: false
          #pull: true  # default: false  # use this or local cache but not both
          push: true  # default: false
          # tags is a CSV or List where List is a newline delimited string
          tags: |
            ${{env.DOCKER_IMAGE}}:latest
            ${{env.DOCKER_IMAGE}}:${{github.ref_name}}
            ${{env.DOCKER_IMAGE}}:${{github.sha}}
            ${{env.DOCKER_IMAGE}}:${{env.EPOCH}}
            ${{env.DOCKER_IMAGE}}:${{env.DATESTAMP}}
            ${{env.DOCKER_IMAGE}}:${{env.TIMESTAMP}}
          # set GIT_AUTH_TOKEN if checkout out from another repo (uses local ${{github.token}} otherwise)
          #secrets: |
          #    GIT_AUTH_TOKEN=${{ secrets.PAT_TOKEN }}

      # ======== or inline Script =========
      # or consider using an external script to do all of the below like aws_ecr_docker_build_push.sh from DevOps Bash tools repo - https://github.com/HariSekhon/DevOps-Bash-tools
      #
      # see Setup section above for more info
      - uses: aws-actions/configure-aws-credentials@v1
        #name: Configure AWS credentials
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}

      # doing this in 2 steps so we can differentiate AWS CLI failures from Docker CLI failures
      - name: AWS ECR password
        run: echo "AWS_ECR_PASSWORD=$(aws ecr get-login-password --region "${{env.AWS_DEFAULT_REGION}}")" >> "$GITHUB_ENV"
      - name: Docker Login ECR
        run: docker login "${{env.AWS_ECR_REGISTRY}}" -u AWS -p "${{env.AWS_ECR_PASSWORD}}"
      - name: Docker Login GHCR
        run: docker login ghcr.io -u "${{env.GITHUB_USER}}" -p "${{env.GITHUB_TOKEN}}"

      # don't split Docker Login to separate job as it may happen on a separate machine, resulting in a docker push error of 'no basic auth credentials'
      # also can't dynamically create AWS_ECR_REGISTRY env var for 2 jobs, would have to set statically in workflow env or duplicate generation in each job
      - name: Login to DockerHub
        run: docker login -u "${{ env.DOCKERHUB_USER }}" -p "${{ env.DOCKERHUB_TOKEN }}"

      - name: Docker Build
        run: |
          export DOCKER_BUILDKIT=1
          docker build . -f Dockerfile \
                         -t "${{env.DOCKER_IMAGE}}:latest" \
                         --cache-from "${{env.DOCKER_IMAGE}}:latest" \
                         --cache-from "${{env.DOCKER_IMAGE}}:${{github.ref_name}}" \
                         --cache-from "${{env.DOCKER_IMAGE}}:${{github.sha}}" \
                         --cache-from "${{env.DOCKER_IMAGE}}:${{env.EPOCH}}" \
                         --cache-from "${{env.DOCKER_IMAGE}}:${{env.DATESTAMP}}" \
                         --cache-from "${{env.DOCKER_IMAGE}}:${{env.TIMESTAMP}}" \
                         --build-arg BUILDKIT_INLINE_CACHE=1

      - name: Docker Tagging
        run: |
          set -eux
          # env.GIT_TAG is not quoted in case it's blank
          for tag in \
                    "${{github.ref_name}}" \
                    "${{github.sha}}" \
                    "${{env.EPOCH}}" \
                    "${{env.DATESTAMP}}" \
                    "${{env.TIMESTAMP}}" \
                    latest; do \
              docker tag "${{env.DOCKER_IMAGE}}:latest" "${{env.DOCKER_IMAGE}}:$tag"
          done

      - name: Docker Push Tags
        # push latest last for an atomic cutover of latest once new tags are available
        run: |
          set -eux
          # env.GIT_TAG is not quoted in case it's blank
          for tag in \
                    "${{github.ref_name}}" \
                    "${{github.sha}}" \
                    "${{env.EPOCH}}" \
                    "${{env.DATESTAMP}}" \
                    "${{env.TIMESTAMP}}" \
                    latest; do \
                      docker push "${{env.DOCKER_IMAGE}}:$tag"
          done

      # ======== Scan after build =========
      - name: Docker Scan
        run: docker scan "${{env.DOCKER_IMAGE}}:latest"  # requires docker-scan-cli plugin (see HariSekhon/DevOps-Bash-tools setup/install_docker_scan.sh)

  # ============================================================================ #
  #                                  D e p l o y
  # ============================================================================ #

  deploy:
    if: github.event.repository.fork == false
    name: Deploy
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: production  # set up Environment 'production' to require approval to wait here
    timeout-minutes: 10
    steps:
      - name: Deploy
        run: kubectl apply -f ./

  argocd:
    if: github.event.repository.fork == false
    name: ArgoCD Deploy
    needs: build
    runs-on: ubuntu-latest
    container: argoproj/argocd:v2.0.3
    environment:
      name: production  # set up Environment 'production' to require approval to wait here
    env:
      # or set in global env at top
      ARGOCD_SERVER: argocd.domain.com
      ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
    timeout-minutes: 10
    steps:
      - name: ArgoCD Sync
        run: argocd app sync "$APP" --grpc-web --force
      - name: ArgoCD Wait
        run: argocd app wait "$APP" --grpc-web --timeout 600

  # ============================================================================ #
  #                               G i t   M e r g e
  # ============================================================================ #

  merge_production_to_staging:
    if: github.ref_name == 'production'
    name: Merge Production Branch to Staging Branch (hotfix backports)
    uses: HariSekhon/GitHub-Actions/.github/workflows/merge-branch.yaml@master
    with:
      head: production
      base: staging

  # ============================================================================ #
  #                                V a l i d a t e
  # ============================================================================ #

  validate:
    if: github.event.repository.fork == false
    name: Validate
    uses: HariSekhon/GitHub-Actions/.github/workflows/validate.yaml@master
    with:
      debug: ${{ github.event.inputs.debug && fromJSON(github.event.inputs.debug) || false }}

  # ============================================================================ #
  #                               T e r r a f o r m
  # ============================================================================ #

  terraform:
    if: github.event.repository.fork == false
    name: Terraform
    uses: HariSekhon/GitHub-Actions/.github/workflows/terraform_plan_apply.yaml@master

  # ============================================================================ #
  #                                   T F s e c
  # ============================================================================ #

  tfsec:
    if: github.event.repository.fork == false
    name: tfsec
    uses: HariSekhon/GitHub-Actions/.github/workflows/tfsec.yaml@master
    permissions:
      actions: read
      contents: read
      security-events: write

  # on: [pull_request]
  tfsec_pr_commenter:
    if: github.event.repository.fork == false
    name: tfsec PR commenter
    uses: HariSekhon/GitHub-Actions/.github/workflows/tfsec-pr-commenter.yaml@master
    permissions:
      actions: read
      contents: read
      security-events: write

  # ============================================================================ #
  #                                   T r i v y
  # ============================================================================ #

  trivy:
    name: Trivy AWS ECR
    if: ( github.ref_name == 'main' || contains(github.ref_name, 'docker') ) && github.event.repository.fork == false
    needs:
      - docker_build
    uses: HariSekhon/GitHub-Actions/.github/workflows/trivy_aws_ecr.yaml@master
    with:
      repo: myapp  # will figure out the ECR path from the secrets below
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
    permissions:
      actions: read
      contents: read
      security-events: write

  # ============================================================================ #
  #                                 C h e c k o v
  # ============================================================================ #

  checkov:
    if: github.event.repository.fork == false
    name: Checkov Scan
    uses: HariSekhon/GitHub-Actions/.github/workflows/checkov.yaml@master
    #with:
    #  framework: terraform
    permissions:
      actions: read
      contents: read
      security-events: write

  # ============================================================================ #
  #                                 S e m g r e p
  # ============================================================================ #

  semgrep:
    if: github.event.repository.fork == false
    name: Semgrep GitHub Security Tab
    uses: HariSekhon/GitHub-Actions/.github/workflows/semgrep.yaml@master
    permissions:
      actions: read
      contents: read
      security-events: write

  semgrep_cloud:
    if: github.event.repository.fork == false
    name: Semgrep Cloud
    uses: HariSekhon/GitHub-Actions/.github/workflows/semgrep-cloud.yaml@master
    secrets:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

  # ============================================================================ #
  #                              R e v i e w   D o g
  # ============================================================================ #

  reviewdog:
    if: github.event.repository.fork == false
    name: reviewdog
    uses: HariSekhon/GitHub-Actions/.github/workflows/reviewdog.yaml@master
    permissions:
      actions: read
      contents: read
      security-events: write

  # on: [pull_request]
  reviewdog-pr-check:
    if: github.event.repository.fork == false
    name: reviewdog PR
    uses: HariSekhon/GitHub-Actions/.github/workflows/reviewdog-pr.yaml@master
    permissions:
      actions: read
      contents: read
      security-events: write

    # ============================================================================ #
    #                                 C a c h e
    # ============================================================================ #

    # https://github.com/actions/cache
    # https://github.com/marketplace/actions/cache

    # Cache with matrix

#    - uses: actions/cache@v2
#      with:
#        path: ~/.cache/pip
#        key: ${{ runner.os }}-pip-bash-tools  # ${{ hashFiles('**/requirements.txt') }}
#        restore-keys: |
#          ${{ runner.os }}-pip-
#    - uses: actions/cache@v2
#      with:
#        path: ~/.cpanm
#        key: ${{ runner.os }}-cpanm-bash-tools  # ${{ hashFiles('**/cpan-requirements.txt') }}
#        restore-keys: |
#          ${{ runner.os }}-cpanm-

# ============================================================================ #
# Python
#    - uses: actions/cache@v2
#      if: startsWith(runner.os, 'Linux')
#      with:
#        path: ~/.cache/pip
#        key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
#        restore-keys: |
#          ${{ runner.os }}-pip-
#
#    - uses: actions/cache@v2
#      if: startsWith(runner.os, 'macOS')
#      with:
#        path: ~/Library/Caches/pip
#        key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
#        restore-keys: |
#          ${{ runner.os }}-pip-
# ============================================================================
# Perl
#    - uses: actions/cache@v2
#      with:
#        path: ~/.cpanm
#        key: ${{ runner.os }}-cpanm-${{ hashFiles('**/cpan-requirements.txt') }}
#        restore-keys: |
#          ${{ runner.os }}-cpanm-
# ============================================================================
# Go
#    - uses: actions/cache@v2
#      with:
#        path: ~/go/pkg/mod
#        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
#        restore-keys: |
#          ${{ runner.os }}-go-
# ============================================================================
# Java / Maven
#    - uses: actions/cache@v2
#      name: Maven Cache
#      with:
#        path: ~/.m2/repository
#        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
#        restore-keys: |
#          ${{ runner.os }}-maven-
#    - uses: actions/cache@v2
#      name: Maven Wrapper
#      with:
#        path: ~/.m2/wrapper
#        key: ${{ runner.os }}-maven-wrapper-${{ hashFiles('**/pom.xml') }}
#        restore-keys: |
#          ${{ runner.os }}-maven-wrapper-
# ============================================================================
# Scala / SBT
#    - uses: actions/cache@v2
#      name: SBT Cache
#      with:
#        path: ~/.sbt
#        key: ${{ runner.os }}-sbt-${{ hashFiles('**/build.sbt') }}
#    - uses: actions/cache@v2
#      name: SBT Ivy Cache
#      with:
#        path: ~/.ivy2/cache
#        key: ${{ runner.os }}-sbt-ivy-cache-${{ hashFiles('**/build.sbt') }}
# ============================================================================
# Gradle
#    - uses: actions/cache@v2
#      name: Gradle Cache
#      with:
#        path: ~/.gradle/caches
#        key: ${{ runner.os }}-gradle-cache-${{ hashFiles('**/build.gradle') }}
#        restore-keys: |
#          ${{ runner.os }}-gradle-cache-
#    - uses: actions/cache@v2
#      name: Gradle Wrapper
#      with:
#        path: ~/.gradle/wrapper
#        key: ${{ runner.os }}-gradle-wrapper-${{ hashFiles('**/build.gradle') }}
#        restore-keys: |
#          ${{ runner.os }}-gradle-wrapper-

#  docker:
#    #name: docker
#    runs-on:
#      - ubuntu-latest
#
#    steps:
#    - uses: docker://harisekhon/centos-dev
#    -  name: build & test
#       run: make build test

# ============================================================================ #
# Artifact Upload / Download for sharing between jobs or storing
#
# https://github.com/marketplace/actions/upload-a-build-artifact
#
# - uses: actions/upload-artifact@v2
#   with:
#     name: my-artifact
#       path: path/to/file.jar
#
# https://github.com/marketplace/actions/download-a-build-artifact
#
# - uses: actions/download-artifact@v2
#   with:
#     name: my-artifact  # if name isn't specified, downloads all artifacts to subdirectories of same name
#     #path: path/to/artifacts-dir
#
# ============================================================================ #
# GitHub Script - runs JavaScript Octokit API calls to GitHub
#
# eg. commenting on issue / PR
#     applying a label to an issue
#     auto-merging PR from dependabot security updates once tests have passed
#
# https://github.com/marketplace/actions/github-script

  # XXX: needs to run in a workflow with 'on: [pull_request]'
  automerge:
    name: Merge Pull Request
    runs-on: [ubuntu-latest]
    needs: [build]  # [build, tests]  # if separate job for test
    if: (github.base_ref == 'master' || github.base_ref == 'main') && github.actor == 'dependabot[bot]'  # github.actor is the login of the user that initiated the workflow
    steps:
      - name: Merge
        # could do this via GitHub CLI or GitHub Script
        #run: gh pr merge ${{ context.payload.pull_request.number }}
        #env:
        #  GITHUB_TOKEN: ${{ github.token }}
        uses: actions/github-script@v5
        with:
          script: |
            github.pullRequests.merge(
              {
                owner: context.payload.repository.owner.login,
                repo:  context.payload.repository.name,
                pull_number: context.payload.pull_request.number
              }
            )
          github-token: ${{ github.token }}