Merge pull request #23 from guardian/v3

V3 — Update to node current LTS (20.12.2) and core dependencies
guardian · Jan 20, 2025 · 69d0163 · 69d0163
2 parents 44d59d7 + f0bbfa8
commit 69d0163
Show file tree

Hide file tree

Showing 20 changed files with 319,641 additions and 854,008 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -12,25 +12,21 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      pull-requests: write # required since guardian/actions-riff-raff@v3
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
-      - uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-region: eu-west-1
-          role-to-assume: ${{ secrets.GU_RIFF_RAFF_ROLE_ARN }}
-
-      - uses: guardian/[email protected]
+      - uses: guardian/actions-read-private-repos@v1
         with:
           private-ssh-keys: ${{ secrets.PRIVATE_INFRASTRUCTURE_CONFIG_DEPLOY_KEY }}
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
           cache: npm
 
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v5
         with:
           go-version: '1.18'
       - name: Build Go service
@@ -44,9 +40,11 @@ jobs:
           npm test -- --passWithNoTests
           npm run synth-infra
 
-      - uses: guardian/actions-riff-raff@v2
+      - uses: guardian/actions-riff-raff@v4
         with:
           app: actions-static-site-infra
+          roleArn: ${{ secrets.GU_RIFF_RAFF_ROLE_ARN }}
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
           config: |
             stacks:
               - deploy

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -12,15 +12,16 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      pull-requests: write # required by guardian/actions-riff-raff
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
-      - uses: guardian/actions-read-private-repos@v0.1.0
+      - uses: guardian/actions-read-private-repos@v1
         with:
           private-ssh-keys: ${{ secrets.PRIVATE_INFRASTRUCTURE_CONFIG_DEPLOY_KEY }}
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
           cache: npm
@@ -48,12 +49,13 @@ jobs:
           </html>
           EOF
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           path: my-site
 
       - uses: ./
         with:
           app: the-coolest-static-site
           domain: test.devx.gutools.co.uk
-          guActionsRiffRaffRoleArn: ${{ secrets.GU_RIFF_RAFF_ROLE_ARN }}
+          roleArn: ${{ secrets.GU_RIFF_RAFF_ROLE_ARN }}
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-v16.13.2
+v20.18.1
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# @guardian/actions-static-site V2
+# @guardian/actions-static-site V3
 
 Action to provision and serve a static site with Google Auth and a custom
 domain.
@@ -33,16 +33,17 @@ jobs:
       # ... (Build your static site.)
 
       # Then upload it as an artifact
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           path: my-site
 
       # Then invoke this action (replacing app and domain)
-      - uses: guardian/actions-static-site@v2
+      - uses: guardian/actions-static-site@v3
         with:
           app: example
           domain: example.gutools.co.uk
-          guActionsRiffRaffRoleArn: ${{ secrets.GU_RIFF_RAFF_ROLE_ARN }}
+          roleArn: ${{ secrets.GU_RIFF_RAFF_ROLE_ARN }}
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 Each run of actions-static-site uses actions-riff-raff to create a new build in

diff --git a/action.yaml b/action.yaml
@@ -11,9 +11,12 @@ inputs:
     description: 'Name of artifact containing the static site. Should be uploaded in an earlier workflow step.'
     required: false
     default: 'artifact'
-  guActionsRiffRaffRoleArn:
+  roleArn:
     description: "Role to use for writing to Riffraff's AWS bucket (typically org secret of same name)."
     required: true
+  githubToken:
+    description: "A GitHub token scoped to allow pull request commenting"
+    required: true
   dryRun:
     description: 'If set to true, will not upload Riffraff artifact.'
     default: false
@@ -35,7 +38,7 @@ runs:
         INPUT_DRYRUN: ${{ inputs.dryRun}}
         INPUT_ACTIONS_RUNTIME_TOKEN: ${ github.token }
 
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@v4
       with:
         name: ${{ inputs.artifact }}
         path: site
@@ -45,14 +48,11 @@ runs:
       run: ls -R
       working-directory: site
 
-    - uses: aws-actions/configure-aws-credentials@v1
-      with:
-        aws-region: eu-west-1
-        role-to-assume: ${{ inputs.guActionsRiffRaffRoleArn }}
-
-    - uses: guardian/actions-riff-raff@v2
+    - uses: guardian/actions-riff-raff@v4
       with:
         app: ${{ inputs.app }}
+        roleArn: ${{ inputs.roleArn }}
+        githubToken: ${{ inputs.githubToken }}
         dryRun: ${{ inputs.dryRun }}
         contentDirectories: |
           cfn: [${{github.action_path}}/cfn.json]

diff --git a/cdk.json b/cdk.json
@@ -1,5 +1,5 @@
 {
-  "app": "npx ts-node cdk/bin/cdk.ts",
+  "app": "npx tsx cdk/bin/cdk.ts",
   "context": {
     "aws-cdk:enableDiffNoFail": "true",
     "@aws-cdk/core:stackRelativeExports": "true"