Add build and deploy GitHub actions for AWS environments (#47)

* Add per-deployment build configs

* Add github actions to build-and-publish docker images

* Add missing DEPLOYMENT_ENV build args

* Remove old github action

* Refactor main.yml

* Try production publishing

* Give write permissions to the workflow

* Add missing day to the tag

* Run checks

* Make build and publish steps consistent

Author: pgetta

.deployment-envs/.env.production

@@ -0,0 +1,9 @@
+NEXT_PUBLIC_NEXUS_URL=https://openbluebrain.com/api/nexus/v1
+NEXT_PUBLIC_BLUE_NAAS_URL=https://openbluebrain.com/api/bluenaas
+NEXT_PUBLIC_CELL_SVC_BASE_URL=https://openbluebrain.com/api/circuit
+NEXT_PUBLIC_KG_INFERENCE_BASE_URL=https://openbluebrain.com/api/kg-inference
+NEXT_PUBLIC_THUMBNAIL_GENERATION_BASE_URL=https://openbluebrain.com/api/thumbnail-generation
+NEXT_PUBLIC_SYNTHESIS_URL=https://synthesis.sbo.kcp.bbp.epfl.ch/synthesis-with-resources # TODO: change to staging
+NEXT_PUBLIC_ME_MODEL_ANALYSIS_WS_URL=wss://yyuu69y9fk.execute-api.us-east-1.amazonaws.com/prod/ # TODO: check if correct
+NEXT_PUBLIC_VIRTUAL_LAB_API_URL=https://openbluebrain.com/api/virtual-lab-manager
+NEXT_PUBLIC_BBS_ML_BASE_URL=https://openbluebrain.com/api/literature

.deployment-envs/.env.staging

@@ -0,0 +1,9 @@
+NEXT_PUBLIC_NEXUS_URL=https://staging.openbraininstitute.org/api/nexus/v1
+NEXT_PUBLIC_BLUE_NAAS_URL=https://staging.openbraininstitute.org/api/bluenaas
+NEXT_PUBLIC_CELL_SVC_BASE_URL=https://staging.openbraininstitute.org/api/circuit
+NEXT_PUBLIC_KG_INFERENCE_BASE_URL=https://staging.openbraininstitute.org/api/kg-inference
+NEXT_PUBLIC_THUMBNAIL_GENERATION_BASE_URL=https://staging.openbraininstitute.org/api/thumbnail-generation
+NEXT_PUBLIC_SYNTHESIS_URL=https://synthesis.sbo.kcp.bbp.epfl.ch/synthesis-with-resources # TODO: change to staging
+NEXT_PUBLIC_ME_MODEL_ANALYSIS_WS_URL=wss://yyuu69y9fk.execute-api.us-east-1.amazonaws.com/prod/ # TODO: check if correct
+NEXT_PUBLIC_VIRTUAL_LAB_API_URL=https://staging.openbraininstitute.org/api/virtual-lab-manager
+NEXT_PUBLIC_BBS_ML_BASE_URL=https://staging.openbraininstitute.org/api/literature

.github/workflows/deploy-aws-prod.yml

@@ -0,0 +1,67 @@
+name: Publish PRODUCTION image
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  tag-and-publish-image:
+    runs-on: ubuntu-latest
+    env:
+      ENVIRONMENT: staging
+      IMAGE_NAME: ${{ vars.PUBLICECR_URI }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Get full history to check existing tags
+
+      - name: Set up Git
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Determine new tag
+        id: tag
+        run: |
+          YEAR=$(date +'%Y')
+          MONTH=$(date +'%m')
+          DAY=$(date +'%d')
+          LATEST_TAG=$(git tag --sort=-v:refname | grep -E "^${YEAR}\.${MONTH}\.${DAY}\.[0-9]+$" | head -n 1 || echo "")
+
+          if [[ -z "$LATEST_TAG" ]]; then
+            COUNTER=1
+          else
+            COUNTER=$(( ${LATEST_TAG##*.} + 1 ))
+          fi
+
+          NEW_TAG="${YEAR}.${MONTH}.${DAY}.${COUNTER}"
+          echo "NEW_TAG=${NEW_TAG}" >> $GITHUB_ENV
+          echo "New tag: $NEW_TAG"
+
+      - name: Create Git Tag
+        run: |
+          git tag $NEW_TAG
+          git push origin $NEW_TAG
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.PUBLICECR_UPLOAD_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.PUBLICECR_UPLOAD_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.PUBLICECR_REGION }}
+
+      - name: Authenticate with AWS Public ECR
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registry-type: public
+
+      - name: Build a Docker image
+        run: |
+          docker build --build-arg DEPLOYMENT_ENV=production -t ${{ vars.PUBLICECR_URI }}:${{ env.NEW_TAG }} .
+
+      - name: Publish To AWS ECR
+        run: |
+          docker push ${{ vars.PUBLICECR_URI }}:$${{ env.NEW_TAG }}

.github/workflows/publish-production-image.yml

@@ -0,0 +1,37 @@
+name: Publish STAGING image
+
+on:
+  push:
+    branches:
+      - develop
+  workflow_dispatch:
+
+jobs:
+  publish-image:
+    runs-on: ubuntu-latest
+    env:
+      ENVIRONMENT: staging
+      IMAGE_NAME: ${{ vars.PUBLICECR_URI }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.PUBLICECR_UPLOAD_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.PUBLICECR_UPLOAD_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.PUBLICECR_REGION }}
+
+      - name: Authenticate with AWS Public ECR
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registry-type: public
+
+      - name: Build a Docker image
+        run: |
+          docker build --build-arg DEPLOYMENT_ENV=staging -t ${{ vars.PUBLICECR_URI }}:staging .
+
+      - name: Publish To AWS ECR
+        run: |
+          docker push ${{ vars.PUBLICECR_URI }}:staging

.github/workflows/publish-staging-image.yml

@@ -1,11 +1,11 @@
-name: OBP CI/CD - Linter, Prettier, Test, Build
+name: Lint, Format, Test, Build
 
 on:
   push:
     branches:
-      - '*'
-      - '!main'
-      - '!develop'
+      - "*"
+      - "!main"
+      - "!develop"
   workflow_dispatch:
 
 jobs:
@@ -18,8 +18,8 @@ jobs:
       - name: Set-up Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: 'npm'
+          node-version: 23
+          cache: "npm"
 
       - name: Install Node.js packages
         run: npm ci
@@ -33,8 +33,8 @@ jobs:
       - name: Set-up Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: 'npm'
+          node-version: 23
+          cache: "npm"
 
       - name: Install Node.js packages
         run: npm ci
@@ -51,8 +51,8 @@ jobs:
       - name: Set-up Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: 'npm'
+          node-version: 23
+          cache: "npm"
 
       - name: Install Node.js packages
         run: npm ci
@@ -69,8 +69,8 @@ jobs:
       - name: Set-up Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: 'npm'
+          node-version: 23
+          cache: "npm"
 
       - name: Install Node.js packages
         run: npm ci
@@ -89,8 +89,8 @@ jobs:
       - name: Set-up Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: 'npm'
+          node-version: 23
+          cache: "npm"
 
       - name: Install Node.js packages
         run: npm ci

.github/workflows/main.yml .github/workflows/run-checks.yml

@@ -1,5 +1,5 @@
 # Install dependencies only when needed
-FROM node:21-alpine AS deps
+FROM node:23-alpine AS deps
 # Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine
 # to understand why libc6-compat might be needed.
 RUN apk add --no-cache libc6-compat
@@ -11,39 +11,27 @@ RUN npm ci
 
 
 # Rebuild the source code only when needed
-FROM node:21-alpine AS builder
-
-ARG NEXT_PUBLIC_SENTRY_DSN
-ARG SENTRY_AUTH_TOKEN
-ARG NEXT_PUBLIC_BASE_PATH
-ARG NEXT_PUBLIC_NEXUS_URL
-ARG NEXT_PUBLIC_BBS_ML_URL
-ARG NEXT_PUBLIC_ATLAS_ES_VIEW_ID
-ARG NEXT_PUBLIC_THUMBNAIL_GENERATION_BASE_URL
-ARG NEXT_PUBLIC_KG_INFERENCE_BASE_URL
-ARG NEXT_PUBLIC_ENVIRONMENT
-ARG CI_COMMIT_SHORT_SHA
-ARG NEXT_PUBLIC_VIRTUAL_LAB_API_URL
-ARG NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
-ARG NEXT_PUBLIC_BBS_ML_PRIVATE_BASE_URL
-ARG NEXT_PUBLIC_BRAIN_REGION_ONTOLOGY_RESOURCE_TAG
-ARG NEXT_PUBLIC_CELL_COMPOSITION_TAG
-ARG NEXT_PUBLIC_CELL_SVC_BASE_URL
-ARG NEXT_PUBLIC_BLUE_NAAS_URL
+FROM node:23-alpine AS builder
+
+ARG DEPLOYMENT_ENV
+
 ENV NODE_OPTIONS="--max_old_space_size=7168"
 
 WORKDIR /app
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
 
+# Copy correct .env file according to the deployment environment
+RUN cp .deployment-envs/.env.$DEPLOYMENT_ENV .env.production
+
 RUN npm run build
 
 
 # Production image, copy all the files and run next
-FROM node:21-alpine AS runner
+FROM node:23-alpine AS runner
 WORKDIR /app
 
-ENV NODE_ENV production
+ENV NODE_ENV=production
 
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
@@ -59,6 +47,6 @@ USER nextjs
 
 EXPOSE 8000
 
-ENV PORT 8000
+ENV PORT=8000
 
 CMD ["node", "server.js"]