.github/workflows/destroy.yml
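name: Destroy

# Fires on every ref deletion (branches and tags); the job-level `if` below
# narrows it to non-protected branches.
on: delete

permissions:
  id-token: write   # required to assume the AWS role through OIDC
  contents: read
  actions: read

jobs:
  destroy:
    # Protected branches should be designated as such in the GitHub UI.
    # So, a protected branch should never have this workflow run, since the branch should never be deleted.
    # This conditional is a backup mechanism to help prevent mistakes from becoming disasters.
    # This is a list of branch names that are commonly used for protected branches/environments.
    # Add/remove names from this list as appropriate.
    if: github.event.ref_type == 'branch' && !contains(fromJson('["master", "val", "production"]'), github.event.ref)
    runs-on: ubuntu-latest
    steps:
      - name: set branch_name
        # The deleted ref is handed to the script through an environment variable
        # instead of being interpolated with ${{ }} into the script text. Expression
        # interpolation happens before the shell runs, so a ref containing shell
        # metacharacters would otherwise be executed as part of the script.
        env:
          DELETED_REF: ${{ github.event.ref }}
        run: |
          if [[ "$DELETED_REF" =~ ^dependabot/.* ]]; then # Dependabot builds very long branch names.  This is a switch to make it shorter.
            # Hash of the ref (with echo's trailing newline, as before) truncated to 10 hex chars and prefixed with "x".
            echo "branch_name=$(echo "$DELETED_REF" | md5sum | head -c 10 | sed 's/^/x/')" >> "$GITHUB_ENV"
          else
            echo "branch_name=$DELETED_REF" >> "$GITHUB_ENV"
          fi
      # Third-party actions are referenced by major-version tag; pinning them to a
      # full-length commit SHA removes the dependency on the tag staying unchanged.
      - uses: actions/checkout@v3
      - name: set branch specific variable names
        # Exports the BRANCH_SPECIFIC_VARNAME_* names used to look up per-branch secrets below.
        run: ./.github/build_vars.sh set_names
      - name: set variable values
        run: ./.github/build_vars.sh set_values
        env:
          # Per-branch secret if one is configured, otherwise the repository-wide default.
          AWS_OIDC_ROLE_TO_ASSUME: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_OIDC_ROLE_TO_ASSUME] || secrets.AWS_OIDC_ROLE_TO_ASSUME }}
          AWS_DEFAULT_REGION: ${{ secrets[env.BRANCH_SPECIFIC_VARNAME_AWS_DEFAULT_REGION] || secrets.AWS_DEFAULT_REGION }}
          STAGE_PREFIX: ${{ secrets.STAGE_PREFIX }}
      - name: Configure AWS credentials for GitHub Actions
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ env.AWS_OIDC_ROLE_TO_ASSUME }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
      - name: lock this branch to prevent concurrent builds
        # branch_name is quoted so the lock script always receives exactly one argument.
        run: ./.github/github-lock.sh "$branch_name"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: destroy the stage deployed for this branch
        run: ./destroy.sh "$STAGE_PREFIX$branch_name"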