67 changes: 67 additions & 0 deletions spinup-destroy.yml
@@ -0,0 +1,67 @@
name: Configure Azure environment

on:
pull_request:
types: [labeled]

env:
IMAGE_REGISTRY_URL: ghcr.io
AZURE_RESOURCE_GROUP: cd-with-actions
AZURE_APP_PLAN: actions-ttt-deployment
AZURE_LOCATION: '"East US"'


medium

The AZURE_LOCATION is hardcoded as '"East US"'. While this works, it might be beneficial to allow users to configure this via a repository secret or workflow input. This would provide more flexibility and allow the workflow to be used in different Azure regions. Consider making this configurable.

AZURE_LOCATION: ${{ secrets.AZURE_LOCATION || '"East US"' }}

###############################################
### Replace <username> with GitHub username ###
###############################################
AZURE_WEBAPP_NAME: <username>-ttt-app


critical

The AZURE_WEBAPP_NAME includes a hardcoded <username> placeholder. This will likely cause naming conflicts when multiple users try to spin up environments. Consider using a more unique identifier, such as the GitHub user's ID or the pull request number, to ensure unique web app names. This is a critical issue because it prevents the workflow from functioning correctly in a multi-user environment.

I suggest using the GitHub user's ID or the pull request number in combination with the username to ensure uniqueness. For example, you could use ${{ github.actor }}-${{ github.event.pull_request.number }}-ttt-app.

AZURE_WEBAPP_NAME: ${{ github.actor }}-${{ github.event.pull_request.number }}-ttt-app


jobs:
setup-up-azure-resources:
runs-on: ubuntu-latest
if: contains(github.event.pull_request.labels.*.name, 'spin up environment')
steps:

P1: Gate setup job on the label that triggered the event

The workflow fires on every pull_request "labeled" event, but the job condition checks contains(github.event.pull_request.labels.*.name, 'spin up environment'). After a PR receives the spin up environment label, any subsequent label addition (including adding destroy environment) still satisfies this predicate and reruns the provisioning job, racing with the destroy job or repeatedly recreating the same infrastructure. The condition should compare against github.event.label.name (or similar) so the job runs only when that specific label is added.


- name: Checkout repository
uses: actions/checkout@v4

- name: Azure login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS_MSA741 }}

- name: Create Azure resource group
if: success()
run: |
az group create --location ${{env.AZURE_LOCATION}} --name ${{env.AZURE_RESOURCE_GROUP}} --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}}

- name: Create Azure app service plan
if: success()
run: |
az appservice plan create --resource-group ${{env.AZURE_RESOURCE_GROUP}} --name ${{env.AZURE_APP_PLAN}} --is-linux --sku F1 --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}}

- name: Create webapp resource
if: success()
run: |
az webapp create --resource-group ${{ env.AZURE_RESOURCE_GROUP }} --plan ${{ env.AZURE_APP_PLAN }} --name ${{ env.AZURE_WEBAPP_NAME }} --deployment-container-image-name nginx --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}}

- name: Configure webapp to use GHCR
if: success()
run: |
az webapp config container set --docker-custom-image-name nginx --docker-registry-server-password ${{secrets.CR_PAT}} --docker-registry-server-url https://${{env.IMAGE_REGISTRY_URL}} --docker-registry-server-user ${{github.actor}} --name ${{ env.AZURE_WEBAPP_NAME }} --resource-group ${{ env.AZURE_RESOURCE_GROUP }} --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}}

destroy-azure-resources:
runs-on: ubuntu-latest

if: contains(github.event.pull_request.labels.*.name, 'destroy environment')

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Azure login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS_MSA741 }}

- name: Destroy Azure environment
if: success()
run: |
az group delete --name ${{env.AZURE_RESOURCE_GROUP}} --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}} --yes
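Review bot: the `destroy-azure-resources` job deletes the entire shared resource group (`az group delete --name ${{env.AZURE_RESOURCE_GROUP}} --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}} --yes` at the end of the hunk) even though `AZURE_RESOURCE_GROUP: cd-with-actions` and `AZURE_APP_PLAN` are fixed values shared by every PR, while only `AZURE_WEBAPP_NAME` is per-user; labeling one PR `destroy environment` therefore tears down every other open environment in that group. Scope the teardown to the app this PR created (`az webapp delete --name ${{ env.AZURE_WEBAPP_NAME }} --resource-group ${{ env.AZURE_RESOURCE_GROUP }}`) or give each PR its own resource group so create and destroy operate on the same unit. Two smaller points on the same lines: the `run:` steps splice `${{ ... }}` expressions straight into the shell, including `${{github.actor}}` and `${{secrets.CR_PAT}}` in the "Configure webapp to use GHCR" step; pass such values into the step through `env:` and reference them as `"$VAR"` so no value is ever parsed as shell syntax, which also removes the need for the embedded quotes in `AZURE_LOCATION: '"East US"'`. `if: success()` on every step is the default behaviour and can be dropped, and the job id `setup-up-azure-resources` reads like a typo for `set-up-azure-resources`.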