From d35996d3d579657880f423e1c5bb1a44597ad518 Mon Sep 17 00:00:00 2001
From: Steven Eardley
Date: Tue, 21 Jan 2025 09:48:19 +0000
Subject: [PATCH 1/2] CI workflows
---
 .github/workflows/ci.yml | 4 +--
 .github/workflows/deploy.yml | 53 ++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/deploy.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b27f200..29c033b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs:
 qa:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - uses: actions/setup-python@v5
 with:
 python-version: "3.9"
@@ -19,7 +19,7 @@ jobs:
 needs: qa
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - uses: actions/setup-python@v5
 with:
 python-version: "3.9"
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..b638eca
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,53 @@
+name: Deploy
+
+env:
+ AZURE_CONTAINER_REGISTRY: MY_REGISTRY_NAME # set this to the name of your container registry
+ PROJECT_NAME: MY_PROJECT_NAME # set this to your project's name
+ RESOURCE_GROUP: invenio-dev # the resource group containing your AKS cluster
+ CLUSTER_NAME: InvenioRDM-Dev # the name of your AKS cluster
+ CHART_PATH: "~/helm-invenio/charts/invenio/Chart.yml" # set this to the path to your helm file
+ CHART_OVERRIDE_PATH: "~/helm-invenio/charts/invenio/values-overrides-imperial.yaml" # array of override file paths
+
+on:
+ workflow_run:
+ workflows: [Build and Publish] # Only run this once Build and Publish has succeeded (image is available)
+ types: [completed]
+ branches: [develop, feature/actions_deploy] # Only deploy develop branch to our CI dev instance
+
+permissions:
+ id-token: write # for Azure OIDC, see https://github.com/Azure/login
+ contents: read
+
+jobs:
+ deploy:
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout the Helm charts to deploy our published instance
+ uses: actions/checkout@v4
+ with:
+ repository: ImperialCollegeLondon/helm-invenio # Currently public, need to add a token if set to private
+ token: ${{ secrets.TOKEN_TO_PULL_HELM_REPO }}
+ fetch-depth: 0
+
+ - name: Login to Azure to deploy our chart
+ uses: azure/login@v2
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+ - name: Gets K8s context
+ uses: azure/aks-set-context@v4
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+ id: login
+
+ - name: Configure deployment
+ uses: azure/k8s-bake@61041e8c2f75c1f01186c8f05fb8b24e1fc507d8
+ with:
+ renderEngine: 'helm'
+ helmChart: ${{ env.CHART_PATH }}
+ overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
+ helm-version: 'latest'
+ id: bake
From a341b4513f310e6df015a808a06aa532d27774a4 Mon Sep 17 00:00:00 2001
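Review bot: The `permissions` block grants `id-token: write` "for Azure OIDC", but the "Login to Azure" step authenticates with `creds: ${{ secrets.AZURE_CREDENTIALS }}`, a stored service-principal secret, so the OIDC token is requested and never used. Either move `azure/login@v2` to federated credentials (the `client-id`, `tenant-id` and `subscription-id` inputs in place of `creds`) so that no long-lived Azure secret has to be kept in the repository settings, or drop `id-token: write` to keep the job token minimal. Separately, `helm-version: 'latest'` in the bake step lets the rendering tool change between runs; a fixed version keeps the rendered manifests reproducible.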
From: Christopher Cave-Ayland
Date: Tue, 21 Jan 2025 15:40:06 +0000
Subject: [PATCH 2/2] First pass at fully configured worflow
---
 .github/workflows/deploy.yml | 63 ++++++++++++++++++++++--------------
 1 file changed, 38 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b638eca..55f72cf 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,34 +1,31 @@
 name: Deploy
 
-env:
- AZURE_CONTAINER_REGISTRY: MY_REGISTRY_NAME # set this to the name of your container registry
- PROJECT_NAME: MY_PROJECT_NAME # set this to your project's name
- RESOURCE_GROUP: invenio-dev # the resource group containing your AKS cluster
- CLUSTER_NAME: InvenioRDM-Dev # the name of your AKS cluster
- CHART_PATH: "~/helm-invenio/charts/invenio/Chart.yml" # set this to the path to your helm file
- CHART_OVERRIDE_PATH: "~/helm-invenio/charts/invenio/values-overrides-imperial.yaml" # array of override file paths
-
 on:
- workflow_run:
- workflows: [Build and Publish] # Only run this once Build and Publish has succeeded (image is available)
- types: [completed]
- branches: [develop, feature/actions_deploy] # Only deploy develop branch to our CI dev instance
+ push:
+ branches:
+ - feature/actions_deploy
+ # workflow_run:
+ # workflows: [Build and Publish] # Only run this once Build and Publish has succeeded (image is available)
+ # types: [completed]
+ # branches: [develop, feature/actions_deploy] # Only deploy develop branch to our CI dev instance
 
 permissions:
- id-token: write # for Azure OIDC, see https://github.com/Azure/login
+ id-token: write
 contents: read
+ actions: read
 
 jobs:
 deploy:
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ # if: ${{ github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
+ environment: develop
 steps:
 - name: checkout the Helm charts to deploy our published instance
 uses: actions/checkout@v4
 with:
- repository: ImperialCollegeLondon/helm-invenio # Currently public, need to add a token if set to private
- token: ${{ secrets.TOKEN_TO_PULL_HELM_REPO }}
- fetch-depth: 0
+ repository: ImperialCollegeLondon/helm-invenio
+ path: helm-invenio
+ ref: imperial_deployment
 
 - name: Login to Azure to deploy our chart
 uses: azure/login@v2
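Review bot: With `workflow_run` and the job-level `if:` commented out, the deploy job runs on every push to `feature/actions_deploy` without waiting for Build and Publish to succeed, while holding `id-token: write` and the `develop` environment's secrets. If this trigger is only for bring-up, put a comment such as `# TEMPORARY: restore the workflow_run gate before merging to develop` above `push:`, and restrict the `develop` environment to the intended branches in the repository settings. The checkout also takes the chart from the mutable branch `ref: imperial_deployment` of another repository, so whoever can push to that branch decides what is rendered with those secrets; pinning `ref:` to a reviewed commit SHA would close that. The `deploy` job continues past the end of this hunk.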
@@ -38,16 +35,32 @@ jobs:
 - name: Gets K8s context
 uses: azure/aks-set-context@v4
 with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
+ resource-group: ${{ vars.RESOURCE_GROUP }}
+ cluster-name: ${{ vars.CLUSTER_NAME }}
 id: login
 
 - name: Configure deployment
- uses: azure/k8s-bake@61041e8c2f75c1f01186c8f05fb8b24e1fc507d8
+ uses: azure/k8s-bake@v3
 with:
- renderEngine: 'helm'
- helmChart: ${{ env.CHART_PATH }}
- overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
- helm-version: 'latest'
+ renderEngine: "helm"
+ helmChart: ${{ vars.CHART_PATH }}
+ overrideFiles: ${{ vars.CHART_OVERRIDE_PATH }}
+ helm-version: "latest"
+ releaseName: "develop"
+ namespace: invenio
+ overrides: |
+ invenio.secret_key: ${{ secrets.INVENIO_SECRET_KEY }}
+ invenio.security_login_salt: ${{ secrets.INVENIO_SECURITY_LOGIN_SALT }}
+ invenio.csrf_secret_salt: ${{ secrets.INVENIO_CSRF_SECRET_SALT }}
+ invenio.extraConfig.ICL_OAUTH_CLIENT_ID: ${{ vars.ICL_OAUTH_CLIENT_ID }}
+ invenio.extraConfig.ICL_OAUTH_CLIENT_SECRET: ${{ secrets.ICL_OAUTH_CLIENT_SECRET }}
+ invenio.extraConfig.ICL_OAUTH_WELL_KNOWN_URL: ${{ vars.ICL_OAUTH_WELL_KNOWN_URL }}
+ rabbitmq.auth.password: ${{ secrets.RABBITMQ_AUTH_PASSWORD }}
+ postgresql.auth.password: ${{ secrets.POSTGRESQL_AUTH_PASSWORD }}
+ invenio.web.image: ${{ vars.IMAGE_NAME }}
 id: bake
+ - name: Deploys application
+ uses: Azure/k8s-deploy@v5
+ with:
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ namespace: invenio
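Review bot: The bake step's `uses:` goes from a full commit SHA to the mutable tag `azure/k8s-bake@v3` in the same hunk that starts handing it `INVENIO_SECRET_KEY`, the OAuth client secret and the RabbitMQ and PostgreSQL passwords through `overrides`. Keep the pin, e.g. `uses: azure/k8s-bake@<full-commit-sha-of-reviewed-release> # v3`, do the same for the new `Azure/k8s-deploy@v5` step, and replace `helm-version: "latest"` with a fixed version. The rendered bundle at `steps.bake.outputs.manifestsBundle` will presumably contain those values; confirm that neither step prints the manifests, because log masking matches the raw secret and not a base64-encoded copy of it. The `deploy` job starts before this hunk.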