Init Commit

Author: nuzil

.github/workflows/deployMesh.yaml

@@ -0,0 +1,114 @@
+name: Deploy Mesh
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push events for staging and production branches
+  push:
+    branches: ["production", "staging"]
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  deploy:
+    name: Deploy API Mesh
+    runs-on: ${{ matrix.os }}
+    strategy:
+      max-parallel: 1
+      matrix:
+        node-version: ["20"]
+        os: [ubuntu-latest]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Map branch-specific secrets
+        run: |
+          BRANCH_NAME="${GITHUB_REF_NAME:-${GITHUB_REF##*/}}"
+          if [ "$BRANCH_NAME" = "staging" ]; then
+            echo "TARGET_ENV=staging" >> "$GITHUB_ENV"
+            echo "CLIENTID=${{ secrets.CLIENTID_STAGE }}" >> "$GITHUB_ENV"
+            echo "CLIENTSECRET=${{ secrets.CLIENTSECRET_STAGE }}" >> "$GITHUB_ENV"
+            echo "TECHNICALACCID=${{ secrets.TECHNICALACCID_STAGE }}" >> "$GITHUB_ENV"
+            echo "TECHNICALACCEMAIL=${{ secrets.TECHNICALACCEMAIL_STAGE }}" >> "$GITHUB_ENV"
+            echo "WORKSPACEID=${{ secrets.WORKSPACEID_STAGE }}" >> "$GITHUB_ENV"
+          elif [ "$BRANCH_NAME" = "production" ]; then
+            echo "TARGET_ENV=production" >> "$GITHUB_ENV"
+            echo "CLIENTID=${{ secrets.CLIENTID_PROD }}" >> "$GITHUB_ENV"
+            echo "CLIENTSECRET=${{ secrets.CLIENTSECRET_PROD }}" >> "$GITHUB_ENV"
+            echo "TECHNICALACCID=${{ secrets.TECHNICALACCID_PROD }}" >> "$GITHUB_ENV"
+            echo "TECHNICALACCEMAIL=${{ secrets.TECHNICALACCEMAIL_PROD }}" >> "$GITHUB_ENV"
+            echo "WORKSPACEID=${{ secrets.WORKSPACEID_PROD }}" >> "$GITHUB_ENV"
+          else
+            echo "Unsupported branch '$BRANCH_NAME'. Only staging and production are allowed." >&2
+            exit 1
+          fi
+      - name: Validate Secrets
+        run: |
+          if
+          [ -z "${CLIENTID}" ] ||
+          [ -z "${CLIENTSECRET}" ] ||
+          [ -z "${TECHNICALACCID}" ] ||
+          [ -z "${TECHNICALACCEMAIL}" ] ||
+          [ -z "${{ secrets.IMSORGID }}" ] ||
+          [ -z "${{ secrets.ORGID }}" ] ||
+          [ -z "${{ secrets.PROJECTID }}" ] ||
+          [ -z "${WORKSPACEID}" ]; then
+            echo "Please set all required secrets: CLIENTID, CLIENTSECRET, TECHNICALACCID, TECHNICALACCEMAIL, IMSORGID, ORGID, PROJECTID, WORKSPACEID"
+            exit 1
+          fi
+      - name: Setup CLI
+        uses: adobe/aio-cli-setup-action@1.3.0
+        with:
+          os: ${{ matrix.os }}
+          version: 11.x.x
+      - name: api-mesh-plugin install
+        run: aio plugins:install @adobe/aio-cli-plugin-api-mesh
+      - name: Auth
+        uses: adobe/aio-apps-action@4.0.0
+        with:
+          os: ${{ matrix.os }}
+          command: oauth_sts
+          CLIENTID: ${{ env.CLIENTID }}
+          CLIENTSECRET: ${{ env.CLIENTSECRET }}
+          TECHNICALACCOUNTID: ${{ env.TECHNICALACCID }}
+          TECHNICALACCOUNTEMAIL: ${{ env.TECHNICALACCEMAIL }}
+          IMSORGID: ${{ secrets.IMSORGID }}
+          SCOPES: AdobeID, openid, read_organizations, additional_info.projectedProductContext, additional_info.roles, adobeio_api, read_client_secret, manage_client_secrets
+      - name: Set CLI ENV
+        run: aio config set cli.env prod
+      - name: Select org
+        run: aio console:org:select ${{ secrets.ORGID }}
+      - name: Select project
+        run: aio console:project:select ${{ secrets.PROJECTID }}
+      - name: Select workspace
+        run: aio console:workspace:select ${{ env.WORKSPACEID }}
+      - name: Print AIO CLI Config
+        run: aio config list
+      - name: Get Mesh
+        id: get_mesh
+        continue-on-error: true
+        run: |
+          output=$(aio api-mesh:get 2>&1)
+          # Escape the output and replace newlines with %0A
+          escaped_output=$(echo "$output" | tr -d '\r' | tr '\n' ' ')
+          echo "mesh_output=$escaped_output" >> $GITHUB_OUTPUT
+          echo "$output"
+      - name: Debug Get Mesh Output
+        continue-on-error: true
+        run: echo "Get Mesh Output - ${{ steps.get_mesh.outputs.mesh_output }}"
+      - name: Create Mesh
+        if: ${{ contains(steps.get_mesh.outputs.mesh_output, 'No mesh found') }}
+        run: aio api-mesh:create -c mesh.json --env .env
+      - name: Update Mesh
+        if: ${{ !contains(steps.get_mesh.outputs.mesh_output, 'No mesh found') }}
+        run: aio api-mesh:update -c mesh.json --env .env
+      - name: Wait for 30 seconds
+        run: sleep 30
+      - name: Describe Mesh
+        run: aio api-mesh:describe
+      - name: Get Mesh Status
+        run: aio api-mesh:status

.gitignore

@@ -0,0 +1,13 @@
+# Dependencies
+node_modules
+
+# Temporary files
+.wrangler
+.mesh
+tenantFiles
+tempfiles
+mesh-artifact
+meshes
+
+# Template files from @adobe/aio-cli-plugin-api-mesh
+wrangler.toml

README.md

@@ -1,2 +1,129 @@
-# com-acc-api-mesh-ci-cd
-Its an Public repository for Adobe Api Mesh CI/CD flows
+# Adobe API Mesh CI/CD Template
+
+This repository is a lightweight starting point for teams that want a repeatable GitHub Actions pipeline for provisioning and updating Adobe API Mesh configurations. Fork it, drop in your mesh definition files, wire up the required Adobe Developer Console credentials, and you will have a push-button deployment path for staging and production meshes.
+
+---
+
+## What You Get
+
+- **Workflow automation** – `.github/workflows/deployMesh.yaml` handles checkout, authentication via the Adobe I/O CLI, mesh creation (or update), and post-deploy validation.
+- **Environment awareness** – pushes to `staging` or `production` automatically pull the corresponding credential set and workspace identifiers.
+- **Manual control** – trigger the workflow with `workflow_dispatch` whenever you need an ad-hoc deployment.
+- **Extensibility** – add new environments, steps, linters, or notifications by extending the single workflow file.
+
+Repository layout (expected):
+
+```
+.
+├── .github/workflows/deployMesh.yaml   # Main CI/CD pipeline
+├── mesh.json                          # API Mesh definition (commit your own)
+├── .env                               # Optional runtime variables used by mesh.json
+└── README.md                          # This documentation
+```
+
+> Tip: keep secrets out of `mesh.json` and `.env`. Use GitHub Encrypted Secrets wherever possible.
+
+---
+
+## Prerequisites
+
+1. **Adobe Developer Console access** with permissions to the target organization, project, and workspaces that host your meshes.
+2. **Mesh definition files** (`mesh.json` plus any schema/resolver files) committed to the repository.
+3. **GitHub repository admin rights** to configure Actions secrets and branch protection rules.
+4. **Node.js 20.x** compatibility for any local development or custom steps (the workflow pins Node 20 via the matrix but can be adjusted).
+5. **Adobe I/O CLI knowledge** (`aio`) in case you want to run the same commands locally for troubleshooting.
+
+---
+
+## Required GitHub Secrets
+
+Configure the following secrets under **Settings → Secrets and variables → Actions** in your fork. Stage/prod secrets allow the workflow to decide which credentials to use based on the branch being deployed.
+
+| Secret Name | When Used | Description |
+| --- | --- | --- |
+| `CLIENTID_STAGE`, `CLIENTSECRET_STAGE`, `TECHNICALACCID_STAGE`, `TECHNICALACCEMAIL_STAGE`, `WORKSPACEID_STAGE` | Pushes to `staging` | OAuth client + technical account bound to your staging workspace. |
+| `CLIENTID_PROD`, `CLIENTSECRET_PROD`, `TECHNICALACCID_PROD`, `TECHNICALACCEMAIL_PROD`, `WORKSPACEID_PROD` | Pushes to `production` | Production equivalents of the above credentials. |
+| `IMSORGID` | Both | Adobe organization ID hosting the project. |
+| `ORGID` | Both | Console organization identifier consumed by `aio console:org:select`. |
+| `PROJECTID` | Both | Console project identifier used by `aio console:project:select`. |
+
+Add any extra secrets referenced by your mesh (for custom resolvers, HTTP headers, etc.) and load them via environment variables or additional steps in the workflow.
+
+---
+
+## Quick Start
+
+1. **Fork this repo** or use it as a template inside your organization.
+2. **Add your mesh files**:
+	- Place the primary mesh definition in `mesh.json`.
+	- Commit any supporting schemas/resolvers alongside it.
+	- (Optional) store non-secret runtime values in `.env` (e.g., `MESH_NAME=my-mesh`). The workflow passes `--env .env` to the CLI so those values are merged during create/update.
+3. **Populate GitHub Secrets** with the values listed above.
+4. **Adopt the branch convention**:
+	- Push or merge to `staging` for deploying to staging Adobe workspaces.
+	- Push or merge to `production` for production deployments.
+5. **Run the pipeline**:
+	- Commit changes and push to the target branch.
+	- Or open the **Actions** tab, select **Deploy Mesh**, and click **Run workflow** (specify the target branch).
+
+Once the workflow succeeds, your Adobe API Mesh instance will be created (if missing) or updated using the latest `mesh.json` contents, then described and queried for status to confirm a healthy deployment.
+
+---
+
+## Workflow Walkthrough (`deployMesh.yaml`)
+
+1. **Checkout & Node setup** – pulls repository code and provisions Node 20 on `ubuntu-latest`.
+2. **Branch-aware env mapping** – resolves GitHub secrets to runtime variables (`TARGET_ENV`, `CLIENTID`, etc.). Only `staging` and `production` are allowed to prevent accidental deployments from other branches.
+3. **Secret validation** – fails fast if any required value is missing.
+4. **Adobe I/O CLI bootstrap** – installs `aio` plus the API Mesh plugin (`@adobe/aio-cli-plugin-api-mesh`).
+5. **Authentication & targeting** – performs `oauth_sts`, selects the right org/project/workspace, and prints the CLI config for traceability.
+6. **Mesh lifecycle** – runs `aio api-mesh:get`; if no mesh exists it calls `api-mesh:create`, otherwise `api-mesh:update`, then waits briefly, describes the mesh, and fetches status.
+
+Extend or reorder steps as needed (e.g., run linting/tests before deployment, send Slack notifications after success, etc.).
+
+---
+
+## Customizing the Template
+
+- **Additional environments** – duplicate the branch/secrets mapping block and add new branches like `qa` or `dev` with their own credential sets.
+- **Matrix changes** – adjust `matrix.node-version` or `os` if you need different runtimes.
+- **Multiple meshes** – add extra steps to iterate over multiple `mesh.json` files or parameterize the mesh name via `.env` values.
+- **Observability** – append steps that push deployment metadata to your logging/monitoring stack.
+
+When editing `deployMesh.yaml`, keep the secret-validation step up to date so failures happen quickly.
+
+---
+
+## Local Validation (Optional)
+
+If you mirror the GitHub secrets as local environment variables you can run the same commands for smoke tests:
+
+```bash
+npm install -g @adobe/aio-cli
+aio plugins:install @adobe/aio-cli-plugin-api-mesh
+aio console:org:select <ORGID>
+aio console:project:select <PROJECTID>
+aio console:workspace:select <WORKSPACEID>
+aio api-mesh:update -c mesh.json --env .env
+```
+
+This makes it easier to debug mesh misconfigurations before committing.
+
+---
+
+## Troubleshooting
+
+- **Unsupported branch error** – ensure you are pushing to `staging` or `production`, or extend the branch mapping block for additional environments.
+- **Secret validation failure** – confirm every secret listed earlier is present; GitHub scope is repository-level by default.
+- **CLI auth issues** – verify the OAuth client has `oauth_sts` permissions and the scopes defined in the workflow.
+- **Mesh update fails** – inspect the workflow logs around `aio api-mesh:update` for schema/validation errors; run the same command locally with `--verbose` for more detail.
+
+---
+
+## Next Steps
+
+- Protect the `production` branch to require PR reviews before deployment.
+- Wire Slack/Teams notifications by adding an extra step after `Get Mesh Status`.
+- Version your mesh definitions (e.g., tag releases) so you can roll back quickly if needed.
+
+Happy shipping!