fix: pr open for manual deploys (#87)

* fix: pr open for manual deploys

* fix: trivy permissions

* fix: add resume before deploy

* fix: permissions

* chore: docs

Author: mishraomp

.github/workflows/.tests.yml

@@ -76,6 +76,9 @@ jobs:
     name: Trivy Security Scan
     if: ${{ ! github.event.pull_request.draft }}
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read # This is required for actions/checkout
+      security-events: write # This is required to upload SARIF results to the Security tab
     timeout-minutes: 1
     steps:
       - uses: actions/checkout@v4

.github/workflows/pr-open.yml

@@ -2,6 +2,7 @@ name: PR
 
 on:
   pull_request:
+
   workflow_dispatch:
 
 concurrency:
@@ -13,6 +14,7 @@ permissions:
   contents: write # This is required for actions/checkout
   packages: write
   pull-requests: write
+  security-events: write
 env:
     AWS_REGION: ca-central-1
 jobs:
@@ -41,26 +43,31 @@ jobs:
     with:
       environment_name: dev
       command: plan
-      tag: ${{ github.event.number || 'latest' }} # this is the tag of the containers to deploy, defaults to test
-      app_env: ephermal-${{ github.event.number || 'latest' }} # ephermal, prefixed for easy clean up of PR resources in s3 and dynamodb generated by terraform
+      tag: ${{ github.event.number || 'latest' }} 
+      app_env: ${{ github.event.number || 'latest' }} # ephermal, prefixed for easy clean up of PR resources in s3 and dynamodb generated by terraform
     secrets: inherit
 
- 
   tests:
     name: Tests
     needs: builds
     uses: ./.github/workflows/.tests.yml
     with:
-      tag: ${{ github.event.number }}
+      tag: ${{ github.event.number || 'latest' }} 
+  resume-resources-dev:
+    name: Resume Resources Dev
+    if: (github.event_name == 'workflow_dispatch')
+    needs: [builds]
+    uses: ./.github/workflows/resume-resources.yml
+    secrets: inherit
   deploy-to-dev:
     name: Deploy to Dev
     if: (github.event_name == 'workflow_dispatch')
-    needs: [builds, tests]
+    needs: [resume-resources-dev]
     uses: ./.github/workflows/.deploy_stack.yml
     with:
       environment_name: dev
       command: apply
-      tag: latest
+      tag: manual
       app_env: dev
     secrets: inherit
   results:

GHA.md

@@ -14,21 +14,29 @@ The workflows in this repository are organized into three main categories:
 
 ### `pr-open.yml`
 
-**Trigger**: Pull request open or update
+**Trigger**: 
+- Pull request open or update
+- Manual workflow dispatch (for deploying to dev environment)
 
-**Purpose**: Validates the proposed changes to ensure they meet quality standards and work as expected.
+**Purpose**: Validates the proposed changes to ensure they meet quality standards and work as expected. Additionally allows manual deployment to the dev environment through workflow dispatch.
 
 **Steps**:
-1. Builds container images for backend, frontend, and migrations, tagging them with the PR number
+1. Builds container images for backend, frontend, and migrations, tagging them with:
+   - The PR number (for PR events)
+   - 'manual' tag (for workflow dispatch events)
+   - 'latest' tag
+   - 'pr-{number}' tag
 2. Runs comprehensive tests on the codebase including:
    - Backend unit tests with a PostgreSQL service container
    - Frontend unit tests
    - Security scanning with Trivy
 3. SonarCloud analysis for code quality
-4. Creates a preview environment (when comments contain `/deploy`)
-5. Runs end-to-end tests using Playwright
+4. Plans infrastructure changes using Terraform/Terragrunt
+5. For workflow dispatch events:
+   - Resumes any paused resources in the dev environment
+   - Deploys the stack to the dev environment for testing
 
-**Outputs**: Container images tagged with PR number, test results, SonarCloud reports
+**Outputs**: Container images with appropriate tags, test results, SonarCloud reports, and (for workflow dispatch) a deployed environment
 
 ### `pr-validate.yml`
 
@@ -198,8 +206,10 @@ The workflows in this repository are organized into three main categories:
 The workflows use the following environment configurations:
 
 1. **Development (dev)**: Used for continuous integration and feature testing
+   - Can be deployed manually via workflow dispatch on the PR workflow
+   - Serves as the target for merged PRs from the main branch
 2. **Testing (test)**: Used for QA and acceptance testing
-3. **Production (prod)**: Used for live production deployments
+3. **Production (prod)**: Used for live production deployments via the release workflow
 
 ## Required Secrets
 
@@ -223,6 +233,12 @@ GitHub Event (PR, Push, etc.)
     │       │
     │       ├─── Test (calls .tests.yml)
     │       │
+    │       ├─── Manual Workflow Dispatch─┐
+    │       │                             │
+    │       │                             ▼
+    │       │                        Resume Resources
+    │       │                             │
+    │       │                             ▼
     │       ├─── Deploy (calls .deploy_stack.yml)
     │       │     │
     │       │     └─── Deploy Components (database, api, frontend)
@@ -245,6 +261,10 @@ When customizing these workflows:
 3. Test changes thoroughly in isolation before merging
 4. Consider impacts on automated resource management
 5. Update documentation when changing workflow behavior
+6. When using manual workflow dispatch for deployments:
+   - Ensure proper resource resume/pause mechanisms are in place
+   - Use consistent tagging strategies between PR-based and manual deployments
+   - Consider adding validation steps after manual deployments to verify success
 
 ## Troubleshooting