mirror of
https://github.com/roleypoly/roleypoly.git
synced 2025-04-24 19:39:11 +00:00
193 lines
7.1 KiB
YAML
193 lines
7.1 KiB
YAML
name: Deploy
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
environment:
|
|
description: 'One of: stage, prod'
|
|
required: true
|
|
default: stage
|
|
ui_tag:
|
|
description: 'tag/digest reference to a UI container build'
|
|
required: false
|
|
default: ':main'
|
|
bot_tag:
|
|
description: 'tag/digest reference to a UI container build'
|
|
required: false
|
|
default: ':main'
|
|
worker_tag:
|
|
description: 'bucket key to fetch worker from'
|
|
required: false
|
|
default: '' # Empty will try using current main branch hash
|
|
|
|
jobs:
|
|
docker_sync:
|
|
name: Docker Sync
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
ui_tag: ${{ steps.tags.outputs.ui_tag }}
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
|
|
- uses: docker/setup-buildx-action@v1
|
|
id: buildx
|
|
with:
|
|
install: true
|
|
|
|
- name: Set up Cloud SDK
|
|
uses: google-github-actions/setup-gcloud@master
|
|
with:
|
|
project_id: ${{ secrets.GCS_PROJECT_ID }}
|
|
service_account_key: ${{ secrets.GCS_TF_KEY }}
|
|
export_default_credentials: true
|
|
|
|
- name: Login to GHCR
|
|
uses: docker/login-action@v1
|
|
with:
|
|
registry: ghcr.io
|
|
username: roleypoly
|
|
password: ${{ secrets.GHCR_PAT }}
|
|
|
|
- name: Login to GAR US
|
|
uses: docker/login-action@v1
|
|
with:
|
|
registry: us-docker.pkg.dev
|
|
username: _json_key
|
|
password: ${{ secrets.GAR_JSON_KEY }}
|
|
|
|
- name: Login to GAR Europe
|
|
uses: docker/login-action@v1
|
|
with:
|
|
registry: europe-docker.pkg.dev
|
|
username: _json_key
|
|
password: ${{ secrets.GAR_JSON_KEY }}
|
|
|
|
- name: Login to GAR Asia
|
|
uses: docker/login-action@v1
|
|
with:
|
|
registry: asia-docker.pkg.dev
|
|
username: _json_key
|
|
password: ${{ secrets.GAR_JSON_KEY }}
|
|
|
|
- name: Retag
|
|
id: tags
|
|
run: |
|
|
retag_push() {
|
|
docker tag $1 $2
|
|
docker push $2
|
|
}
|
|
|
|
get_digest() {
|
|
# Finds the digest for any GAR-pushed artifact
|
|
docker inspect $1 --format='{{json .RepoDigests}}' | jq -r '[.[] | match("docker.pkg.*(sha256:.*)"; "g")] | .[0] | .captures | .[0] | .string'
|
|
}
|
|
|
|
UI_IMAGE_SRC=ghcr.io/roleypoly/ui${{github.event.inputs.ui_tag}}
|
|
UI_IMAGE_DEST_BASE=docker.pkg.dev/roleypoly/roleypoly/ui:${{github.event.inputs.environment}}
|
|
|
|
docker pull $UI_IMAGE_SRC
|
|
retag_push $UI_IMAGE_SRC us-$UI_IMAGE_DEST_BASE
|
|
retag_push $UI_IMAGE_SRC europe-$UI_IMAGE_DEST_BASE
|
|
retag_push $UI_IMAGE_SRC asia-$UI_IMAGE_DEST_BASE
|
|
echo ::set-output name=ui_tag::@$(get_digest $UI_IMAGE_SRC)
|
|
|
|
deploy_metadata:
|
|
name: Make Deployment Metadata
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- docker_sync
|
|
outputs:
|
|
url: ${{steps.metadata.outputs.url}}
|
|
env: ${{steps.metadata.outputs.env}}
|
|
steps:
|
|
- name: Create deployment metadata
|
|
id: metadata
|
|
run: |
|
|
ENV_URL=
|
|
ENV_NAME=
|
|
|
|
if [[ "${{github.event.inputs.environment}}" == "prod" ]]; then
|
|
ENV_URL=https://next.roleypoly.com
|
|
ENV_NAME=Production
|
|
elif [[ "${{github.event.inputs.environment}}" == "stage" ]]; then
|
|
ENV_URL=https://web-stage.roleypoly.com
|
|
ENV_NAME=Staging
|
|
else
|
|
ENV_URL=https://web-${{github.event.inputs.environment}}.roleypoly.com
|
|
ENV_NAME=Preview-${{github.event.inputs.environment}}
|
|
fi
|
|
|
|
echo ::set-output name=url::$ENV_URL
|
|
echo ::set-output name=env::$ENV_NAME
|
|
|
|
deploy_terraform:
|
|
name: Deploy Terraform
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- docker_sync
|
|
- deploy_metadata
|
|
environment:
|
|
name: ${{ needs.deploy_metadata.outputs.env }}
|
|
url: ${{ needs.deploy_metadata.outputs.url }}
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
|
|
- uses: hashicorp/setup-terraform@v1.3.2
|
|
with:
|
|
terraform_version: ^0.14.0
|
|
|
|
- name: Set up Cloud SDK
|
|
uses: google-github-actions/setup-gcloud@master
|
|
with:
|
|
project_id: ${{ secrets.GCS_PROJECT_ID }}
|
|
service_account_key: ${{ secrets.GCS_TF_KEY }}
|
|
export_default_credentials: true
|
|
|
|
- name: Get Google Secrets (they keep them in a box under a tree)
|
|
id: secrets
|
|
uses: google-github-actions/get-secretmanager-secrets@main
|
|
with:
|
|
secrets: |-
|
|
secretJSON:${{ secrets.GCS_PROJECT_ID }}/${{github.event.inputs.environment}}-tfvars
|
|
|
|
- name: Pull necessary artifacts
|
|
working-directory: ./terraform
|
|
run: |
|
|
currentHash=${{ github.sha }}
|
|
targetArtifact=${{ github.event.inputs.worker_tag }}
|
|
selected="${targetArtifact:-$currentHash}"
|
|
|
|
mkdir worker-dist
|
|
gsutil cp gs://roleypoly-artifacts/backend-worker/$selected/script.js worker-dist/backend-worker.js
|
|
|
|
- name: Terraform init
|
|
working-directory: ./terraform
|
|
run: |
|
|
terraform init --backend-config "prefix=${{github.event.inputs.environment}}"
|
|
|
|
- name: Write *.auto.tfvars.json files
|
|
working-directory: ./terraform
|
|
run: |
|
|
echo \
|
|
'{"ui_tag": "${{needs.docker_sync.outputs.ui_tag}}", "bot_tag": "${{github.event.inputs.bot_tag}}", "api_path_to_worker": "./worker-dist/backend-worker.js"}' \
|
|
| jq . \
|
|
| tee tags.auto.tfvars.json
|
|
|
|
echo ${SECRET_TFVARS} > secrets.auto.tfvars.json
|
|
env:
|
|
SECRET_TFVARS: ${{ steps.secrets.outputs.secretJSON }}
|
|
|
|
- name: Terraform plan
|
|
working-directory: ./terraform
|
|
run: |
|
|
terraform plan \
|
|
-var-file variables/global.tfvars \
|
|
-var-file variables/${{github.event.inputs.environment}}.tfvars \
|
|
-out=./deployment.tfplan
|
|
|
|
- name: Terraform apply
|
|
working-directory: ./terraform
|
|
run: |
|
|
terraform apply \
|
|
-auto-approve \
|
|
deployment.tfplan
|