-
Notifications
You must be signed in to change notification settings - Fork 56
144 lines (132 loc) · 4.05 KB
/
deploy-review.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: Deploy Review App on PR
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
id-token: write
contents: read
packages: write
concurrency:
group: ${{ github.event.pull_request.number }}
jobs:
check-secret-access:
runs-on: ubuntu-latest
outputs:
allowed: ${{ steps.check-secret.outputs.allowed }}
steps:
- name: Test for secrets access
id: check-secret
shell: bash
run: |
unset allowed
if [ "${{ secrets.TEST_SECRETS_ACCESS }}" != '' ]; then
echo "allowed=true" >> $GITHUB_OUTPUT;
else
echo "allowed=false" >> $GITHUB_OUTPUT;
fi
build:
runs-on: ubuntu-latest
container: node:18-alpine
steps:
- name: 'Install deps'
run: |
apk add python3 make g++ git
- name: Checkout Code
uses: actions/checkout@v4
- name: 'npm install and build'
run: |
npm install
npm ci
npm run build
- name: Upload build to artifacts
uses: actions/upload-artifact@v4
with:
name: build
path: build
package:
runs-on: ubuntu-latest
needs:
- build
- check-secret-access
if: needs.check-secret-access.outputs.allowed == 'true'
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Download build from artifacts
uses: actions/download-artifact@v4
with:
name: build
path: ./build
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/${{ github.repository }}
tags: |
type=sha,format=long
- name: Build Docker Container
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
deploy:
name: Deploy
needs:
- package
- check-secret-access
if: needs.check-secret-access.outputs.allowed == 'true'
runs-on: [k8s-public-fmt]
container:
image: registry.gitlab.com/cmmarslender/kubectl-helm:v3
environment:
name: Review ${{ github.event.pull_request.number }}
url: https://${{ github.event.pull_request.number }}.chialisp-web.chia.net
steps:
- uses: actions/checkout@v4
- name: Vault Login
uses: Chia-Network/actions/vault/login@main
with:
vault_url: ${{ secrets.VAULT_URL }}
role_name: github-chialisp-web
- name: Get secrets from vault
uses: hashicorp/vault-action@v3
with:
url: ${{ secrets.VAULT_URL }}
token: ${{ env.VAULT_TOKEN }}
secrets: |
secret/data/fmt/k8s/k8s-fmt api_server_url | K8S_API_SERVER_URL;
- name: Login to k8s cluster
uses: Chia-Network/actions/vault/k8s-login@main
with:
vault_url: ${{ secrets.VAULT_URL }}
vault_token: ${{ env.VAULT_TOKEN }}
backend_name: k8s-fmt
role_name: github-actions
cluster_url: ${{ env.K8S_API_SERVER_URL }}
- name: Install certificate
run: |
kubectl create namespace chialisp-web || true
kubectl apply -n chialisp-web -f ./k8s/certificate.yaml
- uses: Chia-Network/actions/helm/deploy@main
env:
DOCKER_TAG: "sha-${{ github.sha }}"
REVIEW_SLUG: ${{ github.event.pull_request.number }}
with:
namespace: "chialisp-web"
app_name: "chialisp-web-${{ env.REVIEW_SLUG }}"
helm_chart_repo: "https://chia-network.github.io/helm-charts"
helm_chart: "generic"
helm_values: "./k8s/review.yaml"