deploy to gcp #58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: deploy to gcp | |
| on: | |
| workflow_dispatch | |
| permissions: | |
| contents: write | |
| env: | |
| DEPLOY_STATE_BRANCH_NAME: deploy-state | |
| ENCRYPTED_DEPLOY_STATE_FILE_NAME: deploy-state.enc | |
| jobs: | |
| deploy_to_gcp: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: checkout project files | |
| uses: actions/checkout@v4 | |
| with: | |
| path: ./project | |
| - name: build project | |
| working-directory: ./project | |
| run: | | |
| cargo build --release -p server | |
| # cargo install trunk | |
| # rustup target add wasm32-unknown-unknown | |
| # cd client | |
| # trunk build --release | |
| - name: checkout encrypted deploy state | |
| continue-on-error: true | |
| uses: actions/checkout@v4 | |
| with: | |
| path: ./deploy-state-enc | |
| ref: ${{ env.DEPLOY_STATE_BRANCH_NAME }} | |
| sparse-checkout: | | |
| ${{ env.ENCRYPTED_DEPLOY_STATE_FILE_NAME }} | |
| sparse-checkout-cone-mode: false | |
| - name: decrypt and unzip deploy state | |
| continue-on-error: true | |
| run: | | |
| openssl enc -d -in ./deploy-state-enc/${{ env.ENCRYPTED_DEPLOY_STATE_FILE_NAME }} -aes-256-cbc -pbkdf2 -pass pass:"${{ secrets.TERRAFORM_STATE_PASSWORD }}" -out ./deploy-state.tar.gz | |
| tar -xzf ./deploy-state.tar.gz | |
| - name: initialize deploy state if it doesn't exist | |
| run: | | |
| [ ! -f "./deploy-state/id_ed25519" ] && mkdir -p deploy-state && ssh-keygen -t ed25519 -f ./deploy-state/id_ed25519 -N "" || true | |
| - name: setup terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| - name: run terraform apply | |
| working-directory: ./project | |
| run: | | |
| terraform init | |
| terraform apply --auto-approve --state=../deploy-state/terraform_state.tfstate --var="ssh_public_key_file_path=../deploy-state/id_ed25519.pub" --var="gcp_project_id=$(echo $GOOGLE_CREDENTIALS | jq -r .project_id)" | |
| env: | |
| GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }} | |
| - name: zip and encrypt new deploy state | |
| run: | | |
| tar -czf ./deploy-state.tar.gz ./deploy-state | |
| openssl enc -in ./deploy-state.tar.gz -aes-256-cbc -pbkdf2 -pass pass:"${{ secrets.TERRAFORM_STATE_PASSWORD }}" -out ./deploy-state-enc/${{ env.ENCRYPTED_DEPLOY_STATE_FILE_NAME }} | |
| - name: push new encrypted deploy state | |
| working-directory: ./deploy-state-enc | |
| run: | | |
| # create terraform-state branch if it doesn't exist yet | |
| git ls-remote --exit-code --heads origin ${{ env.DEPLOY_STATE_BRANCH_NAME }} || git switch --orphan ${{ env.DEPLOY_STATE_BRANCH_NAME }} | |
| git config user.name "${{github.actor}}" | |
| git config user.email "${{github.actor}}@users.noreply.github.com" | |
| git add ${{ env.ENCRYPTED_DEPLOY_STATE_FILE_NAME }} | |
| git commit -m "new state after deploy_to_gcp" | |
| git push -u origin ${{ env.DEPLOY_STATE_BRANCH_NAME }} | |
| - name: run ansible | |
| working-directory: ./project | |
| run: | | |
| echo '${{ secrets.GOOGLE_CREDENTIALS }}' > ../google_credentials.json | |
| echo 'ansible-node-inventory:' && cat ansible-node-inventory | |
| ansible-playbook -i ansible-node-inventory --key-file "../deploy-state/id_ed25519" ansible-playbook.yml --user user --extra-vars | |
| rm ../google_credentials.json | |
| env: | |
| ANSIBLE_HOST_KEY_CHECKING: false | |