Skip to content
Deploy Production

chore: PROD to CONTEXTUS in production-deploy.yaml based on https://g… #35

Sign in to view logs

chore: PROD to CONTEXTUS in production-deploy.yaml based on https://g…

chore: PROD to CONTEXTUS in production-deploy.yaml based on https://g… #35

Workflow file for this run

.github/workflows/production-deploy.yaml at eb8cfdb
name: Deploy Production
on:
push:
tags:
- 'v*'
workflow_call:
inputs:
version:
type: string
required: true
chart_version:
type: string
required: true
default: current
description: Set to 'current' to use currently deployed chart version or '0.x.y' to specify chart
jobs:
# Note - build occurs again here, even though this image has been built in continuous.
# This is because in continuous, the images are pushed to the dev registry
# Logging in to dev and prod to push to both in continuous isn't really catered for
# Since the build strategy is now a push instead of a pull, all images could live in a single registry, at which point this action would use cache and effectively just perform a tag
workflow-check:
runs-on: ubuntu-latest
outputs:
ref: ${{ steps.check.outputs.ref }}
steps:
- id: check
run: |
if [[ "${{ inputs.version }}" == "" ]]; then
echo "ref=${{ github.ref_name }}" >> $GITHUB_OUTPUT
else
echo "ref=v${{ inputs.version }}" >> $GITHUB_OUTPUT
fi
build-generic:
needs: workflow-check
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
strategy:
matrix:
app: [ web, node ]
steps:
- uses: actions/checkout@v2
with:
ref: ${{ needs.workflow-check.outputs.ref }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- id: auth
name: Authenticate to Google Cloud
uses: google-github-actions/auth@v1
with:
token_format: 'access_token'
workload_identity_provider: 'projects/${{ secrets.CONTEXTUS_GKE_PROJECT_ID}}/locations/global/workloadIdentityPools/github/providers/github'
service_account: '${{ secrets.CONTEXTUS_GKE_SA }}'
- name: Login to GCR
uses: docker/login-action@v1
with:
registry: gcr.io
username: oauth2accesstoken
password: '${{ steps.auth.outputs.access_token }}'
- name: Login to GAR
uses: docker/login-action@v1
with:
registry: us-east1-docker.pkg.dev
username: oauth2accesstoken
password: '${{ steps.auth.outputs.access_token }}'
- name: Get current date
id: date
run: echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
- name: Generate image metadata
id: meta
uses: docker/metadata-action@v3
with:
images: |
gcr.io/${{ secrets.PROD_GKE_PROJECT }}/${{ secrets.IMAGE_NAME }}-${{ matrix.app }}
us-east1-docker.pkg.dev/${{ secrets.PROD_GKE_PROJECT }}/containers/${{ secrets.IMAGE_NAME }}-${{ matrix.app }}
# generate Docker tags based on the following events/attributes
tags: |
type=ref,event=tag
type=sha,enable=true,priority=100,prefix=sha-,suffix=-${{ steps.date.outputs.date }},format=short
type=sha
type=semver,pattern={{raw}},value=${{needs.workflow-check.outputs.ref}}
flavor: |
latest=true
- name: build and push
uses: docker/build-push-action@v3
with:
# cache-from: type=registry,ref=$gcr.io/${{ secrets.PROD_GKE_PROJECT_PROJECT }}/{{ secrets.IMAGE_NAME }}-${{ matrix.app }}/cache
# cache-to: type=registry,ref=$gcr.io/${{ secrets.PROD_GKE_PROJECT }}/{{ secrets.IMAGE_NAME }}-${{ matrix.app }}/cache,mode=max
context: .
push: true
file: ./build/${{ matrix.app }}/Dockerfile
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-derived:
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
needs:
- build-generic
- workflow-check
strategy:
matrix:
app: [ asset, linker ]
steps:
- uses: actions/checkout@v2
with:
ref: ${{ needs.workflow-check.outputs.ref }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- id: auth
name: Authenticate to Google Cloud
uses: google-github-actions/auth@v1
with:
token_format: 'access_token'
workload_identity_provider: 'projects/${{ secrets.CONTEXTUS_GKE_PROJECT_ID}}/locations/global/workloadIdentityPools/github/providers/github'
service_account: '${{ secrets.CONTEXTUS_GKE_SA }}'
- name: Login to GCR
uses: docker/login-action@v1
with:
registry: gcr.io
username: oauth2accesstoken
password: '${{ steps.auth.outputs.access_token }}'
- name: Login to GAR
uses: docker/login-action@v1
with:
registry: us-east1-docker.pkg.dev
username: oauth2accesstoken
password: '${{ steps.auth.outputs.access_token }}'
- name: Get current date
id: date
run: echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
- name: Generate image metadata
id: meta
uses: docker/metadata-action@v3
with:
images: |
gcr.io/${{ secrets.PROD_GKE_PROJECT }}/${{ secrets.IMAGE_NAME }}-${{ matrix.app }}
us-east1-docker.pkg.dev/${{ secrets.PROD_GKE_PROJECT }}/containers/${{ secrets.IMAGE_NAME }}-${{ matrix.app }}
# generate Docker tags based on the following events/attributes
tags: |
type=ref,event=tag
type=sha,enable=true,priority=100,prefix=sha-,suffix=-${{ steps.date.outputs.date }},format=short
type=sha
type=semver,pattern={{raw}},value=${{needs.workflow-check.outputs.ref}}
flavor: |
latest=true
- name: build and push
uses: docker/build-push-action@v3
with:
# cache-from: type=registry,ref=${{ secrets.IMAGE_NAME }}-${{ matrix.app }}/cache
# cache-to: type=registry,ref=${{ secrets.IMAGE_NAME }}-${{ matrix.app }}/cache,mode=max
context: .
push: true
build-args: |
SRC_IMG=us-east1-docker.pkg.dev/${{ secrets.PROD_GKE_PROJECT }}/containers/${{ secrets.IMAGE_NAME }}-web:${{ needs.workflow-check.outputs.ref }}
file: ./build/${{ matrix.app }}/Dockerfile
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
prod-deploy:
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
needs:
- build-derived
- workflow-check
steps:
- name: Checkout Code
uses: actions/checkout@v2
with:
ref: ${{ needs.workflow-check.outputs.ref }}
- id: auth
name: Authenticate to Google Cloud
uses: google-github-actions/auth@v1
with:
token_format: 'access_token'
workload_identity_provider: 'projects/${{ secrets.CONTEXTUS_GKE_PROJECT_ID}}/locations/global/workloadIdentityPools/github/providers/github'
service_account: '${{ secrets.CONTEXTUS_GKE_SA }}'
- name: Setup GCloud
uses: google-github-actions/setup-gcloud@v0
with:
project_id: ${{ secrets.PROD_GKE_PROJECT }}
install_components: 'gke-gcloud-auth-plugin'
- name: Authenticate GHA Runner To Target Cluster
uses: google-github-actions/get-gke-credentials@v0
with:
cluster_name: ${{secrets.PROD_GKE_CLUSTER}}
location: ${{secrets.PROD_GKE_REGION}}
project_id: ${{secrets.PROD_GKE_PROJECT}}
- name: Set up yq
uses: frenck/action-setup-yq@v1
- name: Determine chart version
id: chart_version
run: |
if [[ "${{ inputs.chart_version }}" == "current" ]]; then
echo "chart_version=${{ vars.CHART_VERSION }}" >> $GITHUB_OUTPUT
else
echo "chart_version=${{ inputs.chart_version }}" >> $GITHUB_OUTPUT
fi
- name: Deploy Production
run: ./build/ci/production-helm-deploy.sh build/ci/production-values.yaml
env:
GIT_COMMIT: "${{ needs.workflow-check.outputs.ref }}"
PROJECT_ID: "${{ secrets.PROD_GKE_PROJECT }}"
NAMESPACE: "${{secrets.PROD_GKE_NAMESPACE}}"
IMAGE_NAME: "${{ secrets.IMAGE_NAME }}"
CHART_VERSION: "${{ steps.chart_version.outputs.chart_version }}"
- name: Update workflow default chart
if: github.ref == 'refs/heads/master'
run: >
curl -L
-X PATCH
-H "Accept: application/vnd.github+json"
-H "Authorization: Bearer ${{ secrets.WORKFLOW_AUTOMATION_TOKEN }}"
-H "X-GitHub-Api-Version: 2022-11-28"
https://api.github.com/repos/Sefaria/Sefaria-Project/actions/variables/CHART_VERSION
-d '{"name":"CHART_VERSION","value":"${{ steps.chart_version.outputs.chart_version }}"}'