Wrapped username and password data in encodeURIComponent (#224) #140
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and deploy website | |
on: | |
push: | |
branches: | |
- master | |
paths-ignore: | |
- '**.md' # Don't deploy when markdown files are edited | |
- 'deploy/kubernetes/dev' # Ignore changes to dev environment | |
- 'Tiltfile' # Ignore changes to dev environment | |
- 'startdev.sh' # Ignore changes to dev environment | |
- 'old_website_migration/' # Ignore changes to scripts | |
jobs: | |
deploy: | |
name: Apply Terraform configuration, build containers, and deploy to Kubernetes | |
runs-on: ubuntu-latest | |
env: | |
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
HCLOUD_TOKEN: ${{ secrets.HETZNER_API_TOKEN }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.TF_STATE_BUCKET_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_STATE_BUCKET_KEY }} | |
B2_APPLICATION_KEY_ID: ${{ secrets.B2_MASTER_KEY_ID }} | |
B2_APPLICATION_KEY: ${{ secrets.B2_MASTER_KEY }} | |
TF_VAR_pw_hash: ${{ secrets.NODE_ROOT_USER_PW_HASH }} | |
steps: | |
- uses: actions/checkout@v3 | |
# https://learn.hashicorp.com/tutorials/terraform/github-actions?in=terraform/automation | |
- uses: hashicorp/setup-terraform@v2 | |
- name: Terraform Init | |
run: terraform init | |
working-directory: deploy/terraform | |
- name: Terraform Apply | |
run: terraform apply -auto-approve -input=false | |
working-directory: deploy/terraform | |
# How to fetch Terraform variables from CLI | |
# https://learn.hashicorp.com/tutorials/terraform/outputs | |
- name: Get node IPv4 address # GITHUB DOESNT SUPPORT IPV6 FFS | |
id: tf_ip_addr | |
run: terraform output -raw ipv4_address | |
working-directory: deploy/terraform | |
- uses: hashicorp/setup-terraform@v2 # Remove wrapper so that we can output directly to files | |
with: | |
terraform_wrapper: false | |
- name: Get Cloudflare token for Let's Encrypt | |
id: tf_cf_le_token | |
run: terraform output -raw cloudflare-le-token > ../kubernetes/tmeit-se/certificate/cloudflare-api-token | |
working-directory: deploy/terraform | |
- name: Get name for the B2 database backup bucket | |
id: tf_b2_db_bucket | |
run: terraform output -raw b2-db-backup-bucket > ../kubernetes/tmeit-se/postgres/b2-db-backup-bucket | |
working-directory: deploy/terraform | |
- name: Get B2 appkey id for DB backups | |
id: tf_b2_db_id | |
run: terraform output -raw b2-db-key-id > ../kubernetes/tmeit-se/postgres/b2-db-backup-id | |
working-directory: deploy/terraform | |
- name: Get B2 appkey secret for DB backups | |
id: tf_b2_db_secret | |
run: terraform output -raw b2-db-key-secret > ../kubernetes/tmeit-se/postgres/b2-db-backup-key | |
working-directory: deploy/terraform | |
- name: Get SSH key | |
run: terraform output -raw ssh_key > "$HOME/id_ed25519" | |
working-directory: deploy/terraform | |
- name: chmod SSH key | |
run: chmod 700 "$HOME/id_ed25519" | |
- name: Download kubeconfig file | |
run: | | |
scp \ | |
-qo "StrictHostKeyChecking=no" \ | |
-i "$HOME/id_ed25519" \ | |
root@${{ steps.tf_ip_addr.outputs.stdout }}:/etc/rancher/k3s/k3s.yaml . | |
- name: Set kubeconfig server URL | |
uses: mikefarah/yq@master | |
with: | |
cmd: yq -i '.clusters[0].cluster.server = "https://${{ steps.tf_ip_addr.outputs.stdout }}:6443"' "k3s.yaml" | |
- name: Move kubeconfig to ~/.kube/config | |
run: mkdir "$HOME/.kube/" && mv k3s.yaml "$HOME/.kube/config" | |
- uses: actions/setup-python@v3 | |
with: | |
python-version: '3.10' | |
- name: Get release version | |
run: python release_utils/get_version.py gh-actions | |
shell: sh | |
id: release_version | |
- name: Build OCI image for tmeit-app | |
uses: redhat-actions/buildah-build@v2 | |
with: | |
image: ghcr.io/tmeit/tmeit-app | |
tags: "${{ steps.release_version.outputs.version }}" | |
context: '.' | |
containerfiles: |- | |
containerfiles/tmeit-app.Containerfile | |
- name: Build OCI image for tmeit-run-migrations | |
uses: redhat-actions/buildah-build@v2 | |
with: | |
image: ghcr.io/tmeit/tmeit-run-migrations | |
tags: "${{ steps.release_version.outputs.version }}" | |
context: '.' | |
containerfiles: |- | |
containerfiles/tmeit-run-migrations.Containerfile | |
- name: Build OCI image for tmeit-worker | |
uses: redhat-actions/buildah-build@v2 | |
with: | |
image: ghcr.io/tmeit/tmeit-worker | |
tags: "${{ steps.release_version.outputs.version }}" | |
context: '.' | |
containerfiles: |- | |
containerfiles/tmeit-worker.Containerfile | |
- name: Build OCI image for db-backup-agent | |
uses: redhat-actions/buildah-build@v2 | |
with: | |
image: ghcr.io/tmeit/db-backup-agent | |
tags: "${{ steps.release_version.outputs.version }}" | |
context: '.' | |
containerfiles: |- | |
containerfiles/db-backup-agent.Containerfile | |
- name: Export OCI images | |
run: | | |
podman save --format docker-archive -o tmeit-app-docker-container.tar ghcr.io/tmeit/tmeit-app:${{ steps.release_version.outputs.version }} | |
podman save --format docker-archive -o tmeit-run-migrations-docker-container.tar ghcr.io/tmeit/tmeit-run-migrations:${{ steps.release_version.outputs.version }} | |
podman save --format docker-archive -o tmeit-worker-docker-container.tar ghcr.io/tmeit/tmeit-worker:${{ steps.release_version.outputs.version }} | |
podman save --format docker-archive -o db-backup-agent-docker-container.tar ghcr.io/tmeit/db-backup-agent:${{ steps.release_version.outputs.version }} | |
- name: Send tmeit-app image to publish-tag job # https://stackoverflow.com/a/57877438 | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "tmeit-app-image" | |
path: "tmeit-app-docker-container.tar" | |
- name: Send tmeit-run-migrations image to publish-tag job | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "tmeit-run-migrations-image" | |
path: "tmeit-run-migrations-docker-container.tar" | |
- name: Send tmeit-worker image to publish-tag job | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "tmeit-worker-image" | |
path: "tmeit-worker-docker-container.tar" | |
- name: Send db-backup-agent image to publish-tag job | |
uses: actions/upload-artifact@v3 | |
with: | |
name: "db-backup-agent-image" | |
path: "db-backup-agent-docker-container.tar" | |
- name: Log in to gh registry | |
uses: redhat-actions/podman-login@v1 | |
with: | |
username: "${{ github.actor }}" | |
password: "${{ secrets.GITHUB_TOKEN }}" | |
registry: "ghcr.io/tmeit" | |
- name: Publish OCI images # This is where kubernetes will download the images from | |
run: | | |
podman push ghcr.io/tmeit/tmeit-app:${{ steps.release_version.outputs.version }} | |
podman push ghcr.io/tmeit/tmeit-run-migrations:${{ steps.release_version.outputs.version }} | |
podman push ghcr.io/tmeit/tmeit-worker:${{ steps.release_version.outputs.version }} | |
podman push ghcr.io/tmeit/db-backup-agent:${{ steps.release_version.outputs.version }} | |
- name: 'Push manifests to prod' | |
# We delete the job because jobs are immutable, but we also don't want to break our migration-check init-container with an old job | |
# NOTE: latest version of kubectl can be found here https://dl.k8s.io/release/stable.txt | |
run: | | |
curl -LO "https://dl.k8s.io/release/v1.25.3/bin/linux/amd64/kubectl" | |
curl -LO "https://dl.k8s.io/v1.25.3/bin/linux/amd64/kubectl.sha256" | |
echo "$(cat kubectl.sha256) kubectl" | sha256sum --check | |
chmod +x kubectl | |
kubectl delete -f deploy/kubernetes/tmeit-se/run-migrations/job.yaml | |
kubectl apply --server-side=true --force-conflicts -k deploy/kubernetes/tmeit-se/ | |
# kubectl 1.25.3 has kustomize 4.5.7 built-in, according to "kubectl version" | |
publish-tag: | |
name: Publish GH release | |
runs-on: ubuntu-latest | |
needs: deploy # Run after deploy so that we can get the docker image for publishing | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: '0' | |
- uses: actions/setup-python@v3 | |
with: | |
python-version: '3.10' | |
- name: Get release version | |
run: python release_utils/get_version.py gh-actions | |
shell: sh | |
id: release_version | |
- name: Build k8s manifests | |
uses: stefanprodan/kube-tools@v1 | |
with: | |
kustomize: '4.5.4' | |
command: |- | |
kustomize build deploy/kubernetes/tmeit-se -o k8s-manifests.yaml | |
- name: Receive tmeit-app image from build-push job # https://stackoverflow:com/a/57877438 | |
uses: actions/download-artifact@v3 | |
with: | |
name: "tmeit-app-image" | |
- name: Receive tmeit-run-migrations image from build-push job | |
uses: actions/download-artifact@v3 | |
with: | |
name: "tmeit-run-migrations-image" | |
- name: Receive tmeit-worker image from build-push job | |
uses: actions/download-artifact@v3 | |
with: | |
name: "tmeit-worker-image" | |
- name: Receive db-backup-agent image from build-push job | |
uses: actions/download-artifact@v3 | |
with: | |
name: "db-backup-agent-image" | |
- name: Create git tag | |
uses: anothrNick/[email protected] | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
CUSTOM_TAG: "${{ steps.release_version.outputs.version }}" | |
- name: Generate changelog | |
uses: loopwerk/tag-changelog@v1 | |
id: changelog | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create GH release | |
uses: softprops/action-gh-release@v1 | |
with: | |
tag_name: "${{ steps.release_version.outputs.version }}" | |
body: "${{ steps.changelog.outputs.changelog }}" | |
files: | | |
tmeit-app-docker-container.tar | |
tmeit-run-migrations-docker-container.tar | |
tmeit-worker-docker-container.tar | |
db-backup-agent-docker-container.tar | |
k8s-manifests.yaml |