add: uptime-kuma and workflow files (#1)

* add: uptime-kuma and workflow files * imp: use latest uptime kuma for better DB management * ref(deploy): allow an external `mariadb` database * fix(db): patch `knex_init_db.js` file * fix(runtime): avoid spawning zombie processes * chore: do not commit `trunk` linting confs * fix(actions): permissions * imp(deploy): use secrets from GCP secret manager
ZcashFoundation · Jul 15, 2024 · 16a3f21 · 16a3f21
1 parent 7dac323
commit 16a3f21
Show file tree

Hide file tree

Showing 15 changed files with 1,291 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+version: 2
+updates:
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly
+    commit-message:
+      prefix: "deps(docker) "
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    commit-message:
+      prefix: "deps(actions) "
+    groups:
+      devops:
+        patterns:
+          - "*"
diff --git a/.github/workflows/cd-deploy-to-dev.yml b/.github/workflows/cd-deploy-to-dev.yml
@@ -0,0 +1,61 @@
+name: Deploy to dev
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled]
+    paths:
+      - '**/Dockerfile'
+      - 'scripts/**'
+      - 'etc/litestream.yml'
+      - .github/workflows/cd-deploy-to-dev.yml
+      - .github/workflows/sub-cloudrun-deploy.yml
+
+concurrency:
+  # Ensures that only one workflow task will run at a time. Previous builds, if
+  # already in process, will get cancelled. Only the latest commit will be allowed
+  # to run, cancelling any workflows in between
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  actions: read
+  attestations: read
+  checks: read
+  contents: read
+  deployments: read
+  id-token: write
+  issues: read
+  discussions: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  security-events: read
+  statuses: read
+
+jobs:
+  build:
+    uses: ./.github/workflows/sub-build-docker-image.yml
+    with:
+      environment: dev
+      dockerfile_path: ./docker/Dockerfile
+      dockerfile_target: runner
+      app_name: ${{ vars.APP_NAME }}
+      registry: ${{ vars.GAR_BASE }}
+    secrets: inherit
+
+  deploy:
+    needs: [build]
+    uses: ./.github/workflows/sub-cloudrun-deploy.yml
+    with:
+      environment: dev
+      project_id: ${{ vars.GCP_PROJECT }}
+      region: ${{ vars.GCP_REGION }}
+      app_name: ${{ vars.APP_NAME }}
+      registry: ${{ vars.GAR_BASE }}
+      image_digest: ${{ needs.build.outputs.image_digest }}
+      min_instances: '0'
+      max_instances: '30'
+      cpu: '1'
+      memory: 1Gi
+    secrets: inherit
diff --git a/.github/workflows/cd-deploy-to-prod.yml b/.github/workflows/cd-deploy-to-prod.yml
@@ -0,0 +1,57 @@
+name: Deploy to prod
+
+on:
+  release:
+    types:
+      - published
+
+concurrency:
+  # Ensures that only one workflow task will run at a time. Previous builds, if
+  # already in process, will get cancelled. Only the latest commit will be allowed
+  # to run, cancelling any workflows in between
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  actions: read
+  attestations: read
+  checks: read
+  contents: read
+  deployments: read
+  id-token: write
+  issues: read
+  discussions: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  security-events: read
+  statuses: read
+
+jobs:
+  build:
+    # needs: [test]
+    uses: ./.github/workflows/sub-build-docker-image.yml
+    with:
+      environment: prod
+      dockerfile_path: ./docker/Dockerfile
+      dockerfile_target: runner
+      app_name: ${{ vars.APP_NAME }}
+      registry: ${{ vars.GAR_BASE }}
+    secrets: inherit
+
+  deploy:
+    needs: [build]
+    uses: ./.github/workflows/sub-cloudrun-deploy.yml
+    with:
+      environment: prod
+      project_id: ${{ vars.GCP_PROJECT }}
+      region: ${{ vars.GCP_REGION }}
+      app_name: ${{ vars.APP_NAME }}
+      registry: ${{ vars.GAR_BASE }}
+      image_digest: ${{ needs.build.outputs.image_digest }}
+      min_instances: '1'
+      max_instances: '10'
+      cpu: '1'
+      memory: 1Gi
+    secrets: inherit
diff --git a/.github/workflows/cd-deploy-to-test.yml b/.github/workflows/cd-deploy-to-test.yml
@@ -0,0 +1,62 @@
+name: Deploy to test
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '**/Dockerfile'
+      - 'scripts/**'
+      - 'etc/litestream.yml'
+      - .github/workflows/cd-deploy-to-test.yml
+      - .github/workflows/sub-cloudrun-deploy.yml
+
+concurrency:
+  # Ensures that only one workflow task will run at a time. Previous builds, if
+  # already in process, will get cancelled. Only the latest commit will be allowed
+  # to run, cancelling any workflows in between
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  actions: read
+  attestations: read
+  checks: read
+  contents: read
+  deployments: read
+  id-token: write
+  issues: read
+  discussions: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  security-events: read
+  statuses: read
+
+jobs:
+  build:
+    uses: ./.github/workflows/sub-build-docker-image.yml
+    with:
+      environment: test
+      dockerfile_path: ./docker/Dockerfile
+      dockerfile_target: runner
+      app_name: ${{ vars.APP_NAME }}
+      registry: ${{ vars.GAR_BASE }}
+    secrets: inherit
+
+  deploy:
+    needs: [build]
+    uses: ./.github/workflows/sub-cloudrun-deploy.yml
+    with:
+      environment: test
+      project_id: ${{ vars.GCP_PROJECT }}
+      region: ${{ vars.GCP_REGION }}
+      app_name: ${{ vars.APP_NAME }}
+      registry: ${{ vars.GAR_BASE }}
+      image_digest: ${{ needs.build.outputs.image_digest }}
+      min_instances: '0'
+      max_instances: '30'
+      cpu: '1'
+      memory: 1Gi
+    secrets: inherit
diff --git a/.github/workflows/chore-clean-dev.yml b/.github/workflows/chore-clean-dev.yml
@@ -0,0 +1,35 @@
+name: Clean dev instances
+
+on:
+  delete:
+  pull_request:
+    branches:
+      - main
+    types:
+      - closed
+
+permissions: read-all
+
+jobs:
+  delete:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      - name: Inject slug/short variables
+        uses: rlespinasse/[email protected]
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/[email protected]
+        with:
+          workload_identity_provider: '${{ vars.GCP_WIF }}'
+          project_id: '${{ vars.GCP_PROJECT }}'
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/[email protected]
+
+      - name: Removing CR service
+        run: |
+          gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GOOGLE_CLOUD_REGION }} --quiet
diff --git a/.github/workflows/ci-lint-codebase.patch.yml b/.github/workflows/ci-lint-codebase.patch.yml
@@ -0,0 +1,18 @@
+name: Lint Code Base
+
+on:
+  pull_request:
+    branches: [main]
+    paths-ignore:
+      - '**/Dockerfile'
+      - 'scripts/**'
+      - 'etc/litestream.yml'
+      - .github/workflows/ci-lint-codebase.yml
+
+permissions: read-all
+
+jobs:
+  linter:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Job not required"
diff --git a/.github/workflows/ci-lint-codebase.yml b/.github/workflows/ci-lint-codebase.yml
@@ -0,0 +1,57 @@
+name: Lint Code Base
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - '**/Dockerfile'
+      - 'scripts/**'
+      - 'etc/litestream.yml'
+      - .github/workflows/ci-lint-codebase.yml
+
+  push:
+    branches: [main]
+    paths:
+      - '**.sh*'
+      - '**.ts*'
+      - Dockerfile
+      - package.json
+      - pnpm-lock.yaml
+      - .github/workflows/ci-lint-codebase.yml
+
+concurrency:
+  # Ensures that only one workflow task will run at a time. Previous builds, if
+  # already in process, will get cancelled. Only the latest commit will be allowed
+  # to run, cancelling any workflows in between
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+  linter:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code Repository
+        uses: actions/[email protected]
+        with:
+          # Full git history is needed to get a proper
+          # list of changed files within `super-linter`
+          fetch-depth: 0
+
+      - name: Lint Code Base
+        uses: super-linter/super-linter/[email protected]
+        env:
+          LOG_LEVEL: ERROR
+          VALIDATE_ALL_CODEBASE: false
+          VALIDATE_SHELL_SHFMT: false
+          VALIDATE_JSCPD: false
+          VALIDATE_CSS: false
+          VALIDATE_EDITORCONFIG: false
+          VALIDATE_MARKDOWN: false
+          VALIDATE_JAVASCRIPT_ES: false
+          VALIDATE_JAVASCRIPT_STANDARD: false
+          VALIDATE_DOCKERFILE_HADOLINT: false
+          LINTER_RULES_PATH: /
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}