🔐 Use environments to separate staging and production deployment targets
kierandrewett committed Apr 27, 2024
1 parent 3ab3c53 commit 82c2ebd
Showing 2 changed files with 52 additions and 35 deletions.
44 changes: 38 additions & 6 deletions .github/workflows/deploy.yml
Expand Up @@ -5,9 +5,6 @@ on:
branches: ["production", "staging"]
workflow_dispatch:

env:
SERVER_HOSTNAME: "dothq-org"

jobs:
build:
runs-on: ubuntu-latest
Expand All @@ -29,18 +26,53 @@ jobs:
yarn build
- name: Test
if: github.ref == 'refs/heads/production'
run: |
yarn dev &
SERVER_PID=$!
while ! nc -z localhost 3000; do
while ! nc -z localhost 3000; do
sleep 0.1
done
yarn test
deploy:
# Staging deployments
deploy-staging:
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/staging'
environment:
name: Staging
url: "http://dothq.local"
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Deploy to staging server
uses: ./.github/actions/run-via-ssh
with:
ts_hostname: ${{ vars.SERVER_HOSTNAME }}
ts_oauth_client_id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
ts_oauth_secret: ${{ secrets.TS_OAUTH_SECRET }}
ts_tags: tag:ci
ssh_username: ci
ssh_private_key: ${{ secrets.CI_PRIVATE_KEY }}
run: |
cd /app
git reset --hard
git pull
./scripts/rebuild_docker.sh
# Production deployments
deploy-production:
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/production'
environment:
name: Production
url: "https://www.dothq.org"
permissions:
contents: read

Expand All @@ -51,7 +83,7 @@ jobs:
- name: Deploy to production server
uses: ./.github/actions/run-via-ssh
with:
ts_hostname: ${{ env.SERVER_HOSTNAME }}
ts_hostname: ${{ vars.SERVER_HOSTNAME }}
ts_oauth_client_id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
ts_oauth_secret: ${{ secrets.TS_OAUTH_SECRET }}
ts_tags: tag:ci
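Review bot: The separation this commit aims for only holds if `CI_PRIVATE_KEY`, `TS_OAUTH_CLIENT_ID` and `TS_OAUTH_SECRET` are defined as environment-scoped secrets on `Staging` and `Production`; as written, `deploy-staging` (gated only by `github.ref == 'refs/heads/staging'`) reads the same secret names as the production job, so repository-level secrets would hand the production SSH key and Tailscale credentials to a job triggered from the staging branch. I cannot tell from the workflow where the secrets live, so it is worth confirming in the repository settings and stating above the job, e.g. `# secrets/vars below are expected to be Environment-scoped (Staging), not repository-level`. Separately, the staging deploy step runs `git reset --hard` then `git pull`, which deploys whatever the branch points at when the job runs rather than the `${{ github.sha }}` that `build` compiled, so a push landing between the two jobs deploys an unbuilt commit; `git fetch origin` followed by `git reset --hard ${{ github.sha }}` pins the deployed revision. Note also that the `Test` step at the top of the hunk is still gated to production, so staging deploys without the test run. The production job's `run:` block lies outside this hunk, so I cannot see whether it has the same shape.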
43 changes: 14 additions & 29 deletions .github/workflows/renew.yml
@@ -1,46 +1,31 @@
name: Renew certificates
name: Renew production certificates

on:
workflow_dispatch:
schedule:
- cron: "0 5 * * *" # every day at 5am

env:
SERVER_ID: "32657111668989263"

jobs:
renew:
runs-on: ubuntu-latest
environment:
name: Production
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Retrieve server hostname
run: |
TS_JSON=$(curl "https://api.tailscale.com/api/v2/device/${{ env.SERVER_ID }}" -u "${{ secrets.TS_KEY }}:")
HOSTNAME=$(echo $TS_JSON | jq -r '.name')
echo "SERVER_HOSTNAME=$HOSTNAME" >> $GITHUB_ENV
- name: Connect to Tailscale network
uses: tailscale/github-action@v2
- name: Renew production certificates
uses: ./.github/actions/run-via-ssh
with:
oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
tags: tag:ci
version: "1.46.0"

- name: Install SSH key
run: |
install -m 600 -D /dev/null ~/.ssh/id_rsa
echo "${{ secrets.CI_PRIVATE_KEY }}" > ~/.ssh/id_rsa
ssh-keyscan -H ${{ env.SERVER_HOSTNAME }} > ~/.ssh/known_hosts
- name: Connect over SSH and deploy
run: |
ssh -t ci@${{ env.SERVER_HOSTNAME }} "cd /app && ./scripts/renew_certificates_docker.sh"
- name: Nuke SSH keys
run: rm -rf ~/.ssh
ts_hostname: ${{ vars.SERVER_HOSTNAME }}
ts_oauth_client_id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
ts_oauth_secret: ${{ secrets.TS_OAUTH_SECRET }}
ts_tags: tag:ci
ssh_username: ci
ssh_private_key: ${{ secrets.CI_PRIVATE_KEY }}
run: |
cd /app
./scripts/renew_certificates_docker.sh
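Review bot: Attaching `environment: Production` to a job driven by the `schedule` trigger can stall renewals: a cron run executes on the default branch's ref, so if the Production environment restricts deployment branches to `production` or requires reviewers, the nightly job will be rejected or sit waiting for approval instead of renewing certificates. Whether that applies depends on the environment's protection rules, which are not visible here, so a comment above `environment:` would help, e.g. `# scheduled runs use the default branch: keep it in this environment's allowed deployment branches and do not require reviewers`. Also, the removed `Retrieve server hostname` step was the only consumer of `secrets.TS_KEY` and `env.SERVER_ID` in this file; if no other workflow uses `TS_KEY`, it should be revoked and deleted from repository secrets rather than left as an unused standing credential.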

0 comments on commit 82c2ebd
