Update push-tag.yml - Image digest #18
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # You need to set up Workload Identity Federation in your Google Cloud project in order to use this GitHub Actions definition: https://medium.com/p/3932dce678b8. | |
| # And the secrets.GSA_ID needs to have the roles/artifactregistry.repoAdmin role in order push and delete container images. | |
| name: open-pr | |
| permissions: | |
| contents: read | |
| id-token: write | |
| pull-requests: write | |
| on: | |
| pull_request: | |
| env: | |
| ENVIRONMENT_ID: pr-${{ github.event.number }} | |
| IMAGE_NAME: ${{ secrets.REGISTRY_LOCATION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.REGISTRY_NAME }}/${{ vars.APP_NAME }} | |
| jobs: | |
| build-run-push: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: checkout code | |
| uses: actions/checkout@v3 | |
| - name: build container | |
| run: | | |
| docker build \ | |
| -t ${{ env.IMAGE_NAME }}:${{ env.ENVIRONMENT_ID }} \ | |
| app/ | |
| - name: run container | |
| run: | | |
| docker run \ | |
| -d \ | |
| -p 8080:8080 \ | |
| --read-only \ | |
| --cap-drop=ALL \ | |
| --user=1000 \ | |
| ${{ env.IMAGE_NAME }}:${{ env.ENVIRONMENT_ID }} | |
| - name: test container | |
| run: | | |
| sleep 10 | |
| curl localhost:8080 | |
| - name: authenticate to google cloud | |
| uses: google-github-actions/auth@v1 | |
| with: | |
| workload_identity_provider: '${{ secrets.WI_PROVIDER_ID }}' | |
| service_account: '${{ secrets.GSA_ID }}' | |
| - name: setup gcloud | |
| uses: google-github-actions/setup-gcloud@v1 | |
| with: | |
| version: latest | |
| - name: sign-in to gar | |
| run: | | |
| gcloud auth configure-docker \ | |
| ${{ secrets.REGISTRY_LOCATION }}-docker.pkg.dev \ | |
| --quiet | |
| - name: delete previous container image in gar | |
| run: | | |
| gcloud artifacts docker images delete \ | |
| ${IMAGE_NAME}:${{ env.ENVIRONMENT_ID }} \ | |
| --delete-tags \ | |
| --quiet \ | |
| || true | |
| - name: push the container to gar | |
| run: | | |
| docker push \ | |
| ${{ env.IMAGE_NAME }}:${{ env.ENVIRONMENT_ID }} | |
| deploy-preview-env: | |
| needs: build-run-push | |
| runs-on: ubuntu-latest | |
| env: | |
| BASE_ENVIRONMENT: 'development' | |
| ENVIRONMENT_TYPE: 'development' | |
| ENVIRONMENT_NAME: PR-${{ github.event.number }} | |
| steps: | |
| - name: checkout code | |
| uses: actions/checkout@v3 | |
| - name: create humanitec preview env | |
| run: | | |
| .github/workflows/bin/humctl create environment ${{ env.ENVIRONMENT_ID }} \ | |
| --token ${{ secrets.HUMANITEC_TOKEN }} \ | |
| --context /orgs/${{ secrets.HUMANITEC_ORG }}/apps/${{ vars.APP_NAME }} \ | |
| --name ${{ env.ENVIRONMENT_NAME }} \ | |
| -t ${{ env.ENVIRONMENT_TYPE }} \ | |
| --from ${{ env.BASE_ENVIRONMENT }} \ | |
| || true | |
| - name: authenticate to google cloud | |
| uses: google-github-actions/auth@v1 | |
| with: | |
| workload_identity_provider: '${{ secrets.WI_PROVIDER_ID }}' | |
| service_account: '${{ secrets.GSA_ID }}' | |
| - name: setup gcloud | |
| uses: google-github-actions/setup-gcloud@v1 | |
| with: | |
| version: latest | |
| - name: sign-in to gar | |
| run: | | |
| gcloud auth configure-docker \ | |
| ${{ secrets.REGISTRY_LOCATION }}-docker.pkg.dev \ | |
| --quiet | |
| - name: save container image digest as env var | |
| run: | | |
| echo "IMAGE_DIGEST=$(oras manifest fetch ${{ env.IMAGE_NAME }}:${{ env.ENVIRONMENT_ID }} \ | |
| --descriptor \ | |
| | jq -r .digest)" >> $GITHUB_ENV | |
| - name: install score-humanitec | |
| run: | | |
| SCORE_HUMANITEC_VERSION=$(curl -sL https://api.github.com/repos/score-spec/score-humanitec/releases/latest | jq -r .tag_name) | |
| wget https://github.com/score-spec/score-humanitec/releases/download/${SCORE_HUMANITEC_VERSION}/score-humanitec_${SCORE_HUMANITEC_VERSION}_linux_amd64.tar.gz | |
| tar -xvf score-humanitec_${SCORE_HUMANITEC_VERSION}_linux_amd64.tar.gz | |
| chmod +x score-humanitec | |
| mv score-humanitec /usr/local/bin | |
| - name: deploy score-humanitec | |
| run: | | |
| sed -i "s,image: ${{ vars.APP_NAME }},image: ${{ env.IMAGE_NAME }}@${IMAGE_DIGEST},g" score/score.yaml | |
| score-humanitec delta \ | |
| --retry \ | |
| --deploy \ | |
| --token ${{ secrets.HUMANITEC_TOKEN }} \ | |
| --org ${{ secrets.HUMANITEC_ORG }} \ | |
| --app ${{ vars.APP_NAME }} \ | |
| --env ${{ env.ENVIRONMENT_ID }} \ | |
| -f score/score.yaml \ | |
| --extensions score/humanitec.score.yaml \ | |
| | tee score_output.json | |
| - name: wait for deployment | |
| run: | | |
| sleep 1 | |
| IS_DONE=false | |
| while [ "$IS_DONE" = false ]; do | |
| CURRENT_STATUS=$(.github/workflows/bin/humctl get environment ${{ env.ENVIRONMENT_ID }} -o json \ | |
| --token ${{ secrets.HUMANITEC_TOKEN }} \ | |
| --context /orgs/${{ secrets.HUMANITEC_ORG }}/apps/${{ vars.APP_NAME }} \ | |
| | jq -r .object.last_deploy.status) | |
| INPROGRESS="in progress" | |
| if [ "$CURRENT_STATUS" = "$INPROGRESS" ]; then | |
| echo "Deployment still in progress..." | |
| sleep 1 | |
| else | |
| echo "Deployment complete!" | |
| IS_DONE=true | |
| fi | |
| done | |
| - name: build comment message | |
| run: | | |
| ENV_URL=$(jq -r ".metadata.url" score_output.json) | |
| DEPLOYMENT_ID=$(jq -r ".id" score_output.json) | |
| DOMAINS=$(.github/workflows/bin/humctl get active-resources \ | |
| --token ${{ secrets.HUMANITEC_TOKEN }} \ | |
| --context /orgs/${{ secrets.HUMANITEC_ORG }}/apps/${{ vars.APP_NAME }}/envs/${{ env.ENVIRONMENT_ID }} -o json \ | |
| | jq -r '. | map(. | select(.object.type == "dns")) | map((.object.res_id | split(".") | .[1]) + ": [" + .object.resource.host + "](https://" + .object.resource.host + ")") | join("\n")') | |
| echo "## Deployment Complete for ${{ env.ENVIRONMENT_NAME }}! :tada:" >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo "### [View in Humanitec]($ENV_URL)" >> pr_message.txt | |
| echo "Deployment ID: $DEPLOYMENT_ID" >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo "### Domains:" >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo "$DOMAINS" >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo "<details><summary>Deployment diff</summary>" >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo "### Deployment diff:" >> pr_message.txt | |
| echo '```json' >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| .github/workflows/bin/humctl diff env ${{ env.ENVIRONMENT_ID }} ${{ env.BASE_ENVIRONMENT }} \ | |
| --token ${{ secrets.HUMANITEC_TOKEN }} \ | |
| --context /orgs/${{ secrets.HUMANITEC_ORG }}/apps/${{ vars.APP_NAME }} -o json >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo '```' >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo "</details>" >> pr_message.txt | |
| echo "<details><summary>Score Output</summary>" >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo "### Score Output:" >> pr_message.txt | |
| echo '```json' >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| cat score_output.json >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo '```' >> pr_message.txt | |
| echo "" >> pr_message.txt | |
| echo "</details>" >> pr_message.txt | |
| cat pr_message.txt | |
| - name: comment pr | |
| uses: thollander/actions-comment-pull-request@v2 | |
| with: | |
| filePath: pr_message.txt |