Merge pull request #83 from Vizzuality/SKY30-152-implement-the-follow… #140
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# The workflow uses GH Secrets managed by Terraform: | |
# - GCP_PROJECT_ID | |
# - GCP_REGION | |
# - <environment>_GCP_SA_KEY - credentials json for authentication | |
# - <environment>_CLIENT_ENV_TF_MANAGED | |
# - <environment>_CMS_ENV_TF_MANAGED | |
# - <environment>_CLIENT_REPOSITORY | |
# - <environment>_CLIENT_SERVICE | |
# - <environment>_CMS_REPOSITORY | |
# - <environment>_CMS_SERVICE | |
# - <environment>_ANALYSIS_CF_NAME | |
# | |
# it also uses the following secrets not managed by Terraform: | |
# - <environment>_CLIENT_ENV | |
name: Run deploy | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- main | |
- develop | |
paths: | |
- 'frontend/**' | |
- 'cms/**' | |
- 'cloud_functions/**' | |
- '.github/workflows/*' | |
env: | |
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} | |
GAR_LOCATION: ${{ secrets.GCP_REGION }} | |
REGION: ${{ secrets.GCP_REGION }} | |
jobs: | |
deploy_client: | |
# Add 'id-token' with the intended permissions for workload identity federation | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Extract branch name | |
shell: bash | |
run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
id: extract_branch | |
- name: Extract environment name | |
env: | |
ENVIRONMENT: ${{ steps.extract_branch.outputs.branch == 'main' && 'PRODUCTION' || 'STAGING' }} | |
run: echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT | |
id: extract_environment | |
#- name: Google Auth authentication via credentials json | |
- name: Google Auth | |
id: auth | |
uses: 'google-github-actions/auth@v1' | |
with: | |
credentials_json: "${{ secrets[format('{0}_GCP_SA_KEY', steps.extract_environment.outputs.environment)] }}" | |
token_format: 'access_token' | |
# Authenticate Docker to Google Cloud Artifact Registry via credentials json | |
- name: Docker Auth | |
id: docker-auth | |
uses: 'docker/login-action@v3' | |
with: | |
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev | |
username: _json_key | |
password: ${{ secrets[format('{0}_GCP_SA_KEY', steps.extract_environment.outputs.environment)] }} | |
- name: Copy env variables to docker | |
run: | | |
echo "${{ secrets[format('{0}_CLIENT_ENV', steps.extract_environment.outputs.environment)] }}" > frontend/.env.local | |
# append Terraform managed secrets | |
echo "${{ secrets[format('{0}_CLIENT_ENV_TF_MANAGED', steps.extract_environment.outputs.environment)] }}" >> frontend/.env.local | |
- name: Build and Push Container | |
env: | |
REPOSITORY: ${{ secrets[format('{0}_CLIENT_REPOSITORY', steps.extract_environment.outputs.environment)] }} | |
SERVICE: ${{ secrets[format('{0}_CLIENT_SERVICE', steps.extract_environment.outputs.environment)] }} | |
run: |- | |
docker build -f frontend/Dockerfile.prod -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}" ./frontend | |
docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}" | |
# tag as "latest" | |
docker tag "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}" "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:latest" | |
docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:latest" | |
- name: Deploy to Cloud Run | |
env: | |
REPOSITORY: ${{ secrets[format('{0}_CLIENT_REPOSITORY', steps.extract_environment.outputs.environment)] }} | |
SERVICE: ${{ secrets[format('{0}_CLIENT_SERVICE', steps.extract_environment.outputs.environment)] }} | |
id: deploy | |
uses: google-github-actions/deploy-cloudrun@v1 | |
with: | |
service: ${{ env.SERVICE }} | |
region: ${{ env.REGION }} | |
image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }} | |
# NOTE: You can also set env variables here: | |
# env_vars: | | |
# NODE_ENV=production | |
# TOKEN_EXPIRE=6400 | |
# If required, use the Cloud Run url output in later steps | |
- name: Show Output | |
run: echo ${{ steps.deploy.outputs.url }} | |
deploy_cms: | |
# Add 'id-token' with the intended permissions for workload identity federation | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Extract branch name | |
shell: bash | |
run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
id: extract_branch | |
- name: Extract environment name | |
env: | |
ENVIRONMENT: ${{ steps.extract_branch.outputs.branch == 'main' && 'PRODUCTION' || 'STAGING' }} | |
run: echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT | |
id: extract_environment | |
- name: Google Auth | |
id: auth | |
uses: 'google-github-actions/auth@v1' | |
with: | |
credentials_json: "${{ secrets[format('{0}_GCP_SA_KEY', steps.extract_environment.outputs.environment)] }}" | |
token_format: 'access_token' | |
# Authenticate Docker to Google Cloud Artifact Registry via credentials json | |
- name: Docker Auth | |
id: docker-auth | |
uses: 'docker/login-action@v3' | |
with: | |
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev | |
username: _json_key | |
password: ${{ secrets[format('{0}_GCP_SA_KEY', steps.extract_environment.outputs.environment)] }} | |
- name: Copy env variables to docker | |
run: | | |
echo "${{ secrets[format('{0}_CMS_ENV_TF_MANAGED', steps.extract_environment.outputs.environment)] }}" > cms/.env | |
- name: Build and Push Container | |
env: | |
REPOSITORY: ${{ secrets[format('{0}_CMS_REPOSITORY', steps.extract_environment.outputs.environment)] }} | |
SERVICE: ${{ secrets[format('{0}_CMS_SERVICE', steps.extract_environment.outputs.environment)] }} | |
run: |- | |
docker build -f cms/Dockerfile.prod -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}" ./cms | |
docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}" | |
# tag as "latest" | |
docker tag "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}" "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:latest" | |
docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:latest" | |
- name: Deploy to Cloud Run | |
env: | |
REPOSITORY: ${{ secrets[format('{0}_CMS_REPOSITORY', steps.extract_environment.outputs.environment)] }} | |
SERVICE: ${{ secrets[format('{0}_CMS_SERVICE', steps.extract_environment.outputs.environment)] }} | |
id: deploy | |
uses: google-github-actions/deploy-cloudrun@v1 | |
with: | |
service: ${{ env.SERVICE }} | |
region: ${{ env.REGION }} | |
image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }} | |
# NOTE: You can also set env variables here: | |
# env_vars: | | |
# NODE_ENV=production | |
# TOKEN_EXPIRE=6400 | |
# If required, use the Cloud Run url output in later steps | |
- name: Show Output | |
run: echo ${{ steps.deploy.outputs.url }} | |
deploy_cloud_functions: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Extract branch name | |
shell: bash | |
run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
id: extract_branch | |
- name: Extract environment name | |
env: | |
ENVIRONMENT: ${{ steps.extract_branch.outputs.branch == 'main' && 'PRODUCTION' || 'STAGING' }} | |
run: echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT | |
id: extract_environment | |
- name: Google Auth | |
id: auth | |
uses: 'google-github-actions/auth@v1' | |
with: | |
credentials_json: "${{ secrets[format('{0}_GCP_SA_KEY', steps.extract_environment.outputs.environment)] }}" | |
token_format: 'access_token' | |
- name: 'Set up Cloud SDK' | |
uses: 'google-github-actions/setup-gcloud@v1' | |
with: | |
version: '>= 363.0.0' | |
- name: 'Use gcloud CLI' | |
run: 'gcloud info' | |
- name: 'Deploy to gen2 cloud function' | |
env: | |
CLOUD_FUNCTION_NAME: ${{ secrets[format('{0}_ANALYSIS_CF_NAME', steps.extract_environment.outputs.environment)] }} | |
run: | | |
gcloud functions deploy ${{ env.CLOUD_FUNCTION_NAME }} \ | |
--gen2 \ | |
--region=${{ env.REGION }} \ | |
--source=./cloud_functions/analysis \ |