FIPS FAQs, Readme Update (#2004) #1338
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy to Cloud Run | |
on: | |
push: | |
branches: [ "main" ] | |
workflow_dispatch: | |
jobs: | |
deploy: | |
runs-on: ubuntu-latest | |
if: github.repository == 'chainguard-dev/edu' | |
permissions: | |
id-token: write # federates with GCP | |
steps: | |
- name: 'Github Actions Runner' | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- name: 'Checkout default branch to $GITHUB_WORKSPACE dir' | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v3 | |
with: | |
node-version: 16 | |
- name: Update themes | |
run: git submodule update --init --recursive | |
- name: npm install | |
run: npm install | |
- name: npm run build | |
run: npm run build | |
- name: Authenticate to Google Cloud | |
id: auth | |
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v0 | |
with: | |
token_format: 'access_token' | |
project_id: '${{ secrets.PROJECT_ID }}' | |
workload_identity_provider: '${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}' | |
service_account: '${{ secrets.GCP_SERVICE_ACCOUNT }}' | |
- name: Docker Auth | |
id: docker-auth | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: 'oauth2accesstoken' | |
password: '${{ steps.auth.outputs.access_token }}' | |
registry: '${{ secrets.REGISTRY_URL }}' | |
- name: Build and push | |
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 | |
with: | |
context: . | |
push: true | |
tags: '${{ secrets.REGISTRY_URL }}/${{ secrets.PROJECT_ID }}/${{ secrets.REPOSITORY }}/${{ secrets.SERVICE }}:${{ github.sha }}' | |
# Attempt to deploy the terraform configuration | |
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v2.0.0 | |
with: | |
terraform_version: 1.6 | |
- env: | |
TF_VAR_image: '${{ secrets.REGISTRY_URL }}/${{ secrets.PROJECT_ID }}/${{ secrets.REPOSITORY }}/${{ secrets.SERVICE }}:${{ github.sha }}' | |
TF_VAR_project_id: ${{ secrets.PROJECT_ID }} | |
working-directory: ./iac | |
run: | | |
terraform init | |
terraform plan | |
terraform apply -auto-approve | |
- name: Post failure notice to Slack | |
uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2.3.2 | |
if: ${{ failure() }} | |
env: | |
SLACK_ICON: http://github.com/chainguard-dev.png?size=48 | |
SLACK_USERNAME: guardian | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
SLACK_CHANNEL: 'alerts-edu' | |
SLACK_COLOR: '#8E1600' | |
MSG_MINIMAL: 'true' | |
SLACK_TITLE: 'Deploy to cloud run failed - ${{ github.repository }}' | |
SLACK_MESSAGE: | | |
For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} |