H-3723: Add link table indices (#5771) #1947
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
# We could allow configuring environment here. | |
workflow_dispatch: {} | |
push: | |
branches: | |
- main | |
paths: | |
- ".github/workflows/hash-backend-cd.yml" | |
- "apps/hash-ai-worker-ts/**" | |
- "apps/hash-integration-worker/**" | |
- "apps/hash-graph/**" | |
- "apps/hash-api/**" | |
- "apps/hash-external-services/temporal/**" | |
- "apps/hash-external-services/kratos/**" | |
- "apps/hash-external-services/hydra/**" | |
- "libs/@local/**" | |
- "infra/docker/api/prod/**" | |
env: | |
VAULT_ADDR: ${{ secrets.VAULT_ADDR }} | |
AWS_REGION: ${{ secrets.AWS_REGION }} | |
AWS_ECR_URL: ${{ secrets.AWS_ECR_URL }} | |
GH_RUN_ID: ${{ github.run_id }} | |
GOOGLE_CLOUD_WORKLOAD_IDENTITY_FEDERATION_CONFIG_JSON: ${{ secrets.GOOGLE_CLOUD_WORKLOAD_IDENTITY_FEDERATION_CONFIG_JSON }} | |
HASH_API_RESOURCE_NAME: ${{ secrets.HASH_API_RESOURCE_NAME }} | |
HASH_GRAPH_RESOURCE_NAME: ${{ secrets.HASH_GRAPH_RESOURCE_NAME }} | |
HASH_KRATOS_RESOURCE_NAME: ${{ secrets.HASH_KRATOS_RESOURCE_NAME }} | |
HASH_HYDRA_RESOURCE_NAME: ${{ secrets.HASH_HYDRA_RESOURCE_NAME }} | |
HASH_TEMPORAL_AI_TS_WORKER_RESOURCE_NAME: h-hash-prod-usea1-temporalworkeraits | |
HASH_TEMPORAL_INTEGRATION_WORKER_RESOURCE_NAME: h-hash-prod-usea1-temporalworkerintegration | |
HASH_TEMPORAL_SETUP_RESOURCE_NAME: h-temporal-prod-usea1-setup | |
HASH_TEMPORAL_MIGRATE_RESOURCE_NAME: h-temporal-prod-usea1-migrate | |
HASH_TEMPORAL_VERSION: 1.23.1.0 | |
HASH_ECS_CLUSTER_NAME: h-hash-prod-usea1-ecs | |
HASH_APP_SERVICE_NAME: h-hash-prod-usea1-appsvc | |
HASH_GRAPH_SERVICE_NAME: h-hash-prod-usea1-graph | |
HASH_WORKER_SERVICE_NAME: h-hash-prod-usea1-appworker-svc | |
HASH_TEMPORAL_ECS_CLUSTER_NAME: h-temporal-prod-usea1-ecs | |
HASH_TEMPORAL_SERVICE_NAME: h-temporal-prod-usea1-svc | |
name: HASH backend deployment | |
jobs: | |
build-graph: | |
name: Build and push HASH graph image | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- name: Docker image build through docker-build-push | |
uses: ./.github/actions/docker-build-push | |
id: build | |
with: | |
SHORTNAME: "graph" | |
CONTEXT_PATH: ${{ github.workspace }}/ | |
DOCKERFILE_LOCATION: ${{ github.workspace }}/apps/hash-graph/docker/Dockerfile | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
AWS_ECR_URL: ${{ env.AWS_ECR_URL }} | |
IMAGE_NAME: ${{ env.HASH_GRAPH_RESOURCE_NAME }} | |
build-api: | |
name: Build and push HASH api image | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- name: Docker image build through docker-build-push | |
uses: ./.github/actions/docker-build-push | |
id: build | |
with: | |
SHORTNAME: "api" | |
CONTEXT_PATH: ${{ github.workspace }} | |
DOCKERFILE_LOCATION: ${{ github.workspace }}/infra/docker/api/prod/Dockerfile | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
AWS_ECR_URL: ${{ env.AWS_ECR_URL }} | |
IMAGE_NAME: ${{ env.HASH_API_RESOURCE_NAME }} | |
build-kratos: | |
name: Build and push Kratos image | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- name: Docker image build through docker-build-push | |
uses: ./.github/actions/docker-build-push | |
id: build | |
with: | |
SHORTNAME: "kratos" | |
CONTEXT_PATH: ${{ github.workspace }}/apps/hash-external-services/kratos | |
DOCKERFILE_LOCATION: ${{ github.workspace }}/apps/hash-external-services/kratos/Dockerfile | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
AWS_ECR_URL: ${{ env.AWS_ECR_URL }} | |
IMAGE_NAME: ${{ env.HASH_KRATOS_RESOURCE_NAME }} | |
BUILD_ARGS: | | |
ENV=prod | |
API_SECRET=${{ secrets.HASH_KRATOS_API_SECRET }} | |
build-hydra: | |
name: Build and push Hydra image | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- name: Docker image build through docker-build-push | |
uses: ./.github/actions/docker-build-push | |
id: build | |
with: | |
SHORTNAME: "hydra" | |
CONTEXT_PATH: ${{ github.workspace }}/apps/hash-external-services/hydra | |
DOCKERFILE_LOCATION: ${{ github.workspace }}/apps/hash-external-services/hydra/Dockerfile | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
AWS_ECR_URL: ${{ env.AWS_ECR_URL }} | |
IMAGE_NAME: ${{ env.HASH_HYDRA_RESOURCE_NAME }} | |
BUILD_ARGS: | | |
ENV=prod | |
build-ts-worker: | |
name: Build and push Temporal TS AI Worker | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- name: Docker image build through docker-build-push | |
uses: ./.github/actions/docker-build-push | |
id: build | |
with: | |
SHORTNAME: "temporal-worker-ai-ts" | |
CONTEXT_PATH: ${{ github.workspace }} | |
DOCKERFILE_LOCATION: ${{ github.workspace }}/apps/hash-ai-worker-ts/docker/Dockerfile | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
AWS_ECR_URL: ${{ env.AWS_ECR_URL }} | |
IMAGE_NAME: ${{ env.HASH_TEMPORAL_AI_TS_WORKER_RESOURCE_NAME }} | |
BUILD_ARGS: | | |
GOOGLE_CLOUD_WORKLOAD_IDENTITY_FEDERATION_CONFIG_JSON: ${{ secrets.GOOGLE_CLOUD_WORKLOAD_IDENTITY_FEDERATION_CONFIG_JSON }} | |
build-integration-worker: | |
name: Build and push Temporal integration Worker | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- name: Docker image build through docker-build-push | |
uses: ./.github/actions/docker-build-push | |
id: build | |
with: | |
SHORTNAME: "temporal-integration-worker" | |
CONTEXT_PATH: ${{ github.workspace }} | |
DOCKERFILE_LOCATION: ${{ github.workspace }}/apps/hash-integration-worker/docker/Dockerfile | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
AWS_ECR_URL: ${{ env.AWS_ECR_URL }} | |
IMAGE_NAME: ${{ env.HASH_TEMPORAL_INTEGRATION_WORKER_RESOURCE_NAME }} | |
build-temporal-migrate: | |
name: Build and push Temporal Migrate image | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- name: Docker image build through docker-build-push | |
uses: ./.github/actions/docker-build-push | |
id: build | |
with: | |
SHORTNAME: "temporal-migrate" | |
CONTEXT_PATH: ${{ github.workspace }}//apps/hash-external-services/temporal | |
DOCKERFILE_LOCATION: ${{ github.workspace }}/apps/hash-external-services/temporal/migrate.Dockerfile | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
AWS_ECR_URL: ${{ env.AWS_ECR_URL }} | |
IMAGE_NAME: ${{ env.HASH_TEMPORAL_MIGRATE_RESOURCE_NAME }} | |
IMAGE_TAG: ${{ env.HASH_TEMPORAL_VERSION }} | |
BUILD_ARGS: | | |
TEMPORAL_VERSION=${{ env.HASH_TEMPORAL_VERSION }} | |
build-temporal-setup: | |
name: Build and push Temporal Setup image | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- name: Docker image build through docker-build-push | |
uses: ./.github/actions/docker-build-push | |
id: build | |
with: | |
SHORTNAME: "temporal-setup" | |
CONTEXT_PATH: ${{ github.workspace }}//apps/hash-external-services/temporal | |
DOCKERFILE_LOCATION: ${{ github.workspace }}/apps/hash-external-services/temporal/setup.Dockerfile | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
AWS_ECR_URL: ${{ env.AWS_ECR_URL }} | |
IMAGE_NAME: ${{ env.HASH_TEMPORAL_SETUP_RESOURCE_NAME }} | |
IMAGE_TAG: ${{ env.HASH_TEMPORAL_VERSION }} | |
BUILD_ARGS: | | |
TEMPORAL_VERSION=${{ env.HASH_TEMPORAL_VERSION }} | |
deploy-app: | |
name: Deploy HASH app images | |
runs-on: ubuntu-latest | |
needs: | |
- build-ts-worker | |
- build-api | |
- build-kratos | |
- build-hydra | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- uses: ./.github/actions/docker-ecr-login | |
with: | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
- name: Redeploy HASH backend service | |
run: | | |
aws ecs update-service --cluster ${{ env.HASH_ECS_CLUSTER_NAME }} --service ${{ env.HASH_APP_SERVICE_NAME }} --force-new-deployment 1> /dev/null | |
deploy-graph: | |
name: Deploy HASH graph images | |
runs-on: ubuntu-latest | |
needs: | |
- build-graph | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- uses: ./.github/actions/docker-ecr-login | |
with: | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
- name: Redeploy HASH graph service | |
run: | | |
aws ecs update-service --cluster ${{ env.HASH_ECS_CLUSTER_NAME }} --service ${{ env.HASH_GRAPH_SERVICE_NAME }} --force-new-deployment 1> /dev/null | |
deploy-workers: | |
name: Deploy HASH worker images | |
runs-on: ubuntu-latest | |
needs: | |
- build-integration-worker | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- uses: ./.github/actions/docker-ecr-login | |
with: | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
- name: Redeploy HASH worker service | |
run: | | |
aws ecs update-service --cluster ${{ env.HASH_ECS_CLUSTER_NAME }} --service ${{ env.HASH_WORKER_SERVICE_NAME }} --force-new-deployment 1> /dev/null | |
deploy-temporal: | |
name: Deploy Temporal images | |
runs-on: ubuntu-latest | |
needs: | |
- build-temporal-migrate | |
- build-temporal-setup | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Authenticate Vault | |
id: secrets | |
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 | |
with: | |
exportToken: true | |
url: ${{ env.VAULT_ADDR }} | |
method: jwt | |
role: prod | |
# Even though it could look like separate calls to fetch the secrets | |
# the responses here are cached, so we're only issuing a single set of credentials | |
secrets: | | |
aws/creds/prod-deploy access_key | AWS_ACCESS_KEY_ID ; | |
aws/creds/prod-deploy secret_key | AWS_SECRET_ACCESS_KEY ; | |
aws/creds/prod-deploy security_token | AWS_SESSION_TOKEN | |
- uses: ./.github/actions/docker-ecr-login | |
with: | |
AWS_ACCESS_KEY_ID: ${{ steps.secrets.outputs.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.secrets.outputs.AWS_SECRET_ACCESS_KEY }} | |
AWS_SESSION_TOKEN: ${{ steps.secrets.outputs.AWS_SESSION_TOKEN }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
- name: Redeploy Temporal service | |
run: | | |
aws ecs update-service --cluster ${{ env.HASH_TEMPORAL_ECS_CLUSTER_NAME }} --service ${{ env.HASH_TEMPORAL_SERVICE_NAME }} --force-new-deployment 1> /dev/null | |
notify-slack: | |
name: Notify Slack on failure | |
needs: | |
- deploy-app | |
- deploy-graph | |
- deploy-workers | |
- deploy-temporal | |
runs-on: ubuntu-latest | |
if: ${{ failure() }} | |
steps: | |
- name: Slack Notification | |
uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 | |
env: | |
SLACK_LINK_NAMES: true | |
SLACK_MESSAGE: "Error deploying the HASH backend <@U0143NL4GMP> <@U02NLJY0FGX>" # Notifies C & T | |
SLACK_TITLE: Backend deployment failed | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_USERNAME: GitHub | |
VAULT_ADDR: "" | |
VAULT_TOKEN: "" |