v2.1.0 #43
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Deploy Update to Live Server" | |
on: | |
release: | |
branches: [master] | |
types: [published] | |
permissions: | |
contents: read | |
jobs: | |
build: | |
strategy: | |
matrix: | |
component: [frontend, backend, maintenance, database] | |
runs-on: ubuntu-latest | |
outputs: | |
image_tag: ${{ steps.build_combine.outputs.image_tag }} | |
steps: | |
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on | |
# configuring harden-runner and identifying allowed endpoints. | |
- name: Harden Runner | |
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | |
with: | |
egress-policy: block | |
allowed-endpoints: > | |
*.actions.githubusercontent.com:443 | |
*.data.mcr.microsoft.com:443 | |
api.ecr-public.us-east-1.amazonaws.com:443 | |
api.github.com:443 | |
api.nuget.org:443 | |
archive.ubuntu.com:80 | |
auth.docker.io:443 | |
dc.services.visualstudio.com:443 | |
deb.debian.org:80 | |
docker.io:443 | |
dotnetcli.azureedge.net:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
mcr.microsoft.com:443 | |
production.cloudflare.docker.com:443 | |
public.ecr.aws:443 | |
pypi.org:443 | |
registry-1.docker.io:443 | |
registry.npmjs.org:443 | |
security.debian.org:80 | |
security.ubuntu.com:80 | |
storage.googleapis.com:443 | |
sts.us-east-1.amazonaws.com:443 | |
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
- name: Build The Combine | |
id: build_combine | |
uses: ./.github/actions/combine-build | |
with: | |
image_registry: public.ecr.aws | |
image_registry_alias: "/thecombine" | |
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
# Note that the region for the public registries is always us-east-1 regardless of | |
# the account's default region. See the section "To authenticate Docker to an Amazon | |
# ECR registry with get-login-password in | |
# https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html | |
aws_default_region: us-east-1 | |
build_component: ${{ matrix.component }} | |
deploy_update: | |
needs: build | |
runs-on: [self-hosted, thecombine] | |
steps: | |
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
with: | |
fetch-depth: 0 | |
- name: Deploy The Combine Update to QA | |
uses: ./.github/actions/combine-deploy-update | |
with: | |
image_registry: public.ecr.aws | |
image_registry_alias: "/thecombine" | |
image_tag: ${{ needs.build.outputs.image_tag }} | |
kube_context: ${{ secrets.LTOPS_K8S_STAGING_CONTEXT }} | |
kubectl_version: ${{ vars.KUBECTL_VERSION }} | |
update_cert_proxy: false | |
- name: Deploy The Combine Update to Production | |
uses: ./.github/actions/combine-deploy-update | |
with: | |
image_registry: public.ecr.aws | |
image_registry_alias: "/thecombine" | |
image_tag: ${{ needs.build.outputs.image_tag }} | |
kube_context: ${{ secrets.LTOPS_K8S_PRODUCTION_CONTEXT }} | |
kubectl_version: ${{ vars.KUBECTL_VERSION }} | |
update_cert_proxy: true |