From 1974ef9332b19fbd795bc05757c62e9ed30fde27 Mon Sep 17 00:00:00 2001 From: Jamil Date: Mon, 17 Jun 2024 18:29:06 -0700 Subject: [PATCH] fix(infra): Copy artifacts from `github.sha` to `edge` in prod when deploying (#5416) This will allow us to run prod smoke tests using the `SHA` from `main` when deploying, without having to release/publish the Gateway first. Fixes this issue seen in logs: ``` { "insertId": "tz43hng1m3lbbe", "jsonPayload": { "message": "Jun 17 22:36:57 gateway-cn9m firezone-gateway-init[3413]: curl: (22) The requested URL returned error: 404" }, "resource": { "type": "gce_instance", "labels": { "project_id": "firezone-prod", "zone": "us-east1-d", "instance_id": "8536982484474988766" } }, "timestamp": "2024-06-17T22:36:57.601613147Z", "labels": { "compute.googleapis.com/resource_name": "gateway-cn9m" }, "logName": "projects/firezone-prod/logs/syslog", "receiveTimestamp": "2024-06-17T22:36:57.745513999Z" }, { "insertId": "tz43hng1m3lbbd", "jsonPayload": { "message": "Jun 17 22:36:57 gateway-cn9m firezone-gateway-init[3411]: Downloading 6c310610f363268056e40baffca804b517267d90 version from https://storage.googleapis.com/firezone-prod-artifacts/firezone-gateway..." }, "resource": { "type": "gce_instance", "labels": { "project_id": "firezone-prod", "zone": "us-east1-d", "instance_id": "8536982484474988766" } }, "timestamp": "2024-06-17T22:36:57.501343894Z", "labels": { "compute.googleapis.com/resource_name": "gateway-cn9m" }, "logName": "projects/firezone-prod/logs/syslog", "receiveTimestamp": "2024-06-17T22:36:57.745513999Z" } ``` --- .github/workflows/_deploy_production.yml | 36 ++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/.github/workflows/_deploy_production.yml b/.github/workflows/_deploy_production.yml index 27ad2ad80..e7869145a 100644 --- a/.github/workflows/_deploy_production.yml +++ b/.github/workflows/_deploy_production.yml 
@@ -58,6 +58,42 @@ jobs:
 docker buildx imagetools create \
 -t ${{ steps.login-production.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} \
 $SOURCE_TAG
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@v2
+ with:
+ workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions"
+ service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com"
+ export_environment_variables: true
+ create_credentials_file: true
+ - name: Copy Google Cloud Storage binaries to "edge" version
+ # TODO: Add relay here when we deploy Relay from prod artifacts instead of Docker
+ # To do that properly we need to:
+ # - Update publish.yml to publish versioned Relays too (and start versioning Relay changes)
+ # - Add arm64 and armv7l architectures to the Relay builds (we only build for amd64 currently because that's all we need to)
+ if: ${{ matrix.image == 'gateway' || matrix.image == 'client' }}
+ run: |
+ set -xe
+
+ ARCHITECTURES=(x86_64 aarch64 armv7)
+
+ for arch in "${ARCHITECTURES[@]}"; do
+ # Copy sha256sum.txt
+ gcloud storage cp \
+ gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
+ gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}.sha256sum.txt
+ gcloud storage cp \
+ gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
+ gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt
+
+ # Copy binaries
+ gcloud storage cp \
+ gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
+ gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}
+ gcloud storage cp \
+ gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
+ gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}
+ done
deploy-production: needs: push
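Review bot: The loop in the `Copy Google Cloud Storage binaries to "edge" version` step promotes binaries from `firezone-staging-artifacts` into `firezone-prod-artifacts` without checking them, and the `.sha256sum.txt` it copies comes from the same staging path, so that checksum can catch transfer corruption but not an object that was changed in the staging bucket. Since the log in the commit message suggests production gateways download from the prod bucket at boot, I would verify each binary before it is written to `edge`, against a digest recorded by the build job for this `github.sha`, and fail the step on a mismatch. Separately, `google-github-actions/auth@v2` is a mutable tag on the step that obtains credentials able to write the prod bucket; pinning it as `uses: google-github-actions/auth@<full-commit-sha> # v2` keeps a retagged release out of this job. The job these steps belong to starts outside the hunk, so whether `permissions` restricts `id-token: write` to this job cannot be confirmed from here.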