mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-02-06 01:06:29 +00:00
7a4a1cccc3
Bumps [hashicorp/tfc-workflows-github](https://github.com/hashicorp/tfc-workflows-github) from 1.3.1 to 1.3.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/hashicorp/tfc-workflows-github/releases">hashicorp/tfc-workflows-github's releases</a>.</em></p> <blockquote> <h2>v1.3.2</h2> <ul> <li>Bug fixes and enhancements from <a href="https://github.com/hashicorp/tfc-workflows-tooling/releases/tag/v1.3.2">tfc-workflows-tooling@v1.3.2</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/hashicorp/tfc-workflows-github/blob/main/CHANGELOG.md">hashicorp/tfc-workflows-github's changelog</a>.</em></p> <blockquote> <h1>v1.3.2</h1> <ul> <li>Bug fixes and enhancements from <a href="https://github.com/hashicorp/tfc-workflows-tooling/releases/tag/v1.3.2">tfc-workflows-tooling@v1.3.2</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="8e08d1ba95"><code>8e08d1b</code></a> Prepare v1.3.2 release (<a href="https://redirect.github.com/hashicorp/tfc-workflows-github/issues/2981">#2981</a>)</li> <li><a href="2a0a556cba"><code>2a0a556</code></a> [COMPLIANCE] Update MPL-2.0 LICENSE (<a href="https://redirect.github.com/hashicorp/tfc-workflows-github/issues/2980">#2980</a>)</li> <li><a href="b15578fa52"><code>b15578f</code></a> Merge pull request <a href="https://redirect.github.com/hashicorp/tfc-workflows-github/issues/2976">#2976</a> from salilsub/main</li> <li><a href="030a2307e5"><code>030a230</code></a> Adding GITHUB_TOKEN link to README</li> <li><a href="833d60e689"><code>833d60e</code></a> Adding information about setting the GITHUB_TOKEN permissions</li> <li>See full diff in <a href="https://github.com/hashicorp/tfc-workflows-github/compare/v1.3.1...v1.3.2">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
209 lines
8.2 KiB
YAML
209 lines
8.2 KiB
YAML
name: Deploy Production
|
|
run-name: Triggered by ${{ github.actor }}
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
tag:
|
|
description: "Image tag to deploy. Defaults to the last commit SHA in the branch."
|
|
type: string
|
|
default: ${{ github.sha }}
|
|
required: false
|
|
|
|
concurrency:
|
|
group: "production-deploy"
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
sanity-check:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Ensure CI passed for the given sha
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
gh api \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
"repos/firezone/firezone/actions/runs?head_sha=${{ inputs.tag }}&status=success" \
|
|
| jq -e '.workflow_runs | length > 0' || exit 1
|
|
|
|
push:
|
|
needs: sanity-check
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
packages: write
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
image: [domain, api, web, gateway, relay, client]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Login to staging registry
|
|
uses: ./.github/actions/gcp-docker-login
|
|
id: login-staging
|
|
with:
|
|
project: firezone-staging
|
|
- name: Login to production registry
|
|
uses: ./.github/actions/gcp-docker-login
|
|
id: login-production
|
|
with:
|
|
project: firezone-prod
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
# We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
|
|
# supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
|
|
# We should for any updates on buildx and on the setup-buildx-action itself.
|
|
driver-opts: |
|
|
image=moby/buildkit:v0.15.1
|
|
- name: Pull and push images
|
|
run: |
|
|
set -xe
|
|
|
|
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
|
|
|
|
docker buildx imagetools create \
|
|
-t ${{ steps.login-production.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} \
|
|
$SOURCE_TAG
|
|
- name: Authenticate to Google Cloud
|
|
id: auth
|
|
uses: google-github-actions/auth@v2
|
|
with:
|
|
workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions"
|
|
service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com"
|
|
export_environment_variables: true
|
|
create_credentials_file: true
|
|
- name: Copy Google Cloud Storage binaries to "edge" version
|
|
# TODO: Add relay here when we deploy Relay from prod artifacts instead of Docker
|
|
# To do that properly we need to:
|
|
# - Update publish.yml to publish versioned Relays too (and start versioning Relay changes)
|
|
# - Add arm64 and armv7l architectures to the Relay builds (we only build for amd64 currently because that's all we need to)
|
|
if: ${{ matrix.image == 'gateway' || matrix.image == 'client' }}
|
|
run: |
|
|
set -xe
|
|
|
|
ARCHITECTURES=(x86_64 aarch64 armv7)
|
|
|
|
for arch in "${ARCHITECTURES[@]}"; do
|
|
# Copy sha256sum.txt
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}.sha256sum.txt
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt
|
|
|
|
# Copy binaries
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}
|
|
done
|
|
|
|
deploy-production:
|
|
needs: push
|
|
runs-on: ubuntu-22.04
|
|
environment: gcp_production
|
|
permissions:
|
|
contents: write
|
|
env:
|
|
TF_CLOUD_ORGANIZATION: "firezone"
|
|
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
|
|
TF_WORKSPACE: "production"
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Tool Versions
|
|
id: versions
|
|
uses: marocchino/tool-versions-action@v1.2.0
|
|
- uses: hashicorp/setup-terraform@v3
|
|
with:
|
|
terraform_version: ${{ steps.versions.outputs.terraform }}
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.event.workflow_run.head_branch }}
|
|
- name: Upload Configuration
|
|
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.3.2
|
|
id: apply-upload
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
# Subdirectory is set in the project settings:
|
|
# https://app.terraform.io/app/firezone/workspaces/production/settings/general
|
|
directory: "./"
|
|
- name: Create Plan Run
|
|
uses: hashicorp/tfc-workflows-github/actions/create-run@v1.3.2
|
|
id: apply-run
|
|
env:
|
|
TF_VAR_image_tag: '"${{ inputs.tag }}"'
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
|
|
- name: Apply
|
|
uses: hashicorp/tfc-workflows-github/actions/apply-run@v1.3.2
|
|
if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
|
|
id: apply
|
|
with:
|
|
run: ${{ steps.apply-run.outputs.run_id }}
|
|
comment: "Apply Run from GitHub Actions CI ${{ inputs.tag }}"
|
|
|
|
# Some intrepid users are self-hosting these, so support them as best we can by making our
|
|
# infrastructure images available to them.
|
|
publish-infra-images:
|
|
# Only publish if our own deploy was successful
|
|
needs: deploy-production
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
packages: write
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
image: [domain, api, web, relay]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Login to staging registry
|
|
uses: ./.github/actions/gcp-docker-login
|
|
id: login-staging
|
|
with:
|
|
project: firezone-staging
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
# We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
|
|
# supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
|
|
# We should for any updates on buildx and on the setup-buildx-action itself.
|
|
driver-opts: |
|
|
image=moby/buildkit:v0.15.1
|
|
- name: Pull and push
|
|
run: |
|
|
set -xe
|
|
|
|
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
|
|
|
|
docker buildx imagetools create \
|
|
-t ghcr.io/firezone/${{ matrix.image }}:${{ inputs.tag }} \
|
|
-t ghcr.io/firezone/${{ matrix.image }}:latest \
|
|
$SOURCE_TAG
|
|
|
|
update-vercel:
|
|
needs: deploy-production
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
VERCEL_TEAM_ID: firezone
|
|
VERCEL_EDGE_CONFIG_ID: ecfg_hmorgeez26rwyncgsuj1yaibfx4p
|
|
steps:
|
|
- name: Update FIREZONE_DEPLOYED_SHA
|
|
run: |
|
|
curl --fail -X PATCH "https://api.vercel.com/v1/edge-config/${VERCEL_EDGE_CONFIG_ID}/items?teamId=${VERCEL_TEAM_ID}" \
|
|
-H "Authorization: Bearer ${{ secrets.VERCEL_TOKEN }}" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{ "items": [ { "operation": "upsert", "key": "deployed_sha", "value": "${{ inputs.tag }}" } ] }'
|