mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
c7827b9687
Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.8 to 2.1.10. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/google-github-actions/auth/releases">google-github-actions/auth's releases</a>.</em></p> <blockquote> <h2>v2.1.10</h2> <h2>What's Changed</h2> <ul> <li>Declare workflow permissions by <a href="https://github.com/sethvargo"><code>@sethvargo</code></a> in <a href="https://redirect.github.com/google-github-actions/auth/pull/482">google-github-actions/auth#482</a></li> <li>Document that the OIDC token expires in 5min by <a href="https://github.com/sethvargo"><code>@sethvargo</code></a> in <a href="https://redirect.github.com/google-github-actions/auth/pull/483">google-github-actions/auth#483</a></li> <li>Release: v2.1.10 by <a href="https://github.com/google-github-actions-bot"><code>@google-github-actions-bot</code></a> in <a href="https://redirect.github.com/google-github-actions/auth/pull/484">google-github-actions/auth#484</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/google-github-actions/auth/compare/v2.1.9...v2.1.10">https://github.com/google-github-actions/auth/compare/v2.1.9...v2.1.10</a></p> <h2>v2.1.9</h2> <h2>What's Changed</h2> <ul> <li>Use our custom boolean parsing by <a href="https://github.com/sethvargo"><code>@sethvargo</code></a> in <a href="https://redirect.github.com/google-github-actions/auth/pull/478">google-github-actions/auth#478</a></li> <li>Update deps by <a href="https://github.com/sethvargo"><code>@sethvargo</code></a> in <a href="https://redirect.github.com/google-github-actions/auth/pull/479">google-github-actions/auth#479</a></li> <li>Release: v2.1.9 by <a href="https://github.com/google-github-actions-bot"><code>@google-github-actions-bot</code></a> in <a href="https://redirect.github.com/google-github-actions/auth/pull/480">google-github-actions/auth#480</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/google-github-actions/auth/compare/v2.1.8...v2.1.9">https://github.com/google-github-actions/auth/compare/v2.1.8...v2.1.9</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="ba79af0395"><code>ba79af0</code></a> Release: v2.1.10 (<a href="https://redirect.github.com/google-github-actions/auth/issues/484">#484</a>)</li> <li><a href="bfaa66bd66"><code>bfaa66b</code></a> Document that the OIDC token expires in 5min (<a href="https://redirect.github.com/google-github-actions/auth/issues/483">#483</a>)</li> <li><a href="d0822ad9bf"><code>d0822ad</code></a> Declare workflow permissions (<a href="https://redirect.github.com/google-github-actions/auth/issues/482">#482</a>)</li> <li><a href="7b53cdc2a3"><code>7b53cdc</code></a> Release: v2.1.9 (<a href="https://redirect.github.com/google-github-actions/auth/issues/480">#480</a>)</li> <li><a href="a9cfddf5d2"><code>a9cfddf</code></a> Update deps (<a href="https://redirect.github.com/google-github-actions/auth/issues/479">#479</a>)</li> <li><a href="b011f3988e"><code>b011f39</code></a> Use our custom boolean parsing (<a href="https://redirect.github.com/google-github-actions/auth/issues/478">#478</a>)</li> <li>See full diff in <a href="71f986410d...ba79af0395">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
204 lines
8.3 KiB
YAML
204 lines
8.3 KiB
YAML
name: Deploy Production
|
|
run-name: Triggered by ${{ github.actor }}
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
tag:
|
|
description: "Image tag to deploy. Defaults to the last commit SHA in the branch."
|
|
type: string
|
|
default: ${{ github.sha }}
|
|
required: false
|
|
|
|
concurrency:
|
|
group: "production-deploy"
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
sanity-check:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Ensure CI passed for the given sha
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
gh api \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
"repos/firezone/firezone/actions/runs?head_sha=${{ inputs.tag }}&status=success" \
|
|
| jq -e '.workflow_runs | length > 0' || exit 1
|
|
|
|
push:
|
|
needs: sanity-check
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
packages: write
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
image: [domain, api, web, gateway, relay, client]
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
- name: Login to staging registry
|
|
uses: ./.github/actions/gcp-docker-login
|
|
id: login-staging
|
|
with:
|
|
project: firezone-staging
|
|
- name: Login to production registry
|
|
uses: ./.github/actions/gcp-docker-login
|
|
id: login-production
|
|
with:
|
|
project: firezone-prod
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
|
|
- name: Pull and push images
|
|
run: |
|
|
set -xe
|
|
|
|
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
|
|
|
|
docker buildx imagetools create \
|
|
-t ${{ steps.login-production.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} \
|
|
$SOURCE_TAG
|
|
- name: Authenticate to Google Cloud
|
|
id: auth
|
|
uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
|
|
with:
|
|
workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions"
|
|
service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com"
|
|
export_environment_variables: true
|
|
create_credentials_file: true
|
|
- name: Copy Google Cloud Storage binaries to "edge" version
|
|
# TODO: Add relay here when we deploy Relay from prod artifacts instead of Docker
|
|
# To do that properly we need to:
|
|
# - Update publish.yml to publish versioned Relays too (and start versioning Relay changes)
|
|
# - Add arm64 and armv7l architectures to the Relay builds (we only build for amd64 currently because that's all we need to)
|
|
if: ${{ matrix.image == 'gateway' || matrix.image == 'client' }}
|
|
run: |
|
|
set -xe
|
|
|
|
ARCHITECTURES=(x86_64 aarch64 armv7)
|
|
|
|
for arch in "${ARCHITECTURES[@]}"; do
|
|
# Copy sha256sum.txt
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}.sha256sum.txt
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt
|
|
|
|
# Copy binaries
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}
|
|
done
|
|
|
|
deploy-production:
|
|
needs: push
|
|
runs-on: ubuntu-22.04
|
|
environment: gcp_production
|
|
permissions:
|
|
contents: write
|
|
env:
|
|
TF_CLOUD_ORGANIZATION: "firezone"
|
|
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
|
|
TF_WORKSPACE: "production"
|
|
steps:
|
|
# First, checkout the main ref for setting up Terraform
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
submodules: true
|
|
ssh-key: ${{ secrets.ENVIRONMENTS_REPO_DEPLOY_KEY }}
|
|
- name: Tool Versions
|
|
id: versions
|
|
uses: marocchino/tool-versions-action@18a164fa2b0db1cc1edf7305fcb17ace36d1c306 # v1.2.0
|
|
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
|
|
with:
|
|
terraform_version: ${{ steps.versions.outputs.terraform }}
|
|
# Then, checkout the ref specified in the workflow run
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ github.event.workflow_run.head_branch }}
|
|
submodules: true
|
|
ssh-key: ${{ secrets.ENVIRONMENTS_REPO_DEPLOY_KEY }}
|
|
- name: Upload Configuration
|
|
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
|
|
id: apply-upload
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
# Subdirectory is set in the project settings:
|
|
# https://app.terraform.io/app/firezone/workspaces/production/settings/general
|
|
directory: "./"
|
|
- name: Create Plan Run
|
|
uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
|
|
id: apply-run
|
|
env:
|
|
TF_VAR_image_tag: '"${{ inputs.tag }}"'
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
|
|
- name: Apply
|
|
uses: hashicorp/tfc-workflows-github/actions/apply-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
|
|
if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
|
|
id: apply
|
|
with:
|
|
run: ${{ steps.apply-run.outputs.run_id }}
|
|
comment: "Apply Run from GitHub Actions CI ${{ inputs.tag }}"
|
|
|
|
# Some intrepid users are self-hosting these, so support them as best we can by making our
|
|
# infrastructure images available to them.
|
|
publish-infra-images:
|
|
# Only publish if our own deploy was successful
|
|
needs: deploy-production
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
packages: write
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
image: [domain, api, web, relay]
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
- name: Login to staging registry
|
|
uses: ./.github/actions/gcp-docker-login
|
|
id: login-staging
|
|
with:
|
|
project: firezone-staging
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
|
|
- name: Pull and push
|
|
run: |
|
|
set -xe
|
|
|
|
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
|
|
|
|
docker buildx imagetools create \
|
|
-t ghcr.io/firezone/${{ matrix.image }}:${{ inputs.tag }} \
|
|
-t ghcr.io/firezone/${{ matrix.image }}:latest \
|
|
$SOURCE_TAG
|
|
|
|
update-vercel:
|
|
needs: deploy-production
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
VERCEL_TEAM_ID: firezone
|
|
VERCEL_EDGE_CONFIG_ID: ecfg_hmorgeez26rwyncgsuj1yaibfx4p
|
|
steps:
|
|
- name: Update FIREZONE_DEPLOYED_SHA
|
|
run: |
|
|
curl --fail -X PATCH "https://api.vercel.com/v1/edge-config/${VERCEL_EDGE_CONFIG_ID}/items?teamId=${VERCEL_TEAM_ID}" \
|
|
-H "Authorization: Bearer ${{ secrets.VERCEL_TOKEN }}" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{ "items": [ { "operation": "upsert", "key": "deployed_sha", "value": "${{ inputs.tag }}" } ] }'
|