github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
62dfe65679a0bb2abffffbaeff6f8f44ee44abe2
firezone/.github/workflows/_deploy_production.yml
Jamil 6f7f6a4f34 style: Enforce code style across all supported languages using Prettier (#7322) 
This ensure that we run prettier across all supported filetypes to check
for any formatting / style inconsistencies. Previously, it was only run
for files in the website/ directory using a deprecated pre-commit
plugin.

The benefit to keeping this in our pre-commit config is that devs can
optionally run these checks locally with `pre-commit run --config
.github/pre-commit-config.yaml`.

---------

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
2024-11-13 00:19:15 +00:00

209 lines
8.2 KiB
YAML
Raw Blame History

name: Deploy Production
run-name: Triggered by ${{ github.actor }}
on:
workflow_call:
inputs:
tag:
description: "Image tag to deploy. Defaults to the last commit SHA in the branch."
type: string
default: ${{ github.sha }}
required: false
concurrency:
group: "production-deploy"
cancel-in-progress: false
jobs:
sanity-check:
runs-on: ubuntu-22.04
steps:
- name: Ensure CI passed for the given sha
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"repos/firezone/firezone/actions/runs?head_sha=${{ inputs.tag }}&status=success" \
| jq -e '.workflow_runs | length > 0' || exit 1
push:
needs: sanity-check
runs-on: ubuntu-22.04
permissions:
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
image: [domain, api, web, gateway, relay, client]
steps:
- uses: actions/checkout@v4
- name: Login to staging registry
uses: ./.github/actions/gcp-docker-login
id: login-staging
with:
project: firezone-staging
- name: Login to production registry
uses: ./.github/actions/gcp-docker-login
id: login-production
with:
project: firezone-prod
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
# We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
# supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
# We should for any updates on buildx and on the setup-buildx-action itself.
driver-opts: |
image=moby/buildkit:v0.15.1
- name: Pull and push images
run: |
set -xe
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
docker buildx imagetools create \
-t ${{ steps.login-production.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} \
$SOURCE_TAG
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions"
service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com"
export_environment_variables: true
create_credentials_file: true
- name: Copy Google Cloud Storage binaries to "edge" version
# TODO: Add relay here when we deploy Relay from prod artifacts instead of Docker
# To do that properly we need to:
# - Update publish.yml to publish versioned Relays too (and start versioning Relay changes)
# - Add arm64 and armv7l architectures to the Relay builds (we only build for amd64 currently because that's all we need to)
if: ${{ matrix.image == 'gateway' || matrix.image == 'client' }}
run: |
set -xe
ARCHITECTURES=(x86_64 aarch64 armv7)
for arch in "${ARCHITECTURES[@]}"; do
# Copy sha256sum.txt
gcloud storage cp \
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}.sha256sum.txt
gcloud storage cp \
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt
# Copy binaries
gcloud storage cp \
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}
gcloud storage cp \
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}
done
deploy-production:
needs: push
runs-on: ubuntu-22.04
environment: gcp_production
permissions:
contents: write
env:
TF_CLOUD_ORGANIZATION: "firezone"
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
TF_WORKSPACE: "production"
steps:
- uses: actions/checkout@v4
- name: Tool Versions
id: versions
uses: marocchino/tool-versions-action@v1.2.0
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.versions.outputs.terraform }}
- uses: actions/checkout@v4
with:
ref: ${{ github.event.workflow_run.head_branch }}
- name: Upload Configuration
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.3.1
id: apply-upload
with:
workspace: ${{ env.TF_WORKSPACE }}
# Subdirectory is set in the project settings:
# https://app.terraform.io/app/firezone/workspaces/production/settings/general
directory: "./"
- name: Create Plan Run
uses: hashicorp/tfc-workflows-github/actions/create-run@v1.3.1
id: apply-run
env:
TF_VAR_image_tag: '"${{ inputs.tag }}"'
with:
workspace: ${{ env.TF_WORKSPACE }}
configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
- name: Apply
uses: hashicorp/tfc-workflows-github/actions/apply-run@v1.3.1
if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
id: apply
with:
run: ${{ steps.apply-run.outputs.run_id }}
comment: "Apply Run from GitHub Actions CI ${{ inputs.tag }}"
# Some intrepid users are self-hosting these, so support them as best we can by making our
# infrastructure images available to them.
publish-infra-images:
# Only publish if our own deploy was successful
needs: deploy-production
runs-on: ubuntu-22.04
permissions:
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
image: [domain, api, web, relay]
steps:
- uses: actions/checkout@v4
- name: Login to staging registry
uses: ./.github/actions/gcp-docker-login
id: login-staging
with:
project: firezone-staging
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
# We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
# supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
# We should for any updates on buildx and on the setup-buildx-action itself.
driver-opts: |
image=moby/buildkit:v0.15.1
- name: Pull and push
run: |
set -xe
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
docker buildx imagetools create \
-t ghcr.io/firezone/${{ matrix.image }}:${{ inputs.tag }} \
-t ghcr.io/firezone/${{ matrix.image }}:latest \
$SOURCE_TAG
update-vercel:
needs: deploy-production
runs-on: ubuntu-22.04
env:
VERCEL_TEAM_ID: firezone
VERCEL_EDGE_CONFIG_ID: ecfg_hmorgeez26rwyncgsuj1yaibfx4p
steps:
- name: Update FIREZONE_DEPLOYED_SHA
run: |
curl --fail -X PATCH "https://api.vercel.com/v1/edge-config/${VERCEL_EDGE_CONFIG_ID}/items?teamId=${VERCEL_TEAM_ID}" \
-H "Authorization: Bearer ${{ secrets.VERCEL_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{ "items": [ { "operation": "upsert", "key": "deployed_sha", "value": "${{ inputs.tag }}" } ] }'
Reference in New Issue View Git Blame Copy Permalink