mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
d26df944c0
To improve supply-chain security, reference all GitHub actions using the hash of the released tag. GitHub recommends to do this for third-party actions (https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions). In order to make our CI more deterministic, I opted to do it for all our actions. This means any change to our workflow configuration requires a source code change and thus passing CI on our end. Dependabot will automatically issue PRs for these actions and update the comment with the new version next to them. Resolves: #2497.
93 lines
3.4 KiB
YAML
93 lines
3.4 KiB
YAML
name: Continuous Delivery
|
|
on:
|
|
# Used for debugging the workflow by manually calling it
|
|
workflow_dispatch:
|
|
inputs:
|
|
deploy-staging:
|
|
description: "Also deploy to staging. By default the deploy is not executed when triggering this workflow manually."
|
|
type: boolean
|
|
default: false
|
|
required: false
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
# Builds images that match what's default in docker-compose.yml for
|
|
# local development.
|
|
build-dev-images:
|
|
uses: ./.github/workflows/_build_artifacts.yml
|
|
secrets: inherit
|
|
with:
|
|
image_prefix: "dev"
|
|
stage: "debug"
|
|
profile: "debug"
|
|
|
|
# Builds debug images with release binaries for compatibility tests in case the merge_group was skipped.
|
|
build-test-images:
|
|
uses: ./.github/workflows/_build_artifacts.yml
|
|
secrets: inherit
|
|
with:
|
|
image_prefix: "debug"
|
|
stage: "debug"
|
|
profile: "release"
|
|
|
|
# Re-run CI checks to make sure everything's green, since "Merging as administrator"
|
|
# won't trigger these in the merge group.
|
|
ci:
|
|
uses: ./.github/workflows/ci.yml
|
|
secrets: inherit
|
|
with:
|
|
profile: "release"
|
|
stage: "release"
|
|
|
|
deploy-staging:
|
|
if: ${{ github.event_name != 'workflow_dispatch' || inputs.deploy-staging }}
|
|
runs-on: ubuntu-22.04
|
|
environment: gcp_staging
|
|
permissions:
|
|
contents: write
|
|
# Cancel old workflow runs if new code is pushed
|
|
concurrency:
|
|
group: "staging-deploy-${{ github.workflow }}-${{ github.ref }}"
|
|
cancel-in-progress: false
|
|
needs: ci
|
|
env:
|
|
TF_CLOUD_ORGANIZATION: "firezone"
|
|
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
|
|
TF_WORKSPACE: "staging"
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
- name: Tool Versions
|
|
id: versions
|
|
uses: marocchino/tool-versions-action@18a164fa2b0db1cc1edf7305fcb17ace36d1c306 # v1.2.0
|
|
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
|
|
with:
|
|
terraform_version: ${{ steps.versions.outputs.terraform }}
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ github.event.workflow_run.head_branch }}
|
|
- name: Upload Configuration
|
|
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
|
|
id: apply-upload
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
# Subdirectory is set in the project settings:
|
|
# https://app.terraform.io/app/firezone/workspaces/staging/settings/general
|
|
directory: "./"
|
|
- name: Create Plan Run
|
|
uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
|
|
id: apply-run
|
|
env:
|
|
TF_VAR_image_tag: '"${{ github.sha }}"'
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
|
|
- name: Apply
|
|
uses: hashicorp/tfc-workflows-github/actions/apply-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
|
|
if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
|
|
id: apply
|
|
with:
|
|
run: ${{ steps.apply-run.outputs.run_id }}
|
|
comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"
|