mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-28 10:18:51 +00:00
d26df944c0
To improve supply-chain security, reference all GitHub actions using the hash of the released tag. GitHub recommends to do this for third-party actions (https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions). In order to make our CI more deterministic, I opted to do it for all our actions. This means any change to our workflow configuration requires a source code change and thus passing CI on our end. Dependabot will automatically issue PRs for these actions and update the comment with the new version next to them. Resolves: #2497.
209 lines
8.8 KiB
YAML
209 lines
8.8 KiB
YAML
name: Deploy Production
|
|
run-name: Triggered by ${{ github.actor }}
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
tag:
|
|
description: "Image tag to deploy. Defaults to the last commit SHA in the branch."
|
|
type: string
|
|
default: ${{ github.sha }}
|
|
required: false
|
|
|
|
concurrency:
|
|
group: "production-deploy"
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
sanity-check:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Ensure CI passed for the given sha
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
gh api \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
"repos/firezone/firezone/actions/runs?head_sha=${{ inputs.tag }}&status=success" \
|
|
| jq -e '.workflow_runs | length > 0' || exit 1
|
|
|
|
push:
|
|
needs: sanity-check
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
packages: write
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
image: [domain, api, web, gateway, relay, client]
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
- name: Login to staging registry
|
|
uses: ./.github/actions/gcp-docker-login
|
|
id: login-staging
|
|
with:
|
|
project: firezone-staging
|
|
- name: Login to production registry
|
|
uses: ./.github/actions/gcp-docker-login
|
|
id: login-production
|
|
with:
|
|
project: firezone-prod
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
|
|
with:
|
|
# We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
|
|
# supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
|
|
# We should for any updates on buildx and on the setup-buildx-action itself.
|
|
driver-opts: |
|
|
image=moby/buildkit:v0.15.1
|
|
- name: Pull and push images
|
|
run: |
|
|
set -xe
|
|
|
|
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
|
|
|
|
docker buildx imagetools create \
|
|
-t ${{ steps.login-production.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} \
|
|
$SOURCE_TAG
|
|
- name: Authenticate to Google Cloud
|
|
id: auth
|
|
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
|
|
with:
|
|
workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions"
|
|
service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com"
|
|
export_environment_variables: true
|
|
create_credentials_file: true
|
|
- name: Copy Google Cloud Storage binaries to "edge" version
|
|
# TODO: Add relay here when we deploy Relay from prod artifacts instead of Docker
|
|
# To do that properly we need to:
|
|
# - Update publish.yml to publish versioned Relays too (and start versioning Relay changes)
|
|
# - Add arm64 and armv7l architectures to the Relay builds (we only build for amd64 currently because that's all we need to)
|
|
if: ${{ matrix.image == 'gateway' || matrix.image == 'client' }}
|
|
run: |
|
|
set -xe
|
|
|
|
ARCHITECTURES=(x86_64 aarch64 armv7)
|
|
|
|
for arch in "${ARCHITECTURES[@]}"; do
|
|
# Copy sha256sum.txt
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}.sha256sum.txt
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt
|
|
|
|
# Copy binaries
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}
|
|
gcloud storage cp \
|
|
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
|
|
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}
|
|
done
|
|
|
|
deploy-production:
|
|
needs: push
|
|
runs-on: ubuntu-22.04
|
|
environment: gcp_production
|
|
permissions:
|
|
contents: write
|
|
env:
|
|
TF_CLOUD_ORGANIZATION: "firezone"
|
|
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
|
|
TF_WORKSPACE: "production"
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
- name: Tool Versions
|
|
id: versions
|
|
uses: marocchino/tool-versions-action@18a164fa2b0db1cc1edf7305fcb17ace36d1c306 # v1.2.0
|
|
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
|
|
with:
|
|
terraform_version: ${{ steps.versions.outputs.terraform }}
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ github.event.workflow_run.head_branch }}
|
|
- name: Upload Configuration
|
|
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
|
|
id: apply-upload
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
# Subdirectory is set in the project settings:
|
|
# https://app.terraform.io/app/firezone/workspaces/production/settings/general
|
|
directory: "./"
|
|
- name: Create Plan Run
|
|
uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
|
|
id: apply-run
|
|
env:
|
|
TF_VAR_image_tag: '"${{ inputs.tag }}"'
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
|
|
- name: Apply
|
|
uses: hashicorp/tfc-workflows-github/actions/apply-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
|
|
if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
|
|
id: apply
|
|
with:
|
|
run: ${{ steps.apply-run.outputs.run_id }}
|
|
comment: "Apply Run from GitHub Actions CI ${{ inputs.tag }}"
|
|
|
|
# Some intrepid users are self-hosting these, so support them as best we can by making our
|
|
# infrastructure images available to them.
|
|
publish-infra-images:
|
|
# Only publish if our own deploy was successful
|
|
needs: deploy-production
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
packages: write
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
image: [domain, api, web, relay]
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
- name: Login to staging registry
|
|
uses: ./.github/actions/gcp-docker-login
|
|
id: login-staging
|
|
with:
|
|
project: firezone-staging
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
|
|
with:
|
|
# We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
|
|
# supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
|
|
# We should for any updates on buildx and on the setup-buildx-action itself.
|
|
driver-opts: |
|
|
image=moby/buildkit:v0.15.1
|
|
- name: Pull and push
|
|
run: |
|
|
set -xe
|
|
|
|
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
|
|
|
|
docker buildx imagetools create \
|
|
-t ghcr.io/firezone/${{ matrix.image }}:${{ inputs.tag }} \
|
|
-t ghcr.io/firezone/${{ matrix.image }}:latest \
|
|
$SOURCE_TAG
|
|
|
|
update-vercel:
|
|
needs: deploy-production
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
VERCEL_TEAM_ID: firezone
|
|
VERCEL_EDGE_CONFIG_ID: ecfg_hmorgeez26rwyncgsuj1yaibfx4p
|
|
steps:
|
|
- name: Update FIREZONE_DEPLOYED_SHA
|
|
run: |
|
|
curl --fail -X PATCH "https://api.vercel.com/v1/edge-config/${VERCEL_EDGE_CONFIG_ID}/items?teamId=${VERCEL_TEAM_ID}" \
|
|
-H "Authorization: Bearer ${{ secrets.VERCEL_TOKEN }}" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{ "items": [ { "operation": "upsert", "key": "deployed_sha", "value": "${{ inputs.tag }}" } ] }'
|