name: Deploy Production run-name: Triggered by ${{ github.actor }} on: workflow_call: inputs: tag: description: "Image tag to deploy. Defaults to the last commit SHA in the branch." type: string default: ${{ github.sha }} required: false concurrency: group: "production-deploy" cancel-in-progress: false jobs: sanity-check: runs-on: ubuntu-22.04 steps: - name: Ensure CI passed for the given sha env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ "repos/firezone/firezone/actions/runs?head_sha=${{ inputs.tag }}&status=success" \ | jq -e '.workflow_runs | length > 0' || exit 1 push: needs: sanity-check runs-on: ubuntu-22.04 permissions: packages: write id-token: write strategy: fail-fast: false matrix: image: [domain, api, web, gateway, relay, client] steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Login to staging registry uses: ./.github/actions/gcp-docker-login id: login-staging with: project: firezone-staging - name: Login to production registry uses: ./.github/actions/gcp-docker-login id: login-production with: project: firezone-prod - name: Set up Docker Buildx uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 with: # We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX # supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9. # We should for any updates on buildx and on the setup-buildx-action itself. driver-opts: | image=moby/buildkit:v0.15.1 - name: Pull and push images run: | set -xe SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} docker buildx imagetools create \ -t ${{ steps.login-production.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} \ $SOURCE_TAG - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 with: workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions" service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com" export_environment_variables: true create_credentials_file: true - name: Copy Google Cloud Storage binaries to "edge" version # TODO: Add relay here when we deploy Relay from prod artifacts instead of Docker # To do that properly we need to: # - Update publish.yml to publish versioned Relays too (and start versioning Relay changes) # - Add arm64 and armv7l architectures to the Relay builds (we only build for amd64 currently because that's all we need to) if: ${{ matrix.image == 'gateway' || matrix.image == 'client' }} run: | set -xe ARCHITECTURES=(x86_64 aarch64 armv7) for arch in "${ARCHITECTURES[@]}"; do # Copy sha256sum.txt gcloud storage cp \ gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \ gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}.sha256sum.txt gcloud storage cp \ gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \ gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt # Copy binaries gcloud storage cp \ gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \ gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch} gcloud storage cp \ gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \ gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} done deploy-production: needs: push runs-on: ubuntu-22.04 environment: gcp_production permissions: contents: write env: TF_CLOUD_ORGANIZATION: "firezone" TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}" TF_WORKSPACE: "production" steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Tool Versions id: versions uses: marocchino/tool-versions-action@18a164fa2b0db1cc1edf7305fcb17ace36d1c306 # v1.2.0 - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: ${{ steps.versions.outputs.terraform }} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.workflow_run.head_branch }} - name: Upload Configuration uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2 id: apply-upload with: workspace: ${{ env.TF_WORKSPACE }} # Subdirectory is set in the project settings: # https://app.terraform.io/app/firezone/workspaces/production/settings/general directory: "./" - name: Create Plan Run uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2 id: apply-run env: TF_VAR_image_tag: '"${{ inputs.tag }}"' with: workspace: ${{ env.TF_WORKSPACE }} configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }} - name: Apply uses: hashicorp/tfc-workflows-github/actions/apply-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2 if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable id: apply with: run: ${{ steps.apply-run.outputs.run_id }} comment: "Apply Run from GitHub Actions CI ${{ inputs.tag }}" # Some intrepid users are self-hosting these, so support them as best we can by making our # infrastructure images available to them. publish-infra-images: # Only publish if our own deploy was successful needs: deploy-production runs-on: ubuntu-22.04 permissions: packages: write id-token: write strategy: fail-fast: false matrix: image: [domain, api, web, relay] steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Login to staging registry uses: ./.github/actions/gcp-docker-login id: login-staging with: project: firezone-staging - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 with: # We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX # supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9. # We should for any updates on buildx and on the setup-buildx-action itself. driver-opts: | image=moby/buildkit:v0.15.1 - name: Pull and push run: | set -xe SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} docker buildx imagetools create \ -t ghcr.io/firezone/${{ matrix.image }}:${{ inputs.tag }} \ -t ghcr.io/firezone/${{ matrix.image }}:latest \ $SOURCE_TAG update-vercel: needs: deploy-production runs-on: ubuntu-22.04 env: VERCEL_TEAM_ID: firezone VERCEL_EDGE_CONFIG_ID: ecfg_hmorgeez26rwyncgsuj1yaibfx4p steps: - name: Update FIREZONE_DEPLOYED_SHA run: | curl --fail -X PATCH "https://api.vercel.com/v1/edge-config/${VERCEL_EDGE_CONFIG_ID}/items?teamId=${VERCEL_TEAM_ID}" \ -H "Authorization: Bearer ${{ secrets.VERCEL_TOKEN }}" \ -H "Content-Type: application/json" \ -d '{ "items": [ { "operation": "upsert", "key": "deployed_sha", "value": "${{ inputs.tag }}" } ] }'