firezone/.github/workflows/cd.yml

name: Continuous Delivery
on:
  push:
    branches:
      - main

env:
  # mark:automatic-version
  VERSION: "1.20231001.0"

jobs:
  ci:
    uses: ./.github/workflows/ci.yml
    secrets: inherit

  deploy-staging:
    runs-on: ubuntu-22.04
    # if: ${{ github.event.workflow_run.conclusion == 'success' }}
    permissions:
      contents: write
    # Cancel old workflow runs if new code is pushed
    concurrency:
      group: "staging-deploy-${{ github.workflow }}-${{ github.ref }}"
      cancel-in-progress: false
    needs:
      - ci
    env:
      TF_CLOUD_ORGANIZATION: "firezone"
      TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
      TF_WORKSPACE: "staging"
    steps:
      - name: Get Terraform Version
        run: |
          TERRAFORM_VERSION=$(cat .tool-versions | grep terraform | awk '{ print $NF; }')
          echo "TERRAFORM_VERSION=${TERRAFORM_VERSION}" >> $GITHUB_ENV
      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: ${{ env.TERRAFORM_VERSION }}
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
      # - name: "Push Changed Application Tags"
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #     FILE_TO_COMMIT: terraform/environments/staging/versions.auto.tfvars
      #     DESTINATION_BRANCH: ${{ github.ref_name }}
      #   run: |
      #     sed -ri 's/^(\s*)(api_image_tag\s*=\s*"[^"]*"\s*$)/api_image_tag = "${{ github.sha }}"/' ./terraform/environments/staging/versions.auto.tfvars
      #     sed -ri 's/^(\s*)(web_image_tag\s*=\s*"[^"]*"\s*$)/web_image_tag = "${{ github.sha }}"/' ./terraform/environments/staging/versions.auto.tfvars
      #     cat ./terraform/environments/staging/versions.auto.tfvars

      #     export TODAY=$( date -u '+%Y-%m-%d' )
      #     export SHA=$( git rev-parse $DESTINATION_BRANCH:$FILE_TO_COMMIT )
      #     export CONTENT=$( base64 -i $FILE_TO_COMMIT )

      #     gh api \
      #       --method PUT /repos/${{ github.repository }}/contents/$FILE_TO_COMMIT \
      #       --field message="Push updated container versions [skip actions]" \
      #       --field content="$CONTENT" \
      #       --field encoding="base64" \
      #       --field branch="$DESTINATION_BRANCH" \
      #       --field sha="$SHA"
      - name: Upload Configuration
        uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.0.4
        id: apply-upload
        with:
          workspace: ${{ env.TF_WORKSPACE }}
          # Subdirectory is set in the project settings:
          # https://app.terraform.io/app/firezone/workspaces/staging/settings/general
          directory: "./"
      - name: Create Plan Run
        uses: hashicorp/tfc-workflows-github/actions/create-run@v1.0.4
        id: apply-run
        env:
          TF_VAR_image_tag: '"${{ env.VERSION }}-${{ github.sha }}"'
        with:
          workspace: ${{ env.TF_WORKSPACE }}
          configuration_version:
            ${{ steps.apply-upload.outputs.configuration_version_id }}
      - name: Apply
        uses: hashicorp/tfc-workflows-github/actions/apply-run@v1.0.4
        if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
        id: apply
        with:
          run: ${{ steps.apply-run.outputs.run_id }}
          comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"
      - name: Report Status
        if: failure()
        uses: rtCamp/action-slack-notify@v2
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_USERNAME: "GitHub Actions"
          SLACK_COLOR: "#ff0000"
          MSG_MINIMAL: "ref,actions url"
          SLACK_TITLE: "Deployment Failed"
          SLACK_MESSAGE:
            "Automatic deployment to ${{ env.TF_WORKSPACE }} failed"
        with:
          status: ${{ job.status }}
          notify_when: "failure"

  update-release-draft:
    needs: deploy-staging
    runs-on: ubuntu-22.04
    permissions:
      # write permission is required to create a github release
      contents: write
      # autolabeler
      pull-requests: write
    steps:
      - uses: release-drafter/release-drafter@v5
        id: update-release-draft
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          prerelease: true
          version: ${{ env.VERSION }}

  build-push-release-artifacts:
    permissions:
      id-token: write
      contents: write
    needs: update-release-draft
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: ./rust
    strategy:
      fail-fast: false
      matrix:
        arch:
          - target: x86_64-unknown-linux-musl
            platform: linux/amd64
          - target: aarch64-unknown-linux-musl # E.g. AWS Graviton
            platform: linux/arm64
          - target: armv7-unknown-linux-musleabihf # E.g. Raspberry Pi
            platform: linux/arm/v7
          # Requires ring v0.17 which a number of our dependencies don't yet support
          # - target: mips64-unknown-linux-muslabi64 # E.g. UniFi Routers
          #   platform: linux/mips64le
        name:
          - package: firezone-linux-client
            artifact: client
          - package: firezone-relay
            artifact: relay
          - package: firezone-gateway
            artifact: gateway
    env:
      BINARY_DEST_PATH: ${{ matrix.name.artifact }}-${{ matrix.arch.target }}
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-rust
        with:
          targets: aarch64-unknown-linux-musl armv7-unknown-linux-musleabihf
      - uses: taiki-e/install-action@v2
        with:
          tool: cross
      - name: Build release binaries
        env:
          CARGO_OUTPUT_FILE:
            target/${{ matrix.arch.target }}/release/${{ matrix.name.package }}
        run: |
          dest="$BINARY_DEST_PATH-$VERSION"
          cross build --release -p ${{ matrix.name.package }} --target ${{ matrix.arch.target }}
          mv $CARGO_OUTPUT_FILE $dest
          cp $dest ${{ matrix.name.package }}
          sha256sum $dest > $dest.sha256sum.txt
      - name: Push binaries
        uses: softprops/action-gh-release@v1
        with:
          name: ${{ needs.update-release-draft.steps.update-release-draft.outputs.name }}
          draft: true
          files: |
            rust/${{ env.BINARY_DEST_PATH }}*
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
          # supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
          # We should for any updates on buildx and on the setup-buildx-action itself.
          driver-opts: |
            image=moby/buildkit:v0.12.0
      - uses: ./.github/actions/gcp-docker-login
        id: login
        with:
          project: firezone-staging
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ steps.login.outputs.registry }}/firezone/${{ matrix.name.artifact }}
          tags: |
            type=raw,value=${{ github.sha }}
            type=raw,value=${{ env.VERSION }}
      - name: Build and push release Docker images by digest
        id: build
        uses: docker/build-push-action@v5
        with:
          platforms: ${{ matrix.arch.platform }}
          build-args: |
            PACKAGE=${{ matrix.name.package }}
            TARGET=${{ matrix.arch.target }}
          context: rust
          cache-from: |
            type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.artifact }}:main
          cache-to: |
            type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.artifact }}:main
          target: release
          outputs: type=image,name=${{ steps.login.outputs.registry }}/firezone/${{ matrix.name.artifact}},push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
        run: |
          mkdir -p /tmp/digests/${{ matrix.name.artifact }}
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${{ matrix.name.artifact }}/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v3
        with:
          name: digests
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1

  merge-release-artifacts:
    permissions:
      id-token: write
    needs: build-push-release-artifacts
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        include:
          - image_name: relay
          - image_name: gateway
          - image_name: client
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/gcp-docker-login
        id: login
        with:
          project: firezone-staging
      - name: Download digests
        uses: actions/download-artifact@v3
        with:
          name: digests
          path: /tmp/digests
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images:
            ${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}
          tags: |
            type=raw,value=${{ github.sha }}
            type=raw,value=${{ env.VERSION }}
      - name: Create manifest list and push
        working-directory: /tmp/digests/${{ matrix.image_name }}
        run: |
          tags=$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")
          sources=$(printf '${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}@sha256:%s ' *)
          echo "$sources"
          docker buildx imagetools create $tags $sources
          docker buildx imagetools inspect "${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}"