firezone/.github/workflows/_deploy_production.yml

name: Deploy Production
run-name: Triggered by ${{ github.actor }}
on:
  workflow_call:
    inputs:
      tag:
        description: "Image tag to deploy. Defaults to the last commit SHA in the branch."
        type: string
        default: ${{ github.sha }}
        required: false

concurrency:
  group: "production-deploy"
  cancel-in-progress: false

jobs:
  sanity-check:
    runs-on: ubuntu-22.04
    steps:
      - name: Ensure CI passed for the given sha
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh api \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "repos/firezone/firezone/actions/runs?head_sha=${{ inputs.tag }}&status=success" \
            | jq -e '.workflow_runs | length > 0' || exit 1

  push:
    needs: sanity-check
    runs-on: ubuntu-22.04
    permissions:
      packages: write
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        image: [domain, api, web, gateway, relay, client]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Login to staging registry
        uses: ./.github/actions/gcp-docker-login
        id: login-staging
        with:
          project: firezone-staging
      - name: Login to production registry
        uses: ./.github/actions/gcp-docker-login
        id: login-production
        with:
          project: firezone-prod
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        with:
          # We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
          # supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
          # We should for any updates on buildx and on the setup-buildx-action itself.
          driver-opts: |
            image=moby/buildkit:v0.15.1
      - name: Pull and push images
        run: |
          set -xe

          SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}

          docker buildx imagetools create \
            -t ${{ steps.login-production.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} \
            $SOURCE_TAG
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
        with:
          workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions"
          service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com"
          export_environment_variables: true
          create_credentials_file: true
      - name: Copy Google Cloud Storage binaries to "edge" version
        # TODO: Add relay here when we deploy Relay from prod artifacts instead of Docker
        # To do that properly we need to:
        #   - Update publish.yml to publish versioned Relays too (and start versioning Relay changes)
        #   - Add arm64 and armv7l architectures to the Relay builds (we only build for amd64 currently because that's all we need to)
        if: ${{ matrix.image == 'gateway' || matrix.image == 'client' }}
        run: |
          set -xe

          ARCHITECTURES=(x86_64 aarch64 armv7)

          for arch in "${ARCHITECTURES[@]}"; do
            # Copy sha256sum.txt
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
              gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}.sha256sum.txt
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
              gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt

            # Copy binaries
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
              gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
              gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}
          done

  deploy-production:
    needs: push
    runs-on: ubuntu-22.04
    environment: gcp_production
    permissions:
      contents: write
    env:
      TF_CLOUD_ORGANIZATION: "firezone"
      TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
      TF_WORKSPACE: "production"
    steps:
      # First, checkout the main ref for setting up Terraform
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true
          ssh-key: ${{ secrets.ENVIRONMENTS_REPO_DEPLOY_KEY }}
      - name: Tool Versions
        id: versions
        uses: marocchino/tool-versions-action@18a164fa2b0db1cc1edf7305fcb17ace36d1c306 # v1.2.0
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: ${{ steps.versions.outputs.terraform }}
      # Then, checkout the ref specified in the workflow run
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
          submodules: true
          ssh-key: ${{ secrets.ENVIRONMENTS_REPO_DEPLOY_KEY }}
      - name: Upload Configuration
        uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
        id: apply-upload
        with:
          workspace: ${{ env.TF_WORKSPACE }}
          # Subdirectory is set in the project settings:
          # https://app.terraform.io/app/firezone/workspaces/production/settings/general
          directory: "./"
      - name: Create Plan Run
        uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
        id: apply-run
        env:
          TF_VAR_image_tag: '"${{ inputs.tag }}"'
        with:
          workspace: ${{ env.TF_WORKSPACE }}
          configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
      - name: Apply
        uses: hashicorp/tfc-workflows-github/actions/apply-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
        if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
        id: apply
        with:
          run: ${{ steps.apply-run.outputs.run_id }}
          comment: "Apply Run from GitHub Actions CI ${{ inputs.tag }}"

  # Some intrepid users are self-hosting these, so support them as best we can by making our
  # infrastructure images available to them.
  publish-infra-images:
    # Only publish if our own deploy was successful
    needs: deploy-production
    runs-on: ubuntu-22.04
    permissions:
      packages: write
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        image: [domain, api, web, relay]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Login to staging registry
        uses: ./.github/actions/gcp-docker-login
        id: login-staging
        with:
          project: firezone-staging
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        with:
          # We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
          # supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
          # We should for any updates on buildx and on the setup-buildx-action itself.
          driver-opts: |
            image=moby/buildkit:v0.15.1
      - name: Pull and push
        run: |
          set -xe

          SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}

          docker buildx imagetools create \
            -t ghcr.io/firezone/${{ matrix.image }}:${{ inputs.tag }} \
            -t ghcr.io/firezone/${{ matrix.image }}:latest \
            $SOURCE_TAG

  update-vercel:
    needs: deploy-production
    runs-on: ubuntu-22.04
    env:
      VERCEL_TEAM_ID: firezone
      VERCEL_EDGE_CONFIG_ID: ecfg_hmorgeez26rwyncgsuj1yaibfx4p
    steps:
      - name: Update FIREZONE_DEPLOYED_SHA
        run: |
          curl --fail -X PATCH "https://api.vercel.com/v1/edge-config/${VERCEL_EDGE_CONFIG_ID}/items?teamId=${VERCEL_TEAM_ID}" \
            -H "Authorization: Bearer ${{ secrets.VERCEL_TOKEN }}" \
            -H "Content-Type: application/json" \
            -d '{ "items": [ { "operation": "upsert", "key": "deployed_sha", "value": "${{ inputs.tag }}" } ] }'