firezone/.github/workflows/cd.yml

name: Continuous Delivery
on:
  # Used for debugging the workflow by manually calling it
  workflow_dispatch:
    inputs:
      deploy-staging:
        description: "Also deploy to staging. By default the deploy is not executed when triggering this workflow manually."
        type: boolean
        default: false
        required: false
  push:
    branches:
      - main

env:
  # mark:automatic-version
  VERSION: "1.0.3"

jobs:
  # Builds images that match what's default in docker-compose.yml for
  # local development.
  build-dev-images:
    uses: ./.github/workflows/_build_artifacts.yml
    secrets: inherit
    with:
      tag_name: "${{ github.ref_name }}"
      image_prefix: "dev"
      stage: "debug"
      profile: "debug"

  # Re-run CI checks to make sure everything's green, since "Merging as administrator"
  # won't trigger these in the merge group.
  ci:
    uses: ./.github/workflows/ci.yml
    secrets: inherit
    with:
      profile: "release"
      stage: "release"

  deploy-staging:
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.deploy-staging }}
    runs-on: ubuntu-22.04
    permissions:
      contents: write
    # Cancel old workflow runs if new code is pushed
    concurrency:
      group: "staging-deploy-${{ github.workflow }}-${{ github.ref }}"
      cancel-in-progress: false
    needs: ci
    env:
      TF_CLOUD_ORGANIZATION: "firezone"
      TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
      TF_WORKSPACE: "staging"
    steps:
      - uses: actions/checkout@v4
      - name: Tool Versions
        id: versions
        uses: marocchino/tool-versions-action@v1.2.0
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ steps.versions.outputs.terraform }}
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
      - name: Upload Configuration
        uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.3.0
        id: apply-upload
        with:
          workspace: ${{ env.TF_WORKSPACE }}
          # Subdirectory is set in the project settings:
          # https://app.terraform.io/app/firezone/workspaces/staging/settings/general
          directory: "./"
      - name: Create Plan Run
        uses: hashicorp/tfc-workflows-github/actions/create-run@v1.3.0
        id: apply-run
        env:
          TF_VAR_image_tag: '"${{ env.VERSION }}-${{ github.sha }}"'
        with:
          workspace: ${{ env.TF_WORKSPACE }}
          configuration_version:
            ${{ steps.apply-upload.outputs.configuration_version_id }}
      - name: Apply
        uses: hashicorp/tfc-workflows-github/actions/apply-run@v1.3.0
        if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
        id: apply
        with:
          run: ${{ steps.apply-run.outputs.run_id }}
          comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"