Skip to content
Main Deployment Workflow

Main Deployment Run #85 (via @jeffwecan) #85

Sign in to view logs

Main Deployment Run #85 (via @jeffwecan)

Main Deployment Run #85 (via @jeffwecan) #85

Workflow file for this run

.github/workflows/main.yml at a980bbb
name: Main Deployment Workflow
run-name: "Main Deployment Run #${{ github.run_number }} (via @${{ github.actor }})"
concurrency:
group: "deploy"
cancel-in-progress: false
on:
push:
branches: [main]
workflow_dispatch: {}
# jscpd:ignore-start
jobs:
build_images:
name: Build Images
uses: ./.github/workflows/image_build_and_publish.yml
deploy-infra-and-services:
name: Deploy Infrastructure & Services
runs-on: ubuntu-latest
needs: [build_images]
environment:
name: production
url: "https://card.losverd.es"
# TODO: maybe don't have a static URL here? I.e.:
# url: ${{ steps.build-and-publish.outputs.site_url }}
permissions:
contents: "read"
id-token: "write"
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup just
uses: taiki-e/install-action@v2
with:
tool: just
- name: Utilize .terraform cache
uses: actions/cache@v3
with:
path: terraform/.terraform
key: ${{ hashFiles('terraform/.terraform.lock.hcl') }}
- name: Read .terraform-version
id: read_tf_version
run: just set-tf-ver-output
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.read_tf_version.outputs.terraform_version }}
terraform_wrapper: false
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
id: auth
with:
workload_identity_provider: "projects/567739286055/locations/global/workloadIdentityPools/los-verdes-digital-membership/providers/los-verdes-digital-membership"
service_account: "[email protected]"
access_token_scopes: "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/sqlservice.admin"
token_format: access_token
access_token_lifetime: 1800s
- name: Plan
run: |
just tf init
just tf plan
env:
TF_VAR_website_image: "gcr.io/lv-digital-membership/website:sha-${{ needs.build_images.outputs.short_sha_tag }}"
TF_VAR_worker_image: "gcr.io/lv-digital-membership/worker:sha-${{ needs.build_images.outputs.short_sha_tag }}"
TF_VAR_management_sql_user_password: ${{ secrets.management_sql_user_password }}
- name: Apply
run: just tf apply -auto-approve
env:
TF_VAR_website_image: "gcr.io/lv-digital-membership/website:sha-${{ needs.build_images.outputs.short_sha_tag }}"
TF_VAR_worker_image: "gcr.io/lv-digital-membership/worker:sha-${{ needs.build_images.outputs.short_sha_tag }}"
TF_VAR_management_sql_user_password: ${{ secrets.management_sql_user_password }}
upload-statics-to-gcs:
name: Upload Statics to GCS
needs: deploy-infra-and-services
permissions:
contents: "read"
id-token: "write"
uses: los-verdes/digital-membership/.github/workflows/just_cloudbuild.yml@main
with:
# TODO: add a CloudFlare cache purge somewhere 'round here....
command: cloudbuild-upload-statics
apply-database-config:
name: Apply Database Configuration
runs-on: ubuntu-latest
needs: deploy-infra-and-services
permissions:
contents: "read"
id-token: "write"
outputs:
management_sql_user_name: ${{ steps.just-configure-database.outputs.management_sql_user_name }}
management_sql_user_password: ${{ steps.just-configure-database.outputs.management_sql_user_password }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup just
uses: taiki-e/install-action@v2
with:
tool: just
- name: Utilize .terraform cache
uses: actions/cache@v3
with:
path: terraform/.terraform
key: ${{ hashFiles('terraform/.terraform.lock.hcl') }}
- name: Read .terraform-version
id: read_tf_version
run: just set-tf-ver-output
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.read_tf_version.outputs.terraform_version }}
terraform_wrapper: false
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
id: auth
with:
workload_identity_provider: "projects/567739286055/locations/global/workloadIdentityPools/los-verdes-digital-membership/providers/los-verdes-digital-membership"
service_account: "[email protected]"
access_token_scopes: "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/sqlservice.admin"
token_format: access_token
access_token_lifetime: 1800s
- name: Create Google application creds secret
id: google-app-creds
run: |
creds="$(cat '${{ env.GOOGLE_APPLICATION_CREDENTIALS }}')"
echo "::add-mask::$creds"
echo "creds=$creds" | tee --append "$GITHUB_OUTPUT"
- name: Start Google Cloud SQL Proxy
uses: mattes/gce-cloudsql-proxy-action@v1
with:
creds: ${{ steps.google-app-creds.outputs.creds }}
# TODO: load instance from TF outputs...
instance: lv-digital-membership:us-central1:lv-digital-membership-6b6a7153
- name: Configure Database ACLs
id: just-configure-database
run: just configure-database
- name: TMP print sql username
run: echo ${{ steps.just-configure-database.outputs.management_sql_user_name }}
apply-database-migrations:
name: Apple Database Migrations
needs: apply-database-config
permissions:
contents: "read"
id-token: "write"
uses: los-verdes/digital-membership/.github/workflows/flask_command.yml@main
with:
command: apply-migrations
flask_env: "remote-sql"
management_sql_user_name: ${{ needs.apply-database-config.outputs.management_sql_user_name }}
secrets:
management_sql_user_password: ${{ secrets.management_sql_user_password }}
# jscpd:ignore-end