feat: update envoy lds config with auth jwks, oidc URLs, strip `sb-op… #242
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release AMI Nix | |
on: | |
push: | |
branches: | |
- develop | |
- release/* | |
paths: | |
- '.github/workflows/ami-release-nix.yml' | |
- 'common-nix.vars.pkr.hcl' | |
workflow_dispatch: | |
jobs: | |
build: | |
strategy: | |
matrix: | |
include: | |
- runner: arm-runner | |
arch: arm64 | |
ubuntu_release: focal | |
ubuntu_version: 20.04 | |
mcpu: neoverse-n1 | |
runs-on: ${{ matrix.runner }} | |
timeout-minutes: 150 | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
steps: | |
- name: Checkout Repo | |
uses: actions/checkout@v3 | |
- name: Run checks if triggered manually | |
if: ${{ github.event_name == 'workflow_dispatch' }} | |
# Update `ci.yaml` too if changing constraints. | |
run: | | |
SUFFIX=$(sed -E 's/postgres-version = "[0-9\.]+(.*)"/\1/g' common-nix.vars.pkr.hcl) | |
if [[ -z $SUFFIX ]] ; then | |
echo "Version must include non-numeric characters if built manually." | |
exit 1 | |
fi | |
# extensions are build in nix prior to this step | |
# so we can just use the binaries from the nix store | |
# for postgres, extensions and wrappers | |
- name: Build AMI stage 1 | |
run: | | |
packer init amazon-arm64-nix.pkr.hcl | |
GIT_SHA=${{github.sha}} | |
packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" amazon-arm64-nix.pkr.hcl | |
- name: Build AMI stage 2 | |
run: | | |
packer init stage2-nix-psql.pkr.hcl | |
GIT_SHA=${{github.sha}} | |
packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl | |
- name: Grab release version | |
id: process_release_version | |
run: | | |
VERSION=$(sed -e 's/postgres-version = "\(.*\)"/\1/g' common-nix.vars.pkr.hcl) | |
echo "version=$VERSION" >> "$GITHUB_OUTPUT" | |
- name: Create nix flake revision tarball | |
run: | | |
GIT_SHA=${{github.sha}} | |
MAJOR_VERSION=$(echo "${{ steps.process_release_version.outputs.version }}" | cut -d. -f1) | |
mkdir -p "/tmp/pg_upgrade_bin/${MAJOR_VERSION}" | |
echo "$GIT_SHA" >> "/tmp/pg_upgrade_bin/${MAJOR_VERSION}/nix_flake_version" | |
tar -czf "/tmp/pg_binaries.tar.gz" -C "/tmp/pg_upgrade_bin" . | |
- name: configure aws credentials - staging | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.DEV_AWS_ROLE }} | |
aws-region: "us-east-1" | |
- name: Upload software manifest to s3 staging | |
run: | | |
cd ansible | |
ansible-playbook -i localhost \ | |
-e "ami_release_version=${{ steps.process_release_version.outputs.version }}" \ | |
-e "internal_artifacts_bucket=${{ secrets.ARTIFACTS_BUCKET }}" \ | |
manifest-playbook.yml | |
- name: Upload nix flake revision to s3 staging | |
run: | | |
aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz | |
#Our self hosted github runner already has permissions to publish images | |
#but they're limited to only that; | |
#so if we want s3 access we'll need to config credentials with the below steps | |
# (which overwrites existing perms) after the ami build | |
- name: configure aws credentials - prod | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.PROD_AWS_ROLE }} | |
aws-region: "us-east-1" | |
- name: Upload software manifest to s3 prod | |
run: | | |
cd ansible | |
ansible-playbook -i localhost \ | |
-e "ami_release_version=${{ steps.process_release_version.outputs.version }}" \ | |
-e "internal_artifacts_bucket=${{ secrets.PROD_ARTIFACTS_BUCKET }}" \ | |
manifest-playbook.yml | |
- name: Upload nix flake revision to s3 prod | |
run: | | |
aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz | |
- name: Create release | |
uses: softprops/action-gh-release@v1 | |
with: | |
name: ${{ steps.process_release_version.outputs.version }} | |
tag_name: ${{ steps.process_release_version.outputs.version }} | |
target_commitish: ${{github.sha}} | |
- name: Slack Notification on Failure | |
if: ${{ failure() }} | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_WEBHOOK: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK }} | |
SLACK_USERNAME: 'gha-failures-notifier' | |
SLACK_COLOR: 'danger' | |
SLACK_MESSAGE: 'Building Postgres AMI failed' | |
SLACK_FOOTER: '' | |
- name: Cleanup resources on build cancellation | |
if: ${{ always() }} | |
run: | | |
aws ec2 describe-instances --filters "Name=tag:packerExecutionId,Values=${GITHUB_RUN_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -n 1 -I {} aws ec2 terminate-instances --instance-ids {} | |
- name: Cleanup resources on build cancellation | |
if: ${{ cancelled() }} | |
run: | | |
aws ec2 describe-instances --filters "Name=tag:packerExecutionId,Values=${GITHUB_RUN_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -n 1 -I {} aws ec2 terminate-instances --instance-ids {} |