Merge pull request #60 from PromptOn/google-oauth #83
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# See more: https://github.com/marketplace/actions/deploy-to-cloud-run | |
name: Server Build and Deploy | |
defaults: | |
run: | |
working-directory: server | |
on: | |
push: | |
paths: | |
- "server/**" | |
- ".github/workflows/**" | |
branches: | |
- staging | |
- main | |
workflow_dispatch: | |
jobs: | |
deploy-server: | |
environment: | |
name: ${{ github.ref == 'main' && 'production' || 'staging' }} | |
url: ${{ steps.deploy.outputs.url }} | |
env: | |
GITHUB_ENV: ${{ github.ref == 'main' && 'production' || 'staging' }} | |
PROJECT_ID: ${{ vars.GC_PROJECT_ID }} | |
GAR_LOCATION: ${{ vars.GC_GAR_LOCATION }} | |
SERVICE: ${{ vars.GC_SERVICE_NAME }} | |
REGION: ${{ vars.GC_SERVICE_REGION }} | |
IMAGE_URL: ${{ vars.GC_GAR_LOCATION }}-docker.pkg.dev/${{ vars.GC_PROJECT_ID }}/${{ vars.GC_ARTIFACTS_REPO_NAME }}/${{ vars.GC_SERVICE_NAME }} | |
# Add 'id-token' with the intended permissions for workload identity federation | |
permissions: | |
contents: "read" | |
id-token: "write" | |
runs-on: ubuntu-latest | |
steps: | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v4 | |
with: | |
images: | | |
${{ env.IMAGE_URL}} | |
tags: | | |
type=sha | |
type=raw,value=${{ github.ref == 'main' && 'production' || 'staging' }} | |
type=pep440,pattern={{version}} | |
type=schedule | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: "server/" | |
- name: Google Auth | |
id: auth | |
uses: "google-github-actions/auth@v1" | |
with: | |
token_format: "access_token" | |
workload_identity_provider: "${{ secrets.GC_WIF_PROVIDER }}" # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider | |
service_account: "${{ secrets.GC_WIF_SERVICE_ACCOUNT }}" # e.g. - [email protected] | |
# BEGIN - Docker auth and build | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
# Authenticate Docker to Google Cloud Artifact Registry | |
- name: Docker Auth | |
id: docker-auth | |
uses: docker/login-action@v2 | |
with: | |
username: "oauth2accesstoken" | |
password: "${{ steps.auth.outputs.access_token }}" | |
registry: "${{ env.GAR_LOCATION }}-docker.pkg.dev" | |
- name: Build Docker image and push to GC Artifact Registry | |
id: docker-build | |
uses: docker/build-push-action@v4 | |
with: | |
context: server | |
file: ./server/Dockerfile | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
# END - Docker auth and build | |
- name: Deploy Docker image to Cloud Run | |
id: deploy | |
uses: google-github-actions/deploy-cloudrun@v1 | |
with: | |
service: ${{ env.SERVICE }} | |
region: ${{ env.REGION }} | |
image: ${{ env.IMAGE_URL}}@${{ steps.docker-build.outputs.digest}} | |
flags: "--vpc-connector=${{vars.GC_VPC_CONNECTOR}} --vpc-egress=all-traffic" # see: https://cloud.google.com/run/docs/configuring/static-outbound-ip | |
env_vars: | | |
MONGO_DATABASE=${{ vars.MONGO_DATABASE }} | |
DATABASE_URL=${{ secrets.DATABASE_URL }} | |
JWT_SECRET_KEY=${{ secrets.JWT_SECRET_KEY }} | |
GOOGLE_CLIENT_ID=${{ secrets.GOOGLE_CLIENT_ID }} | |
GOOGLE_CLIENT_SECRET=${{ secrets.GOOGLE_CLIENT_SECRET }} | |
STARLETTE_SESSION_SECRET=${{ secrets.STARLETTE_SESSION_SECRET }} | |
GITHUB_SHA=${{ github.sha }} | |
GITHUB_ENV=${{ env.GITHUB_ENV }} | |
# TODO: JWT_SECRET_KEY and DATABASE_URL should be passed as secret b/c it's exposed in gcloud run logs | |
# secrets: | | |
- name: Summary | |
run: | | |
echo "Deploy url: ${{ steps.deploy.outputs.url }}" | |
echo "MONGO_DATABASE: ${{ vars.MONGO_DATABASE }}", | |
echo "GC_SERVICE_NAME :${{ env.SERVICE }}" | |
echo "github.ref: ${{ github.ref }}" | |
echo "github.ref_name: ${{ github.ref_name }}" | |
echo "github env calc: ${{ github.ref == 'main' && 'production' || 'staging' }}" | |
echo "GITHUB_ENV: ${{ env.GITHUB_ENV }}" | |
echo "github.sha: ${{ github.sha }}" | |
echo "github.job: ${{ github.job }}" |