-
Notifications
You must be signed in to change notification settings - Fork 1
121 lines (105 loc) · 4.26 KB
/
gcr-deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# See more: https://github.com/marketplace/actions/deploy-to-cloud-run
name: Server Build and Deploy
defaults:
run:
working-directory: server
on:
push:
paths:
- "server/**"
- ".github/workflows/**"
branches:
- staging
- main
workflow_dispatch:
jobs:
deploy-server:
environment:
name: ${{ github.ref == 'main' && 'production' || 'staging' }}
url: ${{ steps.deploy.outputs.url }}
env:
GITHUB_ENV: ${{ github.ref == 'main' && 'production' || 'staging' }}
PROJECT_ID: ${{ vars.GC_PROJECT_ID }}
GAR_LOCATION: ${{ vars.GC_GAR_LOCATION }}
SERVICE: ${{ vars.GC_SERVICE_NAME }}
REGION: ${{ vars.GC_SERVICE_REGION }}
IMAGE_URL: ${{ vars.GC_GAR_LOCATION }}-docker.pkg.dev/${{ vars.GC_PROJECT_ID }}/${{ vars.GC_ARTIFACTS_REPO_NAME }}/${{ vars.GC_SERVICE_NAME }}
# Add 'id-token' with the intended permissions for workload identity federation
permissions:
contents: "read"
id-token: "write"
runs-on: ubuntu-latest
steps:
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: |
${{ env.IMAGE_URL}}
tags: |
type=sha
type=raw,value=${{ github.ref == 'main' && 'production' || 'staging' }}
type=pep440,pattern={{version}}
type=schedule
- name: Checkout
uses: actions/checkout@v3
with:
sparse-checkout: "server/"
- name: Google Auth
id: auth
uses: "google-github-actions/auth@v1"
with:
token_format: "access_token"
workload_identity_provider: "${{ secrets.GC_WIF_PROVIDER }}" # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
service_account: "${{ secrets.GC_WIF_SERVICE_ACCOUNT }}" # e.g. - [email protected]
# BEGIN - Docker auth and build
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
# Authenticate Docker to Google Cloud Artifact Registry
- name: Docker Auth
id: docker-auth
uses: docker/login-action@v2
with:
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
registry: "${{ env.GAR_LOCATION }}-docker.pkg.dev"
- name: Build Docker image and push to GC Artifact Registry
id: docker-build
uses: docker/build-push-action@v4
with:
context: server
file: ./server/Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# END - Docker auth and build
- name: Deploy Docker image to Cloud Run
id: deploy
uses: google-github-actions/deploy-cloudrun@v1
with:
service: ${{ env.SERVICE }}
region: ${{ env.REGION }}
image: ${{ env.IMAGE_URL}}@${{ steps.docker-build.outputs.digest}}
flags: "--vpc-connector=${{vars.GC_VPC_CONNECTOR}} --vpc-egress=all-traffic" # see: https://cloud.google.com/run/docs/configuring/static-outbound-ip
env_vars: |
MONGO_DATABASE=${{ vars.MONGO_DATABASE }}
DATABASE_URL=${{ secrets.DATABASE_URL }}
JWT_SECRET_KEY=${{ secrets.JWT_SECRET_KEY }}
GOOGLE_CLIENT_ID=${{ secrets.GOOGLE_CLIENT_ID }}
GOOGLE_CLIENT_SECRET=${{ secrets.GOOGLE_CLIENT_SECRET }}
STARLETTE_SESSION_SECRET=${{ secrets.STARLETTE_SESSION_SECRET }}
GITHUB_SHA=${{ github.sha }}
GITHUB_ENV=${{ env.GITHUB_ENV }}
# TODO: JWT_SECRET_KEY and DATABASE_URL should be passed as secret b/c it's exposed in gcloud run logs
# secrets: |
- name: Summary
run: |
echo "Deploy url: ${{ steps.deploy.outputs.url }}"
echo "MONGO_DATABASE: ${{ vars.MONGO_DATABASE }}",
echo "GC_SERVICE_NAME :${{ env.SERVICE }}"
echo "github.ref: ${{ github.ref }}"
echo "github.ref_name: ${{ github.ref_name }}"
echo "github env calc: ${{ github.ref == 'main' && 'production' || 'staging' }}"
echo "GITHUB_ENV: ${{ env.GITHUB_ENV }}"
echo "github.sha: ${{ github.sha }}"
echo "github.job: ${{ github.job }}"