diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml
index 3ee3eee82..5ebb1962e 100644
--- a/.github/workflows/build-all.yml
+++ b/.github/workflows/build-all.yml
@@ -9,10 +9,6 @@ on:
 version:
 default: '0.0.1'
 type: string
- secrets:
- GH_PAT:
- required: true
-
 jobs:
 build-all:
 if: ${{ inputs.build-services == 'contract' }}
@@ -45,7 +41,9 @@ jobs:
 run: curl https://raw.githubusercontent.com/Tenderly/tenderly-cli/master/scripts/install-linux.sh | sudo sh
 - name: Deploy contracts
- run: yarn contracts deploy:devnet
+ run: |
+ mv ./packages/relay/.env.example /packages/relay/.env
+ yarn contracts deploy:devnet
 env:
 TENDERLY_ACCESS_KEY: ${{ secrets.TENDERLY_ACCESS_KEY }}
 TENDERLY_PROJECT_SLUG: ${{ secrets.TENDERLY_PROJECT_SLUG }}
@@ -57,6 +55,15 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GH_PAT }}
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: 'google-github-actions/auth@v1'
+ with:
+ token_format: access_token
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'
+ access_token_lifetime: 300s
+
 - name: Login Registry
 id: docker-auth
 uses: docker/login-action@v1
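Review bot: Dropping the `secrets:` declaration leaves this reusable workflow with no statement of the secrets it consumes, while the third hunk still reads `secrets.GH_PAT` and the new auth step reads `secrets.WIF_PROVIDER` / `secrets.WIF_SERVICE_ACCOUNT`; a caller that does not use `secrets: inherit` gets empty values and the GH_TOKEN and WIF steps only fail at run time. Keeping the block explicit (`secrets:` / `GH_PAT: { required: true }` / `WIF_PROVIDER: { required: true }`, with `WIF_SERVICE_ACCOUNT` and the `TENDERLY_*` names listed the same way) documents the contract and lets callers pass only what is needed instead of inheriting every repository secret. The `on:` block this hunk edits begins above the hunk.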
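Review bot: The destination in the new `mv ./packages/relay/.env.example /packages/relay/.env` line is an absolute path under `/packages`, which does not exist on a hosted runner, so the step should fail before `yarn contracts deploy:devnet` runs; it almost certainly meant the relative path. `cp ./packages/relay/.env.example ./packages/relay/.env` fixes the path and also leaves the tracked example file in place for anything later in the job. The preceding context line still pipes an unpinned remote install script through `sudo sh`; that is pre-existing, but the new step now depends on it, so pinning that script to a commit or checksum would be worth a follow-up.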
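Review bot: The added `Authenticate to Google Cloud` step mints an OIDC token and therefore needs `id-token: write`, but nothing in this hunk grants it; it only works because the caller in main-cd.yml sets the permission on its `build` job, so any other caller (or a future direct trigger) fails at token exchange. Declaring `permissions:` / `contents: read` / `id-token: write` on the `build-all` job itself makes the requirement self-contained and pins the job to the minimum scope it needs. The job header is above this hunk, so I cannot confirm it is not already set there.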
@@ -65,21 +72,15 @@ jobs:
 username: oauth2accesstoken
 password: ${{ steps.auth.outputs.access_token }}
- - name: lower case repository
- run: |
- REPO_STR=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
- echo $REPO_STR
- echo "REPO_STR=$REPO_STR" >> $GITHUB_ENV
-
 - name: push relay image
 run: |
- docker build -t ghcr.io/$REPO_STR/${{vars.BACKEND_SERVICE}}:${{inputs.version}} -f ./packages/relay/Dockerfile .
- docker push ghcr.io/$REPO_STR/${{vars.BACKEND_SERVICE}}:${{inputs.version}}
+ docker build -t ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.BACKEND_SERVICE }}:${{ inputs.version }} -f ./packages/relay/Dockerfile .
+ docker push ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.BACKEND_SERVICE }}:${{ inputs.version }}
 - name: push frontend image
 run: |
- docker build -t ghcr.io/$REPO_STR/${{vars.FRONTEND_SERVICE}}:${{inputs.version}} -f ./packages/frontend/Dockerfile .
- docker push ghcr.io/$REPO_STR/${{vars.FRONTEND_SERVICE}}:${{inputs.version}}
+ docker build -t ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.FRONTEND_SERVICE }}:${{ inputs.version }} -f ./packages/frontend/Dockerfile .
+ docker push ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.FRONTEND_SERVICE }}:${{ inputs.version }}
 build-relay-frontend:
 if: ${{ inputs.build-services == 'relay-frontend'}}
@@ -108,6 +109,15 @@ jobs:
 - name: Install and build packages
 run: yarn && yarn build
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: 'google-github-actions/auth@v1'
+ with:
+ token_format: access_token
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'
+ access_token_lifetime: 300s
+
 - name: Login Registry
 id: docker-auth
 uses: docker/login-action@v1
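Review bot: `${{ inputs.version }}` is substituted into the `run:` text before bash parses it, so a dispatch value such as `0.0.1; <command>` becomes part of the build/push command line; a `workflow_dispatch` caller needs write access so the exposure is limited, but this is the documented expression-injection pattern and is trivially avoided. Put the value in the step environment, `env: IMAGE_TAG: ${{ inputs.version }}`, and reference it as `:"$IMAGE_TAG"` in both `docker build -t` and `docker push`. The tag also remains a human-chosen, mutable string, so if traceability to a commit matters, push a second `:${{ github.sha }}` tag or record the pushed digest for the deploy workflows to consume.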
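Review bot: `google-github-actions/auth@v1` (like the `docker/login-action@v1` context line below it) is pinned to a floating major tag, so whoever can move that tag controls the code that receives the OIDC token and emits the registry access token. Pin to a full commit SHA with the version in a trailing comment, `uses: google-github-actions/auth@<40-hex-sha> # v1.x.y`, and let Dependabot track updates. This step is also a verbatim copy of the one added to `build-all` above; a composite action would keep the two from drifting, which they already do relative to deploy-frontend.yml's `900s` lifetime.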
@@ -116,18 +126,12 @@ jobs:
 username: oauth2accesstoken
 password: ${{ steps.auth.outputs.access_token }}
- - name: lower case repository
- run: |
- REPO_STR=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
- echo $REPO_STR
- echo "REPO_STR=$REPO_STR" >> $GITHUB_ENV
-
 - name: push relay image
 run: |
- docker build -t ghcr.io/$REPO_STR/${{vars.BACKEND_SERVICE}}:${{inputs.version}} -f ./packages/relay/Dockerfile .
- docker push ghcr.io/$REPO_STR/${{vars.BACKEND_SERVICE}}:${{inputs.version}}
+ docker build -t ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.BACKEND_SERVICE }}:${{ inputs.version }} -f ./packages/relay/Dockerfile .
+ docker push ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.BACKEND_SERVICE }}:${{ inputs.version }}
 - name: push frontend image
 run: |
- docker build -t ghcr.io/$REPO_STR/${{vars.FRONTEND_SERVICE}}:${{inputs.version}} -f ./packages/frontend/Dockerfile .
- docker push ghcr.io/$REPO_STR/${{vars.FRONTEND_SERVICE}}:${{inputs.version}}
+ docker build -t ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.FRONTEND_SERVICE }}:${{ inputs.version }} -f ./packages/frontend/Dockerfile .
+ docker push ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.FRONTEND_SERVICE }}:${{ inputs.version }}
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index c75e62dbd..171b66bbf 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -16,7 +16,7 @@ jobs:
 name: Build and Test
 runs-on: ubuntu-22.04
 container:
- image: ghcr.io/lisooo790926/circom_node_env:0.0.1
+ image: ghcr.io/social-tw/circom_node_env:0.0.1
 credentials:
 username: ${{ github.actor }}
 password: ${{ secrets.CR_PAT }}
diff --git a/.github/workflows/deploy-frontend.yml b/.github/workflows/deploy-frontend.yml
new file mode 100644
index 000000000..09e7f33d3
--- /dev/null
+++ b/.github/workflows/deploy-frontend.yml
@@ -0,0 +1,60 @@
+name: CD-Manual-Frontend-Deploy
+
+on:
+ workflow_dispatch:
+ workflow_call:
+ branches: ['feat_system_cicd_enhancment']
+ inputs:
+ version:
+ description: 'current deploy version'
+ required: true
+ default: '0.0.1'
+
+jobs:
+ frontend:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Production Code
+ uses: 'actions/checkout@v3'
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: 'google-github-actions/auth@v1'
+ with:
+ token_format: access_token
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'
+ access_token_lifetime: 900s
+
+ ## artifact registry auth setup
+ - name: Login to Artifact Registry
+ id: docker-auth
+ uses: docker/login-action@v1
+ with:
+ registry: ${{ vars.GAR_LOCATION }}-docker.pkg.dev
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ vars.FRONTEND_SERVICE }}
+ region: ${{ vars.REGION }}
+ image: ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.FRONTEND_SERVICE }}:${{ inputs.version }}
+ ## set --max-old-space-size=8192 for node.js to increase memory limit
+ env_vars: |
+ ENV=${{ vars.ENV }}
+ STAGE_SERVER=${{ vars.ENV }}_SERVER
+ NODE_OPTIONS=${{ vars.NODE_OPTIONS }}
+
+ - name: Allow public access
+ id: unauthenticated
+ run: gcloud run services add-iam-policy-binding ${{ vars.FRONTEND_SERVICE }} --region=${{ vars.REGION }} --member="allUsers" --role="roles/run.invoker"
+
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
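Review bot: The `version` input is declared without `type:`, which `workflow_call` inputs require, and because the collapsed diff hides indentation I cannot tell whether `inputs:` sits under `workflow_call` or `workflow_dispatch`; if only one trigger carries it, the other produces an empty `inputs.version` and the image reference ends in a bare `:`. Add `type: string` and give both triggers the input, and note that `branches:` is not a recognised key for either trigger, so it restricts nothing — use an environment with protection rules or an `if: github.ref == ...` guard if deploys must come from one branch. The `Login to Artifact Registry` step appears to be dead weight here: `deploy-cloudrun` talks to the Cloud Run API and the service pulls the image server-side, so the 900s token is written into the runner's docker config for nothing; drop the step unless something later needs it. Granting `roles/run.invoker` to `allUsers` is plausibly intended for a frontend, but a one-line comment saying so would stop a reader from treating it as an accident.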
diff --git a/.github/workflows/deploy-relay.yml b/.github/workflows/deploy-relay.yml
new file mode 100644
index 000000000..c9556320f
--- /dev/null
+++ b/.github/workflows/deploy-relay.yml
@@ -0,0 +1,61 @@
+name: CD-Manual-Relay-Deploy
+
+on:
+ workflow_dispatch:
+ workflow_call:
+ branches: ['feat_system_cicd_enhancment']
+ inputs:
+ version:
+ description: 'current deploy version'
+ required: true
+ default: '0.0.1'
+
+jobs:
+ relay:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Production Code
+ uses: 'actions/checkout@v3'
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: 'google-github-actions/auth@v1'
+ with:
+ token_format: access_token
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'
+ access_token_lifetime: 300s
+
+ ## artifact registry auth setup
+ - name: Login to Artifact Registry
+ id: docker-auth
+ uses: docker/login-action@v1
+ with:
+ registry: ${{ vars.GAR_LOCATION }}-docker.pkg.dev
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ vars.BACKEND_SERVICE }}
+ region: ${{ vars.REGION }}
+ image: ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.BACKEND_SERVICE }}:${{ inputs.version }}
+ # add ENV as below
+ env_vars: |
+ TWITTER_CLIENT_ID=${{ secrets.TWITTER_CLIENT_ID }}
+ TWITTER_CLIENT_KEY=${{ secrets.TWITTER_CLIENT_KEY }}
+ CLIENT_URL=${{ vars.CLIENT_URL }}
+ CALLBACK_URL=${{ vars.CALLBACK_URL }}
+
+ - name: Allow public access
+ id: unauthenticated
+ run: gcloud run services add-iam-policy-binding ${{ vars.BACKEND_SERVICE }} --region=${{ vars.REGION }} --member="allUsers" --role="roles/run.invoker"
+
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
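Review bot: `TWITTER_CLIENT_KEY` is passed through `env_vars`, which stores it as a plain environment variable in every Cloud Run revision's configuration, readable by anyone with viewer-level access to the service and visible in the console and `gcloud run services describe`. Keep it in Secret Manager and reference it with the action's `secrets:` input instead — `secrets: |` / `TWITTER_CLIENT_KEY=twitter-client-key:latest` — granting the runtime service account `roles/secretmanager.secretAccessor` on that secret only (recent v0 releases of `deploy-cloudrun` support this; confirm for the pinned one). The `Allow public access` step then opens the relay to `allUsers`; if the frontend is its only intended caller, leaving it private and granting `roles/run.invoker` to the frontend's service account is the tighter design. As in deploy-frontend.yml, the `version` input is missing the `type:` that `workflow_call` requires.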
diff --git a/.github/workflows/main-cd.yml b/.github/workflows/main-cd.yml
index f33878368..c0c58a58c 100644
--- a/.github/workflows/main-cd.yml
+++ b/.github/workflows/main-cd.yml
@@ -2,7 +2,6 @@ name: CD-Main
 run-name: ${{ github.actor }} acitvates the actions 🚀
 on:
- push:
 workflow_dispatch:
 branches: ['feat_system_cicd_enhancment']
 inputs:
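Review bot: Removing `push:` is the right call for a workflow that deploys to production, but the surviving `workflow_dispatch:` / `branches: [...]` pair does not restrict anything — `branches` is not a filter key for `workflow_dispatch`, so the run can still be started from any branch. If deploys must come from one branch, guard the jobs with `if: github.ref == 'refs/heads/feat_system_cicd_enhancment'` or attach them to a protected environment with required reviewers. The `on:` block continues past this hunk.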
@@ -21,107 +20,31 @@ on:
 jobs:
 build:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 uses: ./.github/workflows/build-all.yml
 with:
 build-services: ${{ inputs.build-services }}
 version: ${{ inputs.version }}
- secrets:
- GH_PAT: ${{ secrets.GH_PAT }}
+ secrets: inherit
- backend:
+ relay:
 needs: build
 permissions:
 contents: 'read'
 id-token: 'write'
+ uses: ./.github/workflows/deploy-relay.yml
+ with:
+ version: ${{ inputs.version }}
+ secrets: inherit
- runs-on: ubuntu-latest
- steps:
- - name: Production Code
- uses: 'actions/checkout@v3'
-
- - name: Authenticate to Google Cloud
- id: auth
- uses: 'google-github-actions/auth@v1'
- with:
- token_format: access_token
- workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
- service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'
- access_token_lifetime: 300s
-
- ## artifact registry auth setup
- - name: Login to Artifact Registry
- id: docker-auth
- uses: docker/login-action@v1
- with:
- registry: ${{ vars.GAR_LOCATION }}-docker.pkg.dev
- username: oauth2accesstoken
- password: ${{ steps.auth.outputs.access_token }}
-
- - name: Deploy to Cloud Run
- id: deploy
- uses: google-github-actions/deploy-cloudrun@v0
- with:
- service: ${{ vars.BACKEND_SERVICE }}
- region: ${{ vars.REGION }}
- image: ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.BACKEND_SERVICE }}:${{ github.sha }}
- # add ENV as below
- env_vars: |
- TWITTER_CLIENT_ID=${{ secrets.TWITTER_CLIENT_ID }}
- TWITTER_CLIENT_KEY=${{ secrets.TWITTER_CLIENT_KEY }}
- CLIENT_URL=${{ vars.CLIENT_URL }}
- CALLBACK_URL=${{ vars.CALLBACK_URL }}
-
- - name: Allow public access
- id: unauthenticated
- run: gcloud run services add-iam-policy-binding ${{ vars.BACKEND_SERVICE }} --region=${{ vars.REGION }} --member="allUsers" --role="roles/run.invoker"
-
- - name: Show Output
- run: echo ${{ steps.deploy.outputs.url }}
 frontend:
 needs: build
 permissions:
 contents: 'read'
 id-token: 'write'
-
- runs-on: ubuntu-latest
- steps:
- - name: Production Code
- uses: 'actions/checkout@v3'
-
- - name: Authenticate to Google Cloud
- id: auth
- uses: 'google-github-actions/auth@v1'
- with:
- token_format: access_token
- workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
- service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'
- access_token_lifetime: 900s
-
- ## artifact registry auth setup
- - name: Login to Artifact Registry
- id: docker-auth
- uses: docker/login-action@v1
- with:
- registry: ${{ vars.GAR_LOCATION }}-docker.pkg.dev
- username: oauth2accesstoken
- password: ${{ steps.auth.outputs.access_token }}
-
- - name: Deploy to Cloud Run
- id: deploy
- uses: google-github-actions/deploy-cloudrun@v0
- with:
- service: ${{ vars.FRONTEND_SERVICE }}
- region: ${{ vars.REGION }}
- image: ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ vars.REPOSITORY }}/${{ vars.FRONTEND_SERVICE }}:${{ github.sha }}
- ## set --max-old-space-size=8192 for node.js to increase memory limit
- env_vars: |
- ENV=${{ vars.ENV }}
- STAGE_SERVER=${{ vars.ENV }}_SERVER
- NODE_OPTIONS=${{ vars.NODE_OPTIONS }}
-
- - name: Allow public access
- id: unauthenticated
- run: gcloud run services add-iam-policy-binding ${{ vars.FRONTEND_SERVICE }} --region=${{ vars.REGION }} --member="allUsers" --role="roles/run.invoker"
-
- - name: Show Output
- run: echo ${{ steps.deploy.outputs.url }}
+ uses: ./.github/workflows/deploy-frontend.yml
+ with:
+ version: ${{ inputs.version }}
+ secrets: inherit
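Review bot: `secrets: inherit` on all three calls forwards every repository and organization secret to the reusable workflows, where the previous version passed only `GH_PAT`; with same-repo `./.github/workflows/*.yml` callees the exposure is contained, but an explicit list (`secrets:` / `GH_PAT: ${{ secrets.GH_PAT }}` / `WIF_PROVIDER: ${{ secrets.WIF_PROVIDER }}`, and so on per callee) keeps the set reachable from a compromised step visible and reviewable. The removed deploy steps pinned the image to `:${{ github.sha }}`, whereas the new callees receive `inputs.version`, so a deploy is no longer tied to the commit that ran it — passing `github.sha` (or the pushed digest) alongside the version would restore that. `relay` and `frontend` correctly keep `permissions:` with `id-token: write`, which the callees' WIF step needs.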