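# This is a _local composite GitHub action_ that helps us reuse CI logic across
# different workflows and jobs by referencing this action in a job's step.
#
# > A composite action allows you to combine multiple workflow steps within one
# > action.
#
# This local action can be referenced like this from a job:
#
#   steps:
#     - uses: ./.github/actions/setup-deploy
#       with:
#         provider: gcp
#         GCP_KMS_DECRYPTOR_KEY: ${{ secrets.GCP_KMS_DECRYPTOR_KEY }}
#
# General action configuration reference:
# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#about-yaml-syntax-for-github-actions
#
# Supply-chain note: every third-party action below is referenced by a mutable
# tag (e.g. `@v5`). Pinning each one to a full commit SHA with the tag kept as
# a trailing comment (`uses: owner/action@<COMMIT_SHA>  # vX.Y.Z`) makes the
# step immune to a re-tagged or compromised release; Dependabot can keep the
# SHAs current. The tags are kept here because the correct SHAs are not
# recorded in this file.
#
name: "Setup the deployer script for use to deploy"
description: >-
  Setups the deployer script by loading credentials and installing library
  dependencies and relevant tools needed to interact with encrypted files,
  kubernetes clusters, and container registries. `gcloud` already available in
  the github virtual environment is not re-installed but `helm` is pinned to
  avoid issues of a changing version.

# inputs configuration reference:
# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputs
#
inputs:
  provider:
    description: "Cloud provider a cluster runs on"
    required: true
    default: "gcp"
  GCP_KMS_DECRYPTOR_KEY:
    description: >-
      A Google Cloud Service Account Key with KMS Decryption privileges. This allows
      us to unlock our sops-encrypted secrets required for a deploy.
    # NOTE(review): required for every `provider` value, and the auth step
    # below runs unconditionally, while only the gke plugin step is gated on
    # provider == 'gcp'. Presumably sops decryption always needs this key
    # regardless of provider — confirm against the calling workflows.
    required: true

# runs (for composite actions) configuration reference:
# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-composite-actions
#
# Note that while this section looks almost like the steps of a job in a
# workflow, it is different!
#
runs:
  using: "composite"
  steps:
    - uses: actions/setup-python@v5
      with:
        python-version: "3.9"

    # There will always be a cache hit on the cache key when this composite
    # action is run, as its only done after the "generate-jobs" job has been run
    # which will save a cache.
    - name: Restore pip's install cache
      uses: actions/cache@v3
      with:
        path: ~/.cache/pip
        # key determines if we define or re-use an existing cache or not. Our
        # key ensure we cache within a workflow run and its attempts, but not
        # between workflow runs.
        key: "${{ github.run_id }}"

    - name: Install the deployer
      run: |
        pip install --editable .
        pip list
      shell: bash

    # This action use the github official cache mechanism internally
    - uses: azure/setup-helm@v3
      with:
        # Manually update a pinning of helm to a minor version based on:
        #
        # - it seems to work
        # - to avoid falling behind
        #
        # Related:
        #
        # - helm versions: https://github.com/helm/helm/releases
        #
        # Quoted so YAML never re-types a version-looking value.
        version: "v3.12.0"

    # Manually update a pinning of kubectl to a minor version based on:
    #
    # - the current range of k8s version in our k8s clusters, as of 2023-05-24,
    #   this is k8s 1.22 - 1.25
    # - the expected change in this range, as of 2023-05-24, is to expand to
    #   1.22 - 1.26
    # - the kubectl <-> k8s api-server skew policy of +/- one minor version
    # - the policy of attempting to update our kubectl version here to be +/-
    #   one minor versions of future k8s clusters additions or upgrades, so that
    #   additions or upgrades of k8s clusters aren't unexpectedly held back
    #
    # As an example, we upgraded to kubectl to version 1.24 before we
    # added/upgraded a k8s cluster to version 1.25.
    #
    # Related:
    #
    # - k8s versions: https://kubernetes.io/releases/
    # - Kubectl version skew policy: https://kubernetes.io/releases/version-skew-policy/#kubectl
    # - 2i2c, k8s upgrades tracked: https://github.com/2i2c-org/infrastructure/issues/2293
    # - 2i2c, historical issue: https://github.com/2i2c-org/infrastructure/issues/1271
    #
    - uses: azure/setup-kubectl@v3
      with:
        version: "v1.25.10"

    # This action use the github official cache mechanism internally
    - name: Install sops
      uses: mdgreenwald/mozilla-sops-action@v1.5.0

    # Install pre-requisite for "gcloud container clusters get-credentials"
    # command with a modern k8s client.
    #
    # A manual install step has been needed as they opted to not provide it in
    # the github-runner image. See
    # https://github.com/actions/runner-images/issues/5925#issuecomment-1216417721.
    #
    # Because `shell: bash` is set explicitly, GitHub runs this script with
    # `-eo pipefail`, so a failing download aborts the step instead of feeding
    # an empty or HTML payload into the keyring.
    #
    - name: Install gke-gcloud-auth-plugin
      if: inputs.provider == 'gcp'
      run: |
        # Fetch Google's apt signing key into a dedicated keyring. `apt-key` is
        # deprecated and would add the key to apt's global trust; the keyring
        # path must match the `signed-by=` reference in the source line below
        # so that apt trusts this key for this repository only. `-f` makes
        # curl fail on HTTP errors rather than emit the error page.
        curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
          | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/cloud.google.gpg
        echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
          | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
        sudo apt-get update -y
        sudo apt-get install -y google-cloud-sdk-gke-gcloud-auth-plugin
      shell: bash

    # Authenticates to Google Cloud with a long-lived service account key so
    # that sops can call KMS to decrypt repo secrets. The same action also
    # supports keyless Workload Identity Federation via its
    # `workload_identity_provider` and `service_account` inputs, which removes
    # the need to store a service account key in repository secrets.
    #
    # NOTE(review): this action materialises the credential as a file for later
    # steps; its `cleanup_credentials` input (default true) is expected to
    # remove it at job end — confirm before relying on it in shared runners.
    - name: Setup sops credentials to decrypt repo secrets
      uses: google-github-actions/auth@v2
      with:
        credentials_json: "${{ inputs.GCP_KMS_DECRYPTOR_KEY }}"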