CI: Build with Nix. (#137) #113
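# Builds the ndc-postgres Docker images with Nix on every push to main and on
# v* tags, publishes them to us-docker.pkg.dev and ghcr.io, then (main only)
# asks Buildkite to start the staging release pipeline.
#
# NOTE(review): every `uses:` below references a mutable tag. This job holds
# registry write access and deployment secrets, so consider pinning each action
# to a full commit SHA (for example actions/checkout@<full-commit-sha>  # v4)
# and letting a dependency bot propose the bumps.
name: multi-architecture docker build

on:
  push:
    branches:
      - main
    tags:
      - "v*"

jobs:
  build_and_deploy:
    name: build and deploy
    runs-on: ubuntu-latest
    # Token scope is limited to what the steps use:
    #   contents: read   - checkout
    #   id-token: write  - OIDC token exchanged by the Google Cloud auth step
    #   packages: write  - image push to ghcr.io with GITHUB_TOKEN
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      # NOTE(review): checkout leaves the job token in the local git config by
      # default. No later step visible here pushes with git, so
      # `persist-credentials: false` is worth considering.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Nix
        uses: cachix/install-nix-action@v22
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up the Nix Cache
        uses: cachix/cachix-action@v12
        with:
          name: hasura-v3-dev
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

      # Keyless authentication: the job's OIDC token is exchanged through the
      # workload identity provider for a short-lived access token, so no
      # long-lived service-account key is stored in repository secrets.
      - id: gcloud-auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v1
        with:
          token_format: access_token
          service_account: "hasura-ci-docker-writer@hasura-ddn.iam.gserviceaccount.com"
          workload_identity_provider: "projects/1025009031284/locations/global/workloadIdentityPools/hasura-ddn/providers/github"

      - name: Login to Google Container Registry
        uses: "docker/login-action@v3"
        with:
          registry: "us-docker.pkg.dev"
          username: "oauth2accesstoken"
          password: "${{ steps.gcloud-auth.outputs.access_token }}"

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The ref is read from the runner-provided GITHUB_REF variable instead of
      # expanding the github.ref expression into the script. Expressions are
      # substituted into the script text before the shell parses it, and tag
      # names are chosen by whoever pushes them; an environment variable is
      # only ever treated as data.
      - name: Build and deploy Docker images to Google Container Registry
        run: nix run .#publish-docker-image "$GITHUB_REF" 'us-docker.pkg.dev/hasura-ddn/ddn/ndc-postgres'

      - name: Build and deploy Docker images to GitHub Packages
        run: nix run .#publish-docker-image "$GITHUB_REF" 'ghcr.io/hasura/ndc-postgres'

      - name: Deploy to staging
        if: github.ref == 'refs/heads/main'
        env:
          BUILDKITE_AUTH_TOKEN: ${{ secrets.BUILDKITE_AUTH_TOKEN }}
        run: |
          long_sha=$(git rev-parse HEAD)
          short_sha=$(git rev-parse --short=9 HEAD)
          # The closing parenthesis is on its own line so that the heredoc
          # terminator is a bare EOF.
          req_data=$(cat <<EOF
          {
            "commit": "${long_sha}",
            "branch": "main",
            "message": "deploy ndc-postgres config server ${GITHUB_SHA} to staging :rocket:",
            "author": {
              "name": "Hasura Bot",
              "email": "accounts+ci@hasura.io"
            },
            "env": {
              "RELEASE_VERSION": "dev-main-${short_sha}"
            }
          }
          EOF
          )
          # --fail turns an HTTP error response (rejected token, unknown
          # pipeline) into a non-zero exit, so the step fails instead of
          # reporting a deployment that was never triggered.
          curl --fail -X POST "https://api.buildkite.com/v2/organizations/hasura/pipelines/release-ndc-postgres-config-server/builds" \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer ${BUILDKITE_AUTH_TOKEN}" \
            -d "$req_data"

      # scream into Slack if something goes wrong
      # always() keeps this step running after an earlier failure; notify_when
      # restricts the message to failed runs on main.
      - name: Report Status
        if: always() && github.ref == 'refs/heads/main'
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: ${{ job.status }}
          notify_when: failure
          notification_title: "Error on <{repo_url}|{repo}>"
          message_format: "*{workflow}* {status_message} for <{repo_url}|{repo}>"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.BROKEN_BUILD_SLACK_WEBHOOK_URL }}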