Reinstate github repository into deployment database as it was intended #204
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Google Artifact Registry images -> Chart -> Rollout | GitHub Release | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - master | |
| paths-ignore: | |
| - '.github/workflows/codeql-analysis.yml' | |
| - '.github/workflows/test-*.yaml' | |
| - 'actions/testoidc/*' | |
| - 'deploy/testdata/*' | |
| - '*.md' | |
| env: | |
| GOOGLE_REGISTRY: "europe-north1-docker.pkg.dev" | |
| jobs: | |
| build_and_push: | |
| name: Build, push and sign images | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: "read" | |
| id-token: "write" | |
| strategy: | |
| matrix: | |
| component: | |
| - hookd | |
| - deploy | |
| - deployd | |
| - canary-deployer | |
| - deploy-action | |
| include: | |
| - component: hookd | |
| chart: true | |
| - component: deployd | |
| chart: true | |
| steps: | |
| - uses: actions/checkout@v4 # ratchet:exclude | |
| - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # ratchet:azure/setup-helm@v3 | |
| if: matrix.chart | |
| with: | |
| version: "v3.11.1" | |
| - name: "Build and push image" | |
| uses: nais/platform-build-push-sign@main # ratchet:exclude | |
| id: build_push_sign | |
| with: | |
| dockerfile: Dockerfile.${{ matrix.component }} | |
| name: ${{ matrix.component }} | |
| google_service_account: gh-deploy | |
| workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }} | |
| push: ${{ github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/master' }} | |
| - name: "Package chart" | |
| if: matrix.chart | |
| id: package_chart | |
| env: | |
| CHART_PATH: ./charts/${{ matrix.component }} | |
| run: | | |
| base_version="$(yq '.version' < "${{ env.CHART_PATH }}/Chart.yaml")" | |
| chart_version="${base_version}-${{ steps.build_push_sign.outputs.version }}" | |
| yq eval \ | |
| '.version="'"$chart_version"'"' \ | |
| "${{ env.CHART_PATH }}/Chart.yaml" --inplace | |
| yq eval \ | |
| '.image.tag="${{ steps.build_push_sign.outputs.version }}"' \ | |
| "${{ env.CHART_PATH }}/values.yaml" --inplace | |
| # helm dependency update "${{ env.CHART_PATH }}" | |
| helm package "${{ env.CHART_PATH }}" --destination . | |
| name=$(yq '.name' < "${{ env.CHART_PATH }}/Chart.yaml") | |
| echo "${{ matrix.component }}_name=$name" >> $GITHUB_OUTPUT | |
| echo "${{ matrix.component }}_version=$chart_version" >> $GITHUB_OUTPUT | |
| echo "archive=$name-$chart_version.tgz" >> $GITHUB_OUTPUT | |
| - name: "Authenticate to Google Cloud" | |
| if: matrix.chart && github.ref == 'refs/heads/master' | |
| id: "auth" | |
| uses: "google-github-actions/auth@v1" # ratchet:exclude | |
| with: | |
| workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }} | |
| service_account: "gh-deploy@nais-io.iam.gserviceaccount.com" | |
| token_format: "access_token" | |
| - name: "Log in to Google Artifact Registry" | |
| if: matrix.chart && github.ref == 'refs/heads/master' | |
| run: |- | |
| echo '${{ steps.auth.outputs.access_token }}' | docker login -u oauth2accesstoken --password-stdin https://${{ env.GOOGLE_REGISTRY }} | |
| - name: "Push Chart" | |
| if: matrix.chart && github.ref == 'refs/heads/master' | |
| run: |- | |
| chart="${{ steps.package_chart.outputs.archive }}" | |
| echo "Pushing: $chart" | |
| helm push "$chart" oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature | |
| outputs: | |
| hookd_chart_name: ${{ steps.package_chart.outputs.hookd_name }} | |
| hookd_chart_version: ${{ steps.package_chart.outputs.hookd_version }} | |
| deployd_chart_name: ${{ steps.package_chart.outputs.deployd_name }} | |
| deployd_chart_version: ${{ steps.package_chart.outputs.deployd_version }} | |
| rollout: | |
| runs-on: fasit-deploy | |
| if: github.ref == 'refs/heads/master' | |
| permissions: | |
| id-token: write | |
| needs: | |
| - build_and_push | |
| steps: | |
| - name: "Rollout hookd" | |
| uses: nais/fasit-deploy@v2 # ratchet:exclude | |
| with: | |
| chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ needs.build_and_push.outputs.hookd_chart_name }} | |
| version: ${{ needs.build_and_push.outputs.hookd_chart_version }} | |
| - name: "Rollout deployd" | |
| uses: nais/fasit-deploy@v2 # ratchet:exclude | |
| with: | |
| chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ needs.build_and_push.outputs.deployd_chart_name }} | |
| version: ${{ needs.build_and_push.outputs.deployd_chart_version }} | |
| release: | |
| name: Release GitHub Action / binaries | |
| if: github.ref == 'refs/heads/master' | |
| needs: | |
| - build_and_push | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 # ratchet:exclude | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: 'stable' | |
| - name: Force create tag | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| git remote set-url origin "https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" | |
| git tag -f $(cat actions/deploy/version) | |
| git push -f --tags | |
| - name: Create deploy binaries | |
| run: | | |
| make deploy-release-linux | |
| make deploy-release-darwin | |
| make deploy-release-windows | |
| - name: Delete release if exists | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| latest=$(curl https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest) | |
| tag=$(echo $latest | jq .tag_name | xargs) # xargs strips quotes | |
| if grep -q "$tag" actions/deploy/version; then | |
| release_id=$(echo $latest | jq .id) | |
| curl -X DELETE https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@api.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id} | |
| fi | |
| - name: Create Release | |
| id: create_release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| release=$(curl -X POST \ | |
| -d '{"tag_name": "'"$(cat actions/deploy/version)"'"}' \ | |
| -H "Content-Type: application/json" \ | |
| https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@api.github.com/repos/${GITHUB_REPOSITORY}/releases) | |
| echo "release_id=$(echo $release | jq .id)" >> ${GITHUB_OUTPUT} | |
| - name: Upload Linux Asset | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| BINARY: deploy-linux | |
| run: | | |
| curl -X POST \ | |
| -H 'Content-Type: application/x-executable' \ | |
| --data-binary @${BINARY} \ | |
| https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${{ steps.create_release.outputs.release_id }}/assets?name=${BINARY} | |
| - name: Upload Darwin Asset | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| BINARY: deploy-darwin | |
| run: | | |
| curl -X POST \ | |
| -H 'Content-Type: application/x-executable' \ | |
| --data-binary @${BINARY} \ | |
| https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${{ steps.create_release.outputs.release_id }}/assets?name=${BINARY} | |
| - name: Upload Windows Asset | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| BINARY: deploy-windows | |
| run: | | |
| curl -X POST \ | |
| -H 'Content-Type: application/x-executable' \ | |
| --data-binary @${BINARY} \ | |
| https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${{ steps.create_release.outputs.release_id }}/assets?name=${BINARY} |