-
Notifications
You must be signed in to change notification settings - Fork 319
chore(ci): Add cloud ci #1429
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
chore(ci): Add cloud ci #1429
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
9e15fd1
wip
brendan-kellam 4d9b37f
Merge branch 'main' into bkellam/upgrade-sentry
brendan-kellam a1b71c3
ci: build prod image with Sentry and publish to ECR
brendan-kellam efade0f
fix(web): enable Sentry tracing and restore client-side Sentry
brendan-kellam ca52435
s
brendan-kellam 9743698
ci: harden the cloud build workflow
brendan-kellam ec42097
ci: run the Prisma drift check on cloud builds
brendan-kellam File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,157 @@ | ||
| # Internal reusable workflow for building a non-OSS ("cloud") Docker image and | ||
| # pushing it to Amazon ECR. | ||
| name: Build Cloud Image | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| environment: | ||
| description: "GitHub Environment supplying the Sentry vars/secrets. Also scopes the OIDC subject used to assume the ECR push role." | ||
| required: true | ||
| type: string | ||
| git_ref: | ||
| description: "Git ref to checkout and build" | ||
| required: true | ||
| type: string | ||
| docker_tags: | ||
| description: "Docker tags configuration for docker/metadata-action" | ||
| required: true | ||
| type: string | ||
| aws_region: | ||
| description: "Region the ECR repository lives in" | ||
| required: false | ||
| type: string | ||
| default: us-west-1 | ||
|
|
||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| environment: ${{ inputs.environment }} | ||
| permissions: | ||
| contents: read | ||
| # Required to request the OIDC token that assumes the AWS role. | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ inputs.git_ref }} | ||
| submodules: "true" | ||
| fetch-depth: 0 | ||
| # Nothing after checkout talks to the remote, so don't leave the token | ||
| # behind in the workspace's .git/config. | ||
| persist-credentials: false | ||
|
|
||
| - name: Resolve build commit SHA | ||
| id: commit | ||
| run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Validate environment configuration | ||
| env: | ||
| ENVIRONMENT: ${{ inputs.environment }} | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| AWS_ECR_ROLE_ARN: ${{ vars.AWS_ECR_ROLE_ARN }} | ||
| NEXT_PUBLIC_SENTRY_ENVIRONMENT: ${{ vars.NEXT_PUBLIC_SENTRY_ENVIRONMENT }} | ||
| NEXT_PUBLIC_SENTRY_WEBAPP_DSN: ${{ vars.NEXT_PUBLIC_SENTRY_WEBAPP_DSN }} | ||
| NEXT_PUBLIC_SENTRY_BACKEND_DSN: ${{ vars.NEXT_PUBLIC_SENTRY_BACKEND_DSN }} | ||
| SENTRY_ORG: ${{ vars.SENTRY_ORG }} | ||
| SENTRY_WEBAPP_PROJECT: ${{ vars.SENTRY_WEBAPP_PROJECT }} | ||
| SENTRY_BACKEND_PROJECT: ${{ vars.SENTRY_BACKEND_PROJECT }} | ||
| run: | | ||
| missing=0 | ||
| for name in SENTRY_AUTH_TOKEN AWS_ECR_ROLE_ARN \ | ||
| NEXT_PUBLIC_SENTRY_ENVIRONMENT \ | ||
| NEXT_PUBLIC_SENTRY_WEBAPP_DSN \ | ||
| NEXT_PUBLIC_SENTRY_BACKEND_DSN \ | ||
| SENTRY_ORG SENTRY_WEBAPP_PROJECT SENTRY_BACKEND_PROJECT; do | ||
| if [ -z "${!name}" ]; then | ||
| echo "::error::${name} is not set on the '${ENVIRONMENT}' environment (or the repository)." | ||
| missing=1 | ||
| else | ||
| echo "ok: ${name}" | ||
| fi | ||
| done | ||
| if [ "$missing" -ne 0 ]; then | ||
| echo "::error::Refusing to build: the image would ship without Sentry wiring." | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Check Prisma migrations | ||
| uses: ./.github/actions/check-prisma-migrations | ||
|
|
||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| role-to-assume: ${{ vars.AWS_ECR_ROLE_ARN }} | ||
| aws-region: ${{ inputs.aws_region }} | ||
|
|
||
| - name: Login to Amazon ECR | ||
| id: ecr | ||
| uses: aws-actions/amazon-ecr-login@v2 | ||
|
|
||
| # Each environment publishes to its own registry (see CicdStack), so a | ||
| # staging build can never overwrite a prod tag. | ||
| - name: Extract Docker metadata | ||
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: ${{ steps.ecr.outputs.registry }}/sourcebot-${{ inputs.environment }} | ||
| tags: ${{ inputs.docker_tags }} | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Build and push Docker image | ||
|
brendan-kellam marked this conversation as resolved.
|
||
| uses: docker/build-push-action@v7 | ||
| with: | ||
| context: . | ||
| platforms: linux/amd64 | ||
| push: true | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| # SENTRY_RELEASE is the commit SHA rather than SOURCEBOT_VERSION so that | ||
| # every prod build gets a distinct release (prod tracks `main`, where the | ||
| # version only moves on a tagged release). packages/backend/src/instrument.ts | ||
| # reports NEXT_PUBLIC_BUILD_COMMIT_SHA as its release to match; the webapp | ||
| # gets SENTRY_RELEASE injected into its bundle by withSentryConfig. | ||
| build-args: | | ||
| NEXT_PUBLIC_BUILD_COMMIT_SHA=${{ steps.commit.outputs.sha }} | ||
| NEXT_PUBLIC_SENTRY_ENVIRONMENT=${{ vars.NEXT_PUBLIC_SENTRY_ENVIRONMENT }} | ||
| NEXT_PUBLIC_SENTRY_WEBAPP_DSN=${{ vars.NEXT_PUBLIC_SENTRY_WEBAPP_DSN }} | ||
| NEXT_PUBLIC_SENTRY_BACKEND_DSN=${{ vars.NEXT_PUBLIC_SENTRY_BACKEND_DSN }} | ||
| NEXT_PUBLIC_LANGFUSE_PUBLIC_KEY=${{ vars.NEXT_PUBLIC_LANGFUSE_PUBLIC_KEY }} | ||
| NEXT_PUBLIC_LANGFUSE_BASE_URL=${{ vars.NEXT_PUBLIC_LANGFUSE_BASE_URL }} | ||
| SENTRY_ORG=${{ vars.SENTRY_ORG }} | ||
| SENTRY_WEBAPP_PROJECT=${{ vars.SENTRY_WEBAPP_PROJECT }} | ||
| SENTRY_BACKEND_PROJECT=${{ vars.SENTRY_BACKEND_PROJECT }} | ||
| SENTRY_RELEASE=${{ steps.commit.outputs.sha }} | ||
| # Passed as a secret, not a build-arg: build args are recorded in layer | ||
| # metadata that `mode=max` exports to the cache. @see: Dockerfile | ||
| secrets: | | ||
| sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| # Cache scope is per-environment, and distinct from the OSS build's | ||
| # (which is keyed on platform alone). Sharing a scope would let a build | ||
| # that never sees SENTRY_AUTH_TOKEN restore layers from one that did. | ||
| cache-from: type=gha,scope=cloud-${{ inputs.environment }}-amd64 | ||
| cache-to: type=gha,mode=max,scope=cloud-${{ inputs.environment }}-amd64 | ||
|
|
||
| - name: Summarize | ||
| env: | ||
| ENVIRONMENT: ${{ inputs.environment }} | ||
| COMMIT_SHA: ${{ steps.commit.outputs.sha }} | ||
| TAGS: ${{ steps.meta.outputs.tags }} | ||
| run: | | ||
| { | ||
| echo "### Pushed to ECR" | ||
| echo | ||
| echo "| | |" | ||
| echo "|---|---|" | ||
| echo "| Environment | \`${ENVIRONMENT}\` |" | ||
| echo "| Commit | \`${COMMIT_SHA}\` |" | ||
| echo "| Sentry release | \`${COMMIT_SHA}\` |" | ||
| echo | ||
| echo '```' | ||
| echo "$TAGS" | ||
| echo '```' | ||
| } >> "$GITHUB_STEP_SUMMARY" | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| name: Release Sourcebot (Cloud - Production) | ||
|
|
||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["main"] | ||
| tags: ["v*.*.*"] | ||
| workflow_dispatch: | ||
|
|
||
| concurrency: | ||
| group: release-cloud-prod-${{ github.ref }} | ||
| cancel-in-progress: false | ||
|
brendan-kellam marked this conversation as resolved.
|
||
|
|
||
| jobs: | ||
| build: | ||
| uses: ./.github/workflows/_build-cloud.yml | ||
| with: | ||
| environment: prod | ||
| git_ref: ${{ github.ref }} | ||
| docker_tags: | | ||
| type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }} | ||
| type=sha,format=long,enable=${{ github.ref == 'refs/heads/main' }} | ||
| type=semver,pattern=v{{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} | ||
| type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }} | ||
| secrets: inherit | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.