Merge pull request #6286 from akatsoulas/default-fitlering #28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build, test and push a Docker image | |
on: | |
push: | |
branches: | |
- main | |
- dev | |
tags: | |
- '*' | |
workflow_dispatch: | |
inputs: | |
ref: | |
description: 'ref to be deployed (e.g. "refs/heads/main", "v1.0.0", "2c0472cf")' | |
type: string | |
required: true | |
default: refs/heads/dev | |
env: | |
APP: sumo | |
APPLICATION_REPOSITORY: mozilla/kitsune | |
IMAGE_NAME: kitsune | |
GAR_LOCATION: us | |
GCP_PROJECT_ID: moz-fx-sumo-prod | |
GAR_REPOSITORY: sumo-prod | |
REF_ID: ${{ github.ref }} | |
jobs: | |
build: | |
permissions: | |
contents: read | |
deployments: write | |
id-token: write | |
runs-on: ubuntu-latest | |
outputs: | |
deployment_env: ${{ env.DEPLOYMENT_ENV }} | |
deployment_realm: ${{ env.DEPLOYMENT_REALM }} | |
image_tag: ${{ env.TAG }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Create version.json | |
run: | | |
# create a version.json per | |
# https://github.com/mozilla-services/Dockerflow/blob/master/docs/version_object.md | |
printf '{"commit":"%s","version":"%s","source":"%s","build":"%s"}\n' \ | |
"$GITHUB_SHA" \ | |
"$GITHUB_REF_NAME" \ | |
"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ | |
"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > version.json | |
- id: checkout_application_repo | |
name: checkout application repo | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
ref: ${{ env.REF_ID }} | |
- id: dev_image_tag | |
name: Set Docker Stag image tag for updates of the DEV branch | |
if: github.ref == 'refs/heads/dev' | |
run: | | |
echo TAG="dev-$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV" | |
# Updates to the main branch are deployed to stage. | |
echo DEPLOYMENT_ENV=dev >> "$GITHUB_ENV" | |
echo DEPLOYMENT_REALM=nonprod >> "$GITHUB_ENV" | |
- id: stage_image_tag | |
name: Set Docker Stag image tag for updates of the main branch | |
if: github.ref == 'refs/heads/main' | |
run: | | |
echo TAG="$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV" | |
# Updates to the main branch are deployed to stage. | |
echo DEPLOYMENT_ENV=stage >> "$GITHUB_ENV" | |
echo DEPLOYMENT_REALM=nonprod >> "$GITHUB_ENV" | |
- id: prod_image_tag | |
name: Set Docker image tag to the git tag for tagged builds | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
echo TAG="$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV" | |
# Version tags are deployed to prod. | |
echo DEPLOYMENT_ENV=prod >> "$GITHUB_ENV" | |
echo DEPLOYMENT_REALM=prod >> "$GITHUB_ENV" | |
- uses: docker/setup-buildx-action@v3 | |
- id: gcp_auth | |
name: GCP authentication | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: access_token | |
service_account: artifact-writer@${{ env.GCP_PROJECT_ID }}.iam.gserviceaccount.com | |
workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }} | |
- id: docker_login | |
name: Log in to the container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev | |
username: oauth2accesstoken | |
password: ${{ steps.gcp_auth.outputs.access_token }} | |
- id: build_and_push | |
name: Build and push image | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
tags: | | |
${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} | |
push: true | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
upload-static-assets: | |
name: upload static assets | |
environment: ${{ needs.build.outputs.deployment_env }} | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- id: gcp_auth | |
name: gcp auth | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: access_token | |
service_account: deploy-${{ needs.build.outputs.deployment_env }}@moz-fx-sumo-${{ needs.build.outputs.deployment_realm }}.iam.gserviceaccount.com | |
workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }} | |
- id: docker_login | |
name: docker login | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev | |
username: oauth2accesstoken | |
password: ${{ steps.gcp_auth.outputs.access_token }} | |
- id: setup-gcloud | |
uses: google-github-actions/setup-gcloud@v2 | |
- id: upload-assets | |
name: upload static assets | |
run: |- | |
TMP_DIR=static-upload | |
TMP_DIR_HASHED=static-upload-hashed | |
docker create --name tmp $GAR_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GAR_REPOSITORY/$IMAGE_NAME:${{ needs.build.outputs.image_tag }} | |
mkdir -p ./$TMP_DIR ./$TMP_DIR_HASHED | |
docker cp tmp:/app/static/. ./$TMP_DIR/ | |
find $TMP_DIR -maxdepth 1 -type f -regextype sed -regex ".*\.[0-9a-f]\{16\}\..*" -exec mv -t $TMP_DIR_HASHED {} + | |
gsutil -m rsync -r ./$TMP_DIR_HASHED/ gs://$APP-${{ needs.build.outputs.deployment_realm }}-${{ needs.build.outputs.deployment_env }}-assets-bucket/static/ | |
gsutil -m rsync -r ./$TMP_DIR/ gs://$APP-${{ needs.build.outputs.deployment_realm }}-${{ needs.build.outputs.deployment_env }}-assets-bucket/static/ | |
docker rm tmp |