From 368fc7f8bb9b42a17de07440651cd9256f972a43 Mon Sep 17 00:00:00 2001
From: Kristaps Berzinch
Date: Sun, 3 Mar 2024 12:28:41 -0500
Subject: [PATCH] Fiddling with deployments

---
 .github/workflows/build.yml | 16 +++++++++
 .github/workflows/deploy.yml | 66 ++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 .github/workflows/deploy.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0f23eb848..82cb2b5fe 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -162,6 +162,7 @@ jobs:
 echo '{"github-oauth":{"github.com":"${{ github.token }}"},"http-basic":{"nova.laravel.com":{"username":"${{ secrets.LARAVEL_NOVA_USERNAME }}","password":"${{ secrets.LARAVEL_NOVA_PASSWORD }}"}}}' > auth.json
 - name: Build and push
+ id: build
 uses: docker/build-push-action@v5
 with:
 tags: registry.bcdc.robojackets.net/apiary:latest
@@ -172,3 +173,18 @@ jobs:
 target: ${{ github.ref == 'refs/heads/main' && 'backend-compressed' || 'backend-uncompressed' }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
+
+ outputs:
+ image-digest: ${{ steps.build.outputs.digest }}
+
+ deploy-test:
+ name: Deploy Test
+ needs: [lint, test, docs, docker]
+ uses: ./.github/workflows/deploy.yml
+ if: ${{ github.ref == 'refs/heads/main' }}
+ concurrency:
+ group: deploy-test
+ with:
+ image-ref: ${{ needs.docker.outputs.image-digest }}
+ environment: test
+ precompressed-assets: true
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 000000000..6416b1e98
--- /dev/null
+++ b/.github/workflows/deploy.yml
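Review bot: In the second hunk `deploy-test` passes `needs.docker.outputs.image-digest` as `image-ref`, but that output is `steps.build.outputs.digest`, a bare `sha256:…` digest rather than a pullable reference, and the new `deploy.yml` in this same patch declares `image-ref` as required without reading it anywhere, so nothing catches the mismatch yet. Either expose a full reference from the `docker` job, e.g. an output `image-ref: registry.bcdc.robojackets.net/apiary@${{ steps.build.outputs.digest }}`, or document on the input that a digest is expected; pinning by digest is the right choice, the consumer just needs the repository part. The called workflow requests `id-token: write`, which a reusable workflow can only receive if the calling job grants it, so unless the workflow-level `permissions` of `build.yml` (outside this hunk) already include it, `deploy-test` needs its own `permissions:` block with `id-token: write` and `contents: read`. The first hunk only adds the `id: build` anchor and needs no change; the `docker` job's body starts before both hunks.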
@@ -0,0 +1,66 @@
+name: Deploy
+
+on:
+ workflow_call:
+ inputs:
+ image-ref:
+ required: true
+ type: string
+ environment:
+ required: true
+ type: string
+ precompressed-assets:
+ required: true
+ type: boolean
+ workflow_dispatch:
+ inputs:
+ image-ref:
+ required: true
+ type: string
+ environment:
+ required: true
+ type: environment
+ precompressed-assets:
+ required: true
+ type: boolean
+
+jobs:
+ deploy:
+ name: ${{ inputs.environment }}
+ environment:
+ name: ${{ inputs.environment }}
+ permissions:
+ id-token: write
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Nomad
+ uses: lucasmelin/setup-nomad@v2.0.0
+
+ - name: Get JWT endpoint
+ id: script
+ uses: actions/github-script@v6
+ timeout-minutes: 1
+ with:
+ script: |
+ const token = process.env['ACTIONS_RUNTIME_TOKEN']
+ const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
+ core.setOutput('TOKEN', token.trim())
+ core.setOutput('IDTOKENURL', runtimeUrl.trim())
+
+ - name: Exchange GitHub token for JWT
+ id: jwt
+ run: |
+ IDTOKEN=$(curl -H "Authorization: bearer ${{steps.script.outputs.TOKEN}}" ${{steps.script.outputs.IDTOKENURL}} -H "Accept: application/json; api-version=2.0" -H "Content-Type: application/json" -d "{}" | jq -r '.value')
+ echo $IDTOKEN
+ jwtd() {
+ if [[ -x $(command -v jq) ]]; then
+ jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< "${1}"
+ echo "Signature: $(echo "${1}" | awk -F'.' '{print $3}')"
+ fi
+ }
+ jwtd $IDTOKEN
+ echo "${IDTOKEN}" >> $GITHUB_OUTPUT
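Review bot: The `Exchange GitHub token for JWT` step writes the freshly minted OIDC token into the job log — `echo $IDTOKEN` prints it whole and `jwtd` prints the decoded header and payload plus the raw signature — and the closing `echo "${IDTOKEN}" >> $GITHUB_OUTPUT` has no `name=` prefix, so no step output is usable as `steps.jwt.outputs.*` while the credential stays readable by anyone with access to the run. The runtime token from `Get JWT endpoint` travels the same way: step outputs are not masked, and interpolating `${{steps.script.outputs.TOKEN}}` straight into `run:` puts it into the command text instead of the environment. Mask the token with `::add-mask::` before anything else touches it, pass the request token and URL through `env:`, add `-sSf` to curl and `-e` to jq so an error response fails the step rather than leaving `IDTOKEN=null`, and emit `jwt=${IDTOKEN}`; if claims must be inspected, decode only the payload, never the signature. The bundled `@actions/core` in `actions/github-script` presumably offers `core.getIDToken()`, which would replace both steps and let the documented `ACTIONS_ID_TOKEN_REQUEST_TOKEN`/`ACTIONS_ID_TOKEN_REQUEST_URL` pair stay inside the runner — worth confirming against the v6 bundle. Separately, the request sends no `audience` query parameter, so the `aud` claim is GitHub's default and the Nomad side must have been configured for it (not visible here), and `inputs.image-ref` and `inputs.precompressed-assets` are declared required but never read in this job.
```yaml
      - name: Exchange GitHub token for JWT
        id: jwt
        env:
          REQUEST_TOKEN: ${{ steps.script.outputs.TOKEN }}
          REQUEST_URL: ${{ steps.script.outputs.IDTOKENURL }}
        run: |
          IDTOKEN=$(curl -sSf -H "Authorization: bearer ${REQUEST_TOKEN}" "${REQUEST_URL}" -H "Accept: application/json; api-version=2.0" -H "Content-Type: application/json" -d "{}" | jq -er '.value')
          # Mask first: this is a bearer credential for the target environment and must never reach the log.
          echo "::add-mask::${IDTOKEN}"
          echo "jwt=${IDTOKEN}" >> "$GITHUB_OUTPUT"
```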