ref(workflows): align workflows with `zfnd` standards (#42)
* ref(workflows): align workflows with `zfnd` standards * imp(workflows): only build and push images once a PR is ready for review
This commit is contained in:
parent
2dbab2bd3f
commit
548a62476d
|
@ -2,10 +2,10 @@ name: Deploy to dev
|
||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request:
|
pull_request:
|
||||||
types: [opened, synchronize, reopened, labeled]
|
types: [ready_for_review, synchronize]
|
||||||
paths:
|
paths:
|
||||||
- coredns/Corefile
|
- '**/Corefile'
|
||||||
- docker/Dockerfile
|
- '**/Dockerfile'
|
||||||
- .github/workflows/cd-deploy-to-dev.yml
|
- .github/workflows/cd-deploy-to-dev.yml
|
||||||
- .github/workflows/sub-cloudrun-deploy.yml
|
- .github/workflows/sub-cloudrun-deploy.yml
|
||||||
|
|
||||||
|
@ -16,6 +16,22 @@ concurrency:
|
||||||
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
||||||
cancel-in-progress: true
|
cancel-in-progress: true
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
actions: read
|
||||||
|
attestations: read
|
||||||
|
checks: read
|
||||||
|
contents: read
|
||||||
|
deployments: read
|
||||||
|
id-token: write
|
||||||
|
issues: read
|
||||||
|
discussions: read
|
||||||
|
packages: read
|
||||||
|
pages: read
|
||||||
|
pull-requests: read
|
||||||
|
repository-projects: read
|
||||||
|
security-events: read
|
||||||
|
statuses: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
# TODO: Add a job to run unit tests
|
# TODO: Add a job to run unit tests
|
||||||
# test:
|
# test:
|
||||||
|
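Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job in the file, although only the jobs that call the reusable build/deploy workflows and authenticate to GCP through WIF need to mint an OIDC token, and the caller's permissions are the ceiling passed into those reusable workflows. Move `id-token: write` (together with `contents: read`) into a job-level `permissions:` on the `build` and deploy jobs and keep the workflow default minimal, e.g. `permissions:` / `  contents: read`. The remaining read scopes (`attestations`, `pages`, `repository-projects`, `discussions`, `deployments`, …) do not appear to be used by anything in these workflows and can be dropped. The same block is added in the hunks at L192 and L403.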
@ -23,6 +39,7 @@ jobs:
|
||||||
|
|
||||||
build:
|
build:
|
||||||
uses: ./.github/workflows/sub-build-docker-image.yml
|
uses: ./.github/workflows/sub-build-docker-image.yml
|
||||||
|
if: ${{ !github.event.pull_request.draft }}
|
||||||
with:
|
with:
|
||||||
environment: dev
|
environment: dev
|
||||||
dockerfile_path: ./docker/Dockerfile
|
dockerfile_path: ./docker/Dockerfile
|
||||||
|
|
|
@ -12,12 +12,23 @@ concurrency:
|
||||||
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
||||||
cancel-in-progress: true
|
cancel-in-progress: true
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
actions: read
|
||||||
|
attestations: read
|
||||||
|
checks: read
|
||||||
|
contents: read
|
||||||
|
deployments: read
|
||||||
|
id-token: write
|
||||||
|
issues: read
|
||||||
|
discussions: read
|
||||||
|
packages: read
|
||||||
|
pages: read
|
||||||
|
pull-requests: read
|
||||||
|
repository-projects: read
|
||||||
|
security-events: read
|
||||||
|
statuses: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
# TODO: Add a job to run unit tests
|
|
||||||
# test:
|
|
||||||
# uses: ./.github/workflows/sub-unit-tests.yml
|
|
||||||
|
|
||||||
|
|
||||||
build:
|
build:
|
||||||
# needs: [test]
|
# needs: [test]
|
||||||
uses: ./.github/workflows/sub-build-docker-image.yml
|
uses: ./.github/workflows/sub-build-docker-image.yml
|
||||||
|
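Review bot: The commented-out `# test:` placeholder and its `# uses: ./.github/workflows/sub-unit-tests.yml` line are removed here, but `# needs: [test]` is kept under `build:` (L301), so the leftover now points at nothing. Either drop that line as well, or keep the `# TODO: Add a job to run unit tests` / `# test:` stub as the dev and test workflows in this same commit do (L143–L150, L487–L494), so the three deploy workflows stay consistent.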
@ -40,7 +51,7 @@ jobs:
|
||||||
registry: ${{ vars.GAR_BASE }}
|
registry: ${{ vars.GAR_BASE }}
|
||||||
image_digest: ${{ needs.build.outputs.image_digest }}
|
image_digest: ${{ needs.build.outputs.image_digest }}
|
||||||
min_instances: '1'
|
min_instances: '1'
|
||||||
max_instances: '100'
|
max_instances: '10'
|
||||||
cpu: '1'
|
cpu: '1'
|
||||||
memory: 1Gi
|
memory: 1Gi
|
||||||
secrets: inherit
|
secrets: inherit
|
||||||
|
|
|
@ -3,10 +3,10 @@ name: Deploy to test
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- master
|
- main
|
||||||
paths:
|
paths:
|
||||||
- coredns/Corefile
|
- '**/Corefile'
|
||||||
- docker/Dockerfile
|
- '**/Dockerfile'
|
||||||
- .github/workflows/cd-deploy-to-test.yml
|
- .github/workflows/cd-deploy-to-test.yml
|
||||||
- .github/workflows/sub-cloudrun-deploy.yml
|
- .github/workflows/sub-cloudrun-deploy.yml
|
||||||
|
|
||||||
|
@ -17,6 +17,22 @@ concurrency:
|
||||||
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
||||||
cancel-in-progress: true
|
cancel-in-progress: true
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
actions: read
|
||||||
|
attestations: read
|
||||||
|
checks: read
|
||||||
|
contents: read
|
||||||
|
deployments: read
|
||||||
|
id-token: write
|
||||||
|
issues: read
|
||||||
|
discussions: read
|
||||||
|
packages: read
|
||||||
|
pages: read
|
||||||
|
pull-requests: read
|
||||||
|
repository-projects: read
|
||||||
|
security-events: read
|
||||||
|
statuses: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
# TODO: Add a job to run unit tests
|
# TODO: Add a job to run unit tests
|
||||||
# test:
|
# test:
|
||||||
|
|
|
@ -4,30 +4,32 @@ on:
|
||||||
delete:
|
delete:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches:
|
branches:
|
||||||
- master
|
- main
|
||||||
types:
|
types:
|
||||||
- closed
|
- closed
|
||||||
|
|
||||||
|
permissions: read-all
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
delete:
|
delete:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: 'read'
|
||||||
id-token: write
|
id-token: 'write'
|
||||||
steps:
|
steps:
|
||||||
- name: Inject slug/short variables
|
- name: Inject slug/short variables
|
||||||
uses: rlespinasse/github-slug-action@v4.5.0
|
uses: rlespinasse/github-slug-action@v4.5.0
|
||||||
|
|
||||||
- name: Authenticate to Google Cloud
|
- name: Authenticate to Google Cloud
|
||||||
id: auth
|
id: auth
|
||||||
uses: google-github-actions/auth@v2.1.2
|
uses: google-github-actions/auth@v2.1.3
|
||||||
with:
|
with:
|
||||||
workload_identity_provider: '${{ vars.GCP_WIF }}'
|
workload_identity_provider: '${{ vars.GCP_WIF }}'
|
||||||
service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
|
project_id: '${{ vars.GCP_PROJECT }}'
|
||||||
|
|
||||||
- name: Set up Cloud SDK
|
- name: Set up Cloud SDK
|
||||||
uses: google-github-actions/setup-gcloud@v1.1.1
|
uses: google-github-actions/setup-gcloud@v2.1.0
|
||||||
|
|
||||||
- name: Removing CR service
|
- name: Removing CR service
|
||||||
run: |
|
run: |
|
||||||
gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GOOGLE_CLOUD_REGION }} --quiet
|
gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GCP_REGION }} --quiet
|
||||||
|
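Review bot: On the `delete:` trigger (context at L503) the fallback `env.GITHUB_REF_SLUG` in the `gcloud run services delete` command at L649 is derived from `GITHUB_REF`, which for that event is, as far as I can tell, the repository's default branch rather than the deleted ref, so the job would target the default-branch slug instead of the deleted branch's service; the deleted branch name is carried in `github.event.ref`. The line predates this commit (only the region variable changed), but it is the one being touched. Consider also passing the interpolated values through an `env:` map and referencing them as shell variables, rather than expanding `${{ }}` inside `run:`, so expression expansion stays out of the shell text. The job-level `permissions:` here quotes `'read'`/`'write'` while the other workflows in this commit leave them plain; both parse the same, but pick one style.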
|
|
@ -4,10 +4,12 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [main]
|
branches: [main]
|
||||||
paths-ignore:
|
paths-ignore:
|
||||||
- coredns/Corefile
|
- '**/Corefile'
|
||||||
- docker/Dockerfile
|
- '**/Dockerfile'
|
||||||
- .github/workflows/ci-lint-codebase.yml
|
- .github/workflows/ci-lint-codebase.yml
|
||||||
|
|
||||||
|
permissions: read-all
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
linter:
|
linter:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
|
@ -4,18 +4,15 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [main]
|
branches: [main]
|
||||||
paths:
|
paths:
|
||||||
- '**.js*'
|
- '**/Corefile'
|
||||||
- '**.ts*'
|
- '**/Dockerfile'
|
||||||
- Dockerfile
|
|
||||||
- package.json
|
|
||||||
- pnpm-lock.yaml
|
|
||||||
- .github/workflows/ci-lint-codebase.yml
|
- .github/workflows/ci-lint-codebase.yml
|
||||||
|
|
||||||
push:
|
push:
|
||||||
branches: [main]
|
branches: [main]
|
||||||
paths:
|
paths:
|
||||||
- coredns/Corefile
|
- '**/Corefile'
|
||||||
- docker/Dockerfile
|
- '**/Dockerfile'
|
||||||
- .github/workflows/ci-lint-codebase.yml
|
- .github/workflows/ci-lint-codebase.yml
|
||||||
|
|
||||||
concurrency:
|
concurrency:
|
||||||
|
@ -25,6 +22,8 @@ concurrency:
|
||||||
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
|
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
|
||||||
cancel-in-progress: true
|
cancel-in-progress: true
|
||||||
|
|
||||||
|
permissions: read-all
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
linter:
|
linter:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
@ -37,7 +36,7 @@ jobs:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|
||||||
- name: Lint Code Base
|
- name: Lint Code Base
|
||||||
uses: super-linter/super-linter/slim@v5.2.1
|
uses: super-linter/super-linter/slim@v6.7.0
|
||||||
env:
|
env:
|
||||||
LOG_LEVEL: ERROR
|
LOG_LEVEL: ERROR
|
||||||
VALIDATE_ALL_CODEBASE: false
|
VALIDATE_ALL_CODEBASE: false
|
||||||
|
@ -46,9 +45,9 @@ jobs:
|
||||||
VALIDATE_CSS: false
|
VALIDATE_CSS: false
|
||||||
VALIDATE_EDITORCONFIG: false
|
VALIDATE_EDITORCONFIG: false
|
||||||
VALIDATE_MARKDOWN: false
|
VALIDATE_MARKDOWN: false
|
||||||
|
VALIDATE_JAVASCRIPT_ES: false
|
||||||
|
VALIDATE_JAVASCRIPT_STANDARD: false
|
||||||
VALIDATE_DOCKERFILE_HADOLINT: false
|
VALIDATE_DOCKERFILE_HADOLINT: false
|
||||||
LINTER_RULES_PATH: /
|
LINTER_RULES_PATH: /
|
||||||
JAVASCRIPT_DEFAULT_STYLE: prettier
|
|
||||||
TYPESCRIPT_DEFAULT_STYLE: prettier
|
|
||||||
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
|
@ -23,6 +23,8 @@ on:
|
||||||
description: The image digest to be used on a caller workflow
|
description: The image digest to be used on a caller workflow
|
||||||
value: ${{ jobs.build.outputs.image_digest }}
|
value: ${{ jobs.build.outputs.image_digest }}
|
||||||
|
|
||||||
|
permissions: read-all
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
name: Build images
|
name: Build images
|
||||||
|
@ -46,7 +48,7 @@ jobs:
|
||||||
# Automatic tag management and OCI Image Format Specification for labels
|
# Automatic tag management and OCI Image Format Specification for labels
|
||||||
- name: Docker meta
|
- name: Docker meta
|
||||||
id: meta
|
id: meta
|
||||||
uses: docker/metadata-action@v5.5.0
|
uses: docker/metadata-action@v5.5.1
|
||||||
with:
|
with:
|
||||||
# list of Docker images to use as base name for tags
|
# list of Docker images to use as base name for tags
|
||||||
images: |
|
images: |
|
||||||
|
@ -68,11 +70,11 @@ jobs:
|
||||||
# Setup Docker Buildx to allow use of docker cache layers from GH
|
# Setup Docker Buildx to allow use of docker cache layers from GH
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
id: buildx
|
id: buildx
|
||||||
uses: docker/setup-buildx-action@v3.0.0
|
uses: docker/setup-buildx-action@v3.4.0
|
||||||
|
|
||||||
- name: Authenticate to Google Cloud
|
- name: Authenticate to Google Cloud
|
||||||
id: auth
|
id: auth
|
||||||
uses: google-github-actions/auth@v2.1.2
|
uses: google-github-actions/auth@v2.1.3
|
||||||
with:
|
with:
|
||||||
workload_identity_provider: '${{ vars.GCP_WIF }}'
|
workload_identity_provider: '${{ vars.GCP_WIF }}'
|
||||||
service_account: '${{ vars.GCP_ARTIFACTS_SA }}'
|
service_account: '${{ vars.GCP_ARTIFACTS_SA }}'
|
||||||
|
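Review bot: The bumped action references in this hunk (`docker/setup-buildx-action@v3.4.0`, `google-github-actions/auth@v2.1.3`) and in the hunks at L1071 and L1108 are still mutable tags; this job mints an OIDC token and pushes images with it, so a moved or compromised tag would run with that credential. Pin third-party actions to a full commit SHA and keep the version as a trailing comment, e.g. `uses: google-github-actions/auth@<full-commit-sha>  # v2.1.3`, and let the dependency bot maintain both; the same applies to the action bumps in the other workflow sections of this commit. Separately, the workflow-level `permissions: read-all` added at L953 appears to keep the OIDC step working only if the `build` job sets `id-token: write` at job level; the job header at L964 sits at the hunk edge, so that cannot be confirmed from here.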
@ -83,7 +85,7 @@ jobs:
|
||||||
access_token_lifetime: 10800s
|
access_token_lifetime: 10800s
|
||||||
|
|
||||||
- name: Login to Google Artifact Registry
|
- name: Login to Google Artifact Registry
|
||||||
uses: docker/login-action@v3.0.0
|
uses: docker/login-action@v3.2.0
|
||||||
with:
|
with:
|
||||||
registry: us-docker.pkg.dev
|
registry: us-docker.pkg.dev
|
||||||
username: oauth2accesstoken
|
username: oauth2accesstoken
|
||||||
|
@ -92,7 +94,7 @@ jobs:
|
||||||
# Build and push image to Google Artifact Registry, and possibly DockerHub
|
# Build and push image to Google Artifact Registry, and possibly DockerHub
|
||||||
- name: Build & push
|
- name: Build & push
|
||||||
id: docker_build
|
id: docker_build
|
||||||
uses: docker/build-push-action@v5.1.0
|
uses: docker/build-push-action@v6.3.0
|
||||||
with:
|
with:
|
||||||
target: ${{ inputs.dockerfile_target }}
|
target: ${{ inputs.dockerfile_target }}
|
||||||
context: .
|
context: .
|
||||||
|
|
|
@ -14,7 +14,7 @@ on:
|
||||||
type: string
|
type: string
|
||||||
description: The image digest to deploy
|
description: The image digest to deploy
|
||||||
project_id:
|
project_id:
|
||||||
required: true
|
required: false
|
||||||
type: string
|
type: string
|
||||||
description: The project to deploy to
|
description: The project to deploy to
|
||||||
region:
|
region:
|
||||||
|
@ -42,6 +42,8 @@ on:
|
||||||
type: string
|
type: string
|
||||||
description: The amount of memory to use for the service
|
description: The amount of memory to use for the service
|
||||||
|
|
||||||
|
permissions: read-all
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
versioning:
|
versioning:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
@ -75,19 +77,23 @@ jobs:
|
||||||
- name: Inject slug/short variables
|
- name: Inject slug/short variables
|
||||||
uses: rlespinasse/github-slug-action@v4.5.0
|
uses: rlespinasse/github-slug-action@v4.5.0
|
||||||
|
|
||||||
|
- uses: actions/checkout@v4.1.7
|
||||||
|
with:
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Authenticate to Google Cloud
|
- name: Authenticate to Google Cloud
|
||||||
id: auth
|
id: auth
|
||||||
uses: google-github-actions/auth@v2.1.2
|
uses: google-github-actions/auth@v2.1.3
|
||||||
with:
|
with:
|
||||||
workload_identity_provider: '${{ vars.GCP_WIF }}'
|
workload_identity_provider: '${{ vars.GCP_WIF }}'
|
||||||
service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
|
project_id: '${{ vars.GCP_PROJECT }}'
|
||||||
|
|
||||||
- name: Set up Cloud SDK
|
- name: Set up Cloud SDK
|
||||||
uses: google-github-actions/setup-gcloud@v2.1.0
|
uses: google-github-actions/setup-gcloud@v2.1.0
|
||||||
|
|
||||||
- name: Deploy to cloud run
|
- name: Deploy to cloud run
|
||||||
id: deploy
|
id: deploy
|
||||||
uses: google-github-actions/deploy-cloudrun@v2.2.0
|
uses: google-github-actions/deploy-cloudrun@v2.6.0
|
||||||
with:
|
with:
|
||||||
service: ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }}
|
service: ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }}
|
||||||
image: ${{ inputs.registry }}/${{ inputs.app_name }}@${{ inputs.image_digest }}
|
image: ${{ inputs.registry }}/${{ inputs.app_name }}@${{ inputs.image_digest }}
|
||||||
|
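Review bot: The auth step at L1283–L1285 drops `service_account` and passes only `project_id`, which with google-github-actions/auth v2 presumably switches from service-account impersonation to direct Workload Identity Federation; the federated principal itself then needs the Cloud Run deploy bindings, otherwise auth succeeds but `deploy-cloudrun` at L1316 fails with a permission error. Worth confirming the pool is set up for that mode, since the same swap is made in the delete workflow at L618. In the same file the `project_id` input is relaxed to `required: false` at L1169 while this step now reads `vars.GCP_PROJECT` instead; if nothing outside these hunks consumes `inputs.project_id` it is dead and should be removed, otherwise state the precedence between the two in the input's `description`.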
@ -101,10 +107,11 @@ jobs:
|
||||||
--cpu=${{ inputs.cpu }}
|
--cpu=${{ inputs.cpu }}
|
||||||
--memory=${{ inputs.memory }}
|
--memory=${{ inputs.memory }}
|
||||||
--port=53
|
--port=53
|
||||||
--network=projects/zfnd-dev-net-spoke-0/global/networks/dev-spoke-0
|
--network=${{ vars.GCP_NETWORK }}
|
||||||
--subnet=projects/zfnd-dev-net-spoke-0/regions/us-east1/subnetworks/dev-default-ue1
|
--subnet=${{ vars.GCP_SUBNETWORK }}
|
||||||
|
|
||||||
- name: Allow unauthenticated calls to the service
|
- name: Allow unauthenticated calls to the service
|
||||||
|
if: ${{ inputs.environment != 'prod' }}
|
||||||
run: |
|
run: |
|
||||||
gcloud run services add-iam-policy-binding ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} \
|
gcloud run services add-iam-policy-binding ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} \
|
||||||
--region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet
|
--region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet
|
||||||
|
|