ref(workflows): align workflows with `zfnd` standards (#42)

* ref(workflows): align workflows with `zfnd` standards

* imp(workflows): only build and push images if a PR is ready for review
This commit is contained in:
Gustavo Valverde 2024-07-29 18:11:10 +01:00 committed by GitHub
parent 2dbab2bd3f
commit 548a62476d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 98 additions and 42 deletions


@ -2,10 +2,10 @@ name: Deploy to dev
on: on:
pull_request: pull_request:
types: [opened, synchronize, reopened, labeled] types: [ready_for_review, synchronize]
paths: paths:
- coredns/Corefile - '**/Corefile'
- docker/Dockerfile - '**/Dockerfile'
- .github/workflows/cd-deploy-to-dev.yml - .github/workflows/cd-deploy-to-dev.yml
- .github/workflows/sub-cloudrun-deploy.yml - .github/workflows/sub-cloudrun-deploy.yml
@ -16,6 +16,22 @@ concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
permissions:
actions: read
attestations: read
checks: read
contents: read
deployments: read
id-token: write
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: read
statuses: read
jobs: jobs:
# TODO: Add a job to run unit tests # TODO: Add a job to run unit tests
# test: # test:
@ -23,6 +39,7 @@ jobs:
build: build:
uses: ./.github/workflows/sub-build-docker-image.yml uses: ./.github/workflows/sub-build-docker-image.yml
if: ${{ !github.event.pull_request.draft }}
with: with:
environment: dev environment: dev
dockerfile_path: ./docker/Dockerfile dockerfile_path: ./docker/Dockerfile
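Review bot: Dropping `opened` from `types: [ready_for_review, synchronize]` means a pull request that is opened directly as non-draft never triggers this workflow, because `ready_for_review` only fires when a draft is converted; such a PR is not built until its next push. The new `if: ${{ !github.event.pull_request.draft }}` on the `build` job already excludes drafts, so `opened` can be restored safely: `types: [opened, ready_for_review, synchronize]`. The `build` job's remaining inputs and the deploy job are outside this hunk; if deploy does not `needs: [build]`, it would also need the same draft guard.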


@ -12,12 +12,23 @@ concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
permissions:
actions: read
attestations: read
checks: read
contents: read
deployments: read
id-token: write
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: read
statuses: read
jobs: jobs:
# TODO: Add a job to run unit tests
# test:
# uses: ./.github/workflows/sub-unit-tests.yml
build: build:
# needs: [test] # needs: [test]
uses: ./.github/workflows/sub-build-docker-image.yml uses: ./.github/workflows/sub-build-docker-image.yml
@ -40,7 +51,7 @@ jobs:
registry: ${{ vars.GAR_BASE }} registry: ${{ vars.GAR_BASE }}
image_digest: ${{ needs.build.outputs.image_digest }} image_digest: ${{ needs.build.outputs.image_digest }}
min_instances: '1' min_instances: '1'
max_instances: '100' max_instances: '10'
cpu: '1' cpu: '1'
memory: 1Gi memory: 1Gi
secrets: inherit secrets: inherit
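Review bot: The new workflow-level `permissions` block grants `id-token: write` to every job in this file (including the commented-out `test` job), and lists read scopes — `attestations`, `checks`, `deployments`, `issues`, `discussions`, `pages`, `repository-projects`, `security-events`, `statuses` — that no visible step uses. Since a job that calls a reusable workflow may declare its own `permissions`, the least-privilege form is to keep the workflow level at `permissions: contents: read` and put `id-token: write` (plus `contents: read`) on the `build` and deploy jobs only, which also bounds what the reusable workflows can request. The identical block is added in the "Deploy to dev" and "Deploy to test" sections and should be trimmed the same way. This section appears to be the prod deploy (the `max_instances` change), which makes the narrower grant especially worthwhile.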


@ -3,10 +3,10 @@ name: Deploy to test
on: on:
push: push:
branches: branches:
- master - main
paths: paths:
- coredns/Corefile - '**/Corefile'
- docker/Dockerfile - '**/Dockerfile'
- .github/workflows/cd-deploy-to-test.yml - .github/workflows/cd-deploy-to-test.yml
- .github/workflows/sub-cloudrun-deploy.yml - .github/workflows/sub-cloudrun-deploy.yml
@ -17,6 +17,22 @@ concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
permissions:
actions: read
attestations: read
checks: read
contents: read
deployments: read
id-token: write
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: read
statuses: read
jobs: jobs:
# TODO: Add a job to run unit tests # TODO: Add a job to run unit tests
# test: # test:


@ -4,30 +4,32 @@ on:
delete: delete:
pull_request: pull_request:
branches: branches:
- master - main
types: types:
- closed - closed
permissions: read-all
jobs: jobs:
delete: delete:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: 'read'
id-token: write id-token: 'write'
steps: steps:
- name: Inject slug/short variables - name: Inject slug/short variables
uses: rlespinasse/github-slug-action@v4.5.0 uses: rlespinasse/github-slug-action@v4.5.0
- name: Authenticate to Google Cloud - name: Authenticate to Google Cloud
id: auth id: auth
uses: google-github-actions/auth@v2.1.2 uses: google-github-actions/auth@v2.1.3
with: with:
workload_identity_provider: '${{ vars.GCP_WIF }}' workload_identity_provider: '${{ vars.GCP_WIF }}'
service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}' project_id: '${{ vars.GCP_PROJECT }}'
- name: Set up Cloud SDK - name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1.1.1 uses: google-github-actions/setup-gcloud@v2.1.0
- name: Removing CR service - name: Removing CR service
run: | run: |
gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GOOGLE_CLOUD_REGION }} --quiet gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GCP_REGION }} --quiet
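Review bot: The bumped actions are still pinned to mutable tags (`google-github-actions/auth@v2.1.3`, `google-github-actions/setup-gcloud@v2.1.0`, `rlespinasse/github-slug-action@v4.5.0`); a tag can be re-pointed at different code, and this job holds `id-token: write` and deletes cloud resources, so pin each to its full commit SHA with the version in a trailing comment, e.g. `uses: google-github-actions/auth@<commit-sha>  # v2.1.3`. The same applies to the action bumps in the ci-lint, sub-build-docker-image and sub-cloudrun-deploy sections. Replacing `service_account` with `project_id` in the auth step presumably switches it to direct Workload Identity Federation, so the federated principal itself must hold the Cloud Run delete permission; a one-line comment on the step such as `# Direct WIF: the federated principal (not a service account) needs roles/run.admin on the project` would record that intent.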


@ -4,10 +4,12 @@ on:
pull_request: pull_request:
branches: [main] branches: [main]
paths-ignore: paths-ignore:
- coredns/Corefile - '**/Corefile'
- docker/Dockerfile - '**/Dockerfile'
- .github/workflows/ci-lint-codebase.yml - .github/workflows/ci-lint-codebase.yml
permissions: read-all
jobs: jobs:
linter: linter:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -4,18 +4,15 @@ on:
pull_request: pull_request:
branches: [main] branches: [main]
paths: paths:
- '**.js*' - '**/Corefile'
- '**.ts*' - '**/Dockerfile'
- Dockerfile
- package.json
- pnpm-lock.yaml
- .github/workflows/ci-lint-codebase.yml - .github/workflows/ci-lint-codebase.yml
push: push:
branches: [main] branches: [main]
paths: paths:
- coredns/Corefile - '**/Corefile'
- docker/Dockerfile - '**/Dockerfile'
- .github/workflows/ci-lint-codebase.yml - .github/workflows/ci-lint-codebase.yml
concurrency: concurrency:
@ -25,6 +22,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
permissions: read-all
jobs: jobs:
linter: linter:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -37,7 +36,7 @@ jobs:
fetch-depth: 0 fetch-depth: 0
- name: Lint Code Base - name: Lint Code Base
uses: super-linter/super-linter/slim@v5.2.1 uses: super-linter/super-linter/slim@v6.7.0
env: env:
LOG_LEVEL: ERROR LOG_LEVEL: ERROR
VALIDATE_ALL_CODEBASE: false VALIDATE_ALL_CODEBASE: false
@ -46,9 +45,9 @@ jobs:
VALIDATE_CSS: false VALIDATE_CSS: false
VALIDATE_EDITORCONFIG: false VALIDATE_EDITORCONFIG: false
VALIDATE_MARKDOWN: false VALIDATE_MARKDOWN: false
VALIDATE_JAVASCRIPT_ES: false
VALIDATE_JAVASCRIPT_STANDARD: false
VALIDATE_DOCKERFILE_HADOLINT: false VALIDATE_DOCKERFILE_HADOLINT: false
LINTER_RULES_PATH: / LINTER_RULES_PATH: /
JAVASCRIPT_DEFAULT_STYLE: prettier
TYPESCRIPT_DEFAULT_STYLE: prettier
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
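Review bot: `permissions: read-all` combined with passing `GITHUB_TOKEN` to super-linter may break its status reporting: super-linter's documented permission set includes `statuses: write` for the per-linter commit statuses it posts with that token, and `read-all` grants no write scope. Either add `statuses: write` at the job level alongside `contents: read` and `packages: read`, or set `MULTI_STATUS: false` in the step's `env` so the token is only used for reads. The `linter` job's own permissions block, if it has one, is outside this hunk, so this is worth confirming on a run of the v6.7.0 slim image.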


@ -23,6 +23,8 @@ on:
description: The image digest to be used on a caller workflow description: The image digest to be used on a caller workflow
value: ${{ jobs.build.outputs.image_digest }} value: ${{ jobs.build.outputs.image_digest }}
permissions: read-all
jobs: jobs:
build: build:
name: Build images name: Build images
@ -46,7 +48,7 @@ jobs:
# Automatic tag management and OCI Image Format Specification for labels # Automatic tag management and OCI Image Format Specification for labels
- name: Docker meta - name: Docker meta
id: meta id: meta
uses: docker/metadata-action@v5.5.0 uses: docker/metadata-action@v5.5.1
with: with:
# list of Docker images to use as base name for tags # list of Docker images to use as base name for tags
images: | images: |
@ -68,11 +70,11 @@ jobs:
# Setup Docker Buildx to allow use of docker cache layers from GH # Setup Docker Buildx to allow use of docker cache layers from GH
- name: Set up Docker Buildx - name: Set up Docker Buildx
id: buildx id: buildx
uses: docker/setup-buildx-action@v3.0.0 uses: docker/setup-buildx-action@v3.4.0
- name: Authenticate to Google Cloud - name: Authenticate to Google Cloud
id: auth id: auth
uses: google-github-actions/auth@v2.1.2 uses: google-github-actions/auth@v2.1.3
with: with:
workload_identity_provider: '${{ vars.GCP_WIF }}' workload_identity_provider: '${{ vars.GCP_WIF }}'
service_account: '${{ vars.GCP_ARTIFACTS_SA }}' service_account: '${{ vars.GCP_ARTIFACTS_SA }}'
@ -83,7 +85,7 @@ jobs:
access_token_lifetime: 10800s access_token_lifetime: 10800s
- name: Login to Google Artifact Registry - name: Login to Google Artifact Registry
uses: docker/login-action@v3.0.0 uses: docker/login-action@v3.2.0
with: with:
registry: us-docker.pkg.dev registry: us-docker.pkg.dev
username: oauth2accesstoken username: oauth2accesstoken
@ -92,7 +94,7 @@ jobs:
# Build and push image to Google Artifact Registry, and possibly DockerHub # Build and push image to Google Artifact Registry, and possibly DockerHub
- name: Build & push - name: Build & push
id: docker_build id: docker_build
uses: docker/build-push-action@v5.1.0 uses: docker/build-push-action@v6.3.0
with: with:
target: ${{ inputs.dockerfile_target }} target: ${{ inputs.dockerfile_target }}
context: . context: .
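Review bot: `permissions: read-all` at the top of this reusable workflow does not include `id-token: write`, which the `Authenticate to Google Cloud` step needs to mint the OIDC token for `workload_identity_provider`; unless the `build` job (its `permissions` block is outside this hunk) sets `id-token: write` at job level, the auth step would fail even when the caller grants it. A job-level `permissions: { contents: read, id-token: write }` on `build` makes the requirement explicit and keeps the rest of the workflow read-only. The `access_token_lifetime: 10800s` on the same step predates this commit but is a long window for a build job's service-account token and could be revisited in the same pass.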


@ -14,7 +14,7 @@ on:
type: string type: string
description: The image digest to deploy description: The image digest to deploy
project_id: project_id:
required: true required: false
type: string type: string
description: The project to deploy to description: The project to deploy to
region: region:
@ -42,6 +42,8 @@ on:
type: string type: string
description: The amount of memory to use for the service description: The amount of memory to use for the service
permissions: read-all
jobs: jobs:
versioning: versioning:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -75,19 +77,23 @@ jobs:
- name: Inject slug/short variables - name: Inject slug/short variables
uses: rlespinasse/github-slug-action@v4.5.0 uses: rlespinasse/github-slug-action@v4.5.0
- uses: actions/checkout@v4.1.7
with:
persist-credentials: false
- name: Authenticate to Google Cloud - name: Authenticate to Google Cloud
id: auth id: auth
uses: google-github-actions/auth@v2.1.2 uses: google-github-actions/auth@v2.1.3
with: with:
workload_identity_provider: '${{ vars.GCP_WIF }}' workload_identity_provider: '${{ vars.GCP_WIF }}'
service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}' project_id: '${{ vars.GCP_PROJECT }}'
- name: Set up Cloud SDK - name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2.1.0 uses: google-github-actions/setup-gcloud@v2.1.0
- name: Deploy to cloud run - name: Deploy to cloud run
id: deploy id: deploy
uses: google-github-actions/deploy-cloudrun@v2.2.0 uses: google-github-actions/deploy-cloudrun@v2.6.0
with: with:
service: ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} service: ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }}
image: ${{ inputs.registry }}/${{ inputs.app_name }}@${{ inputs.image_digest }} image: ${{ inputs.registry }}/${{ inputs.app_name }}@${{ inputs.image_digest }}
@ -101,10 +107,11 @@ jobs:
--cpu=${{ inputs.cpu }} --cpu=${{ inputs.cpu }}
--memory=${{ inputs.memory }} --memory=${{ inputs.memory }}
--port=53 --port=53
--network=projects/zfnd-dev-net-spoke-0/global/networks/dev-spoke-0 --network=${{ vars.GCP_NETWORK }}
--subnet=projects/zfnd-dev-net-spoke-0/regions/us-east1/subnetworks/dev-default-ue1 --subnet=${{ vars.GCP_SUBNETWORK }}
- name: Allow unauthenticated calls to the service - name: Allow unauthenticated calls to the service
if: ${{ inputs.environment != 'prod' }}
run: | run: |
gcloud run services add-iam-policy-binding ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} \ gcloud run services add-iam-policy-binding ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} \
--region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet --region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet
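Review bot: The new `if: ${{ inputs.environment != 'prod' }}` guard on the `allUsers` invoker binding fails open: any `environment` value other than exactly `prod` — an empty input, `production`, or a typo in a caller — still makes the service publicly invokable. Prefer an allow-list of the non-production environments this repo deploys, e.g. `if: ${{ inputs.environment == 'dev' || inputs.environment == 'test' }}`, or a dedicated boolean input such as `allow_unauthenticated` that callers must opt into. Separately, `project_id` becomes `required: false` while the auth step now reads `vars.GCP_PROJECT` instead of the input; if the input is no longer consumed anywhere in the `deploy` job (which starts outside this hunk), drop it or document where it is used.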