ref(workflows): align workflows with `zfnd` standards (#42)
* ref(workflows): align workflows with `zfnd` standards * imp(workflows): only build and push images when a PR is ready for review
This commit is contained in:
parent
2dbab2bd3f
commit
548a62476d
@ -2,10 +2,10 @@ name: Deploy to dev
|
|||
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, reopened, labeled]
|
||||
types: [ready_for_review, synchronize]
|
||||
paths:
|
||||
- coredns/Corefile
|
||||
- docker/Dockerfile
|
||||
- '**/Corefile'
|
||||
- '**/Dockerfile'
|
||||
- .github/workflows/cd-deploy-to-dev.yml
|
||||
- .github/workflows/sub-cloudrun-deploy.yml
|
||||
|
||||
|
@ -16,6 +16,22 @@ concurrency:
|
|||
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
actions: read
|
||||
attestations: read
|
||||
checks: read
|
||||
contents: read
|
||||
deployments: read
|
||||
id-token: write
|
||||
issues: read
|
||||
discussions: read
|
||||
packages: read
|
||||
pages: read
|
||||
pull-requests: read
|
||||
repository-projects: read
|
||||
security-events: read
|
||||
statuses: read
|
||||
|
||||
jobs:
|
||||
# TODO: Add a job to run unit tests
|
||||
# test:
|
||||
|
@ -23,6 +39,7 @@ jobs:
|
|||
|
||||
build:
|
||||
uses: ./.github/workflows/sub-build-docker-image.yml
|
||||
if: ${{ !github.event.pull_request.draft }}
|
||||
with:
|
||||
environment: dev
|
||||
dockerfile_path: ./docker/Dockerfile
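Review bot: The new `permissions` block in the `@ -16,6 +16,22 @@` hunk enumerates thirteen read scopes next to `id-token: write`, but the only scopes the visible jobs can plausibly need are `contents: read` (checkout inside the called workflows) and `id-token: write` (the keyless Google Cloud auth); `attestations`, `discussions`, `pages`, `repository-projects`, `security-events` and the rest look unused. Enumeration is unavoidable here because `read-all` cannot be combined with a single write key, but unless one of the reusable workflows (outside this section) actually reads those scopes, trimming the block to `contents: read` and `id-token: write` keeps the job token at least privilege. A comment on the one write scope, `# id-token: write is needed only to mint the OIDC token for Workload Identity Federation`, records why it is there. The same block is added to the other two deploy workflows in this commit (the `@ -12,12 +12,23 @@` and `@ -17,6 +17,22 @@` hunks) and should be trimmed in step with this one.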
|
||||
|
|
|
@ -12,12 +12,23 @@ concurrency:
|
|||
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
actions: read
|
||||
attestations: read
|
||||
checks: read
|
||||
contents: read
|
||||
deployments: read
|
||||
id-token: write
|
||||
issues: read
|
||||
discussions: read
|
||||
packages: read
|
||||
pages: read
|
||||
pull-requests: read
|
||||
repository-projects: read
|
||||
security-events: read
|
||||
statuses: read
|
||||
|
||||
jobs:
|
||||
# TODO: Add a job to run unit tests
|
||||
# test:
|
||||
# uses: ./.github/workflows/sub-unit-tests.yml
|
||||
|
||||
|
||||
build:
|
||||
# needs: [test]
|
||||
uses: ./.github/workflows/sub-build-docker-image.yml
|
||||
|
@ -40,7 +51,7 @@ jobs:
|
|||
registry: ${{ vars.GAR_BASE }}
|
||||
image_digest: ${{ needs.build.outputs.image_digest }}
|
||||
min_instances: '1'
|
||||
max_instances: '100'
|
||||
max_instances: '10'
|
||||
cpu: '1'
|
||||
memory: 1Gi
|
||||
secrets: inherit
|
||||
|
|
|
@ -3,10 +3,10 @@ name: Deploy to test
|
|||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
- main
|
||||
paths:
|
||||
- coredns/Corefile
|
||||
- docker/Dockerfile
|
||||
- '**/Corefile'
|
||||
- '**/Dockerfile'
|
||||
- .github/workflows/cd-deploy-to-test.yml
|
||||
- .github/workflows/sub-cloudrun-deploy.yml
|
||||
|
||||
|
@ -17,6 +17,22 @@ concurrency:
|
|||
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
actions: read
|
||||
attestations: read
|
||||
checks: read
|
||||
contents: read
|
||||
deployments: read
|
||||
id-token: write
|
||||
issues: read
|
||||
discussions: read
|
||||
packages: read
|
||||
pages: read
|
||||
pull-requests: read
|
||||
repository-projects: read
|
||||
security-events: read
|
||||
statuses: read
|
||||
|
||||
jobs:
|
||||
# TODO: Add a job to run unit tests
|
||||
# test:
|
||||
|
|
|
@ -4,30 +4,32 @@ on:
|
|||
delete:
|
||||
pull_request:
|
||||
branches:
|
||||
- master
|
||||
- main
|
||||
types:
|
||||
- closed
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
delete:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
steps:
|
||||
- name: Inject slug/short variables
|
||||
uses: rlespinasse/github-slug-action@v4.5.0
|
||||
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v2.1.2
|
||||
uses: google-github-actions/auth@v2.1.3
|
||||
with:
|
||||
workload_identity_provider: '${{ vars.GCP_WIF }}'
|
||||
service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
|
||||
project_id: '${{ vars.GCP_PROJECT }}'
|
||||
|
||||
- name: Set up Cloud SDK
|
||||
uses: google-github-actions/setup-gcloud@v1.1.1
|
||||
uses: google-github-actions/setup-gcloud@v2.1.0
|
||||
|
||||
- name: Removing CR service
|
||||
run: |
|
||||
gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GOOGLE_CLOUD_REGION }} --quiet
|
||||
gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GCP_REGION }} --quiet
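Review bot: The rewritten `run:` line still splices `${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}` and the `vars.*` values directly into the shell script; the slugs are sanitised by github-slug-action and the variables are admin-controlled, so the exposure is low, but the GitHub hardening guidance is to pass expression values through `env:` so the script text never changes shape with its inputs. A minimal form is a step-level `env:` with `SERVICE_NAME: ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}` and the command becoming `gcloud run services delete "$SERVICE_NAME" --region=${{ vars.GCP_REGION }} --quiet`. The same inline pattern is kept in the `add-iam-policy-binding` step of the `@ -101,10 +107,11 @@` hunk of the Cloud Run deploy workflow. Separately, every bumped `uses:` in this commit (`google-github-actions/auth@v2.1.3` and `setup-gcloud@v2.1.0` here, and the docker, super-linter, checkout and deploy-cloudrun bumps in later sections) is pinned to a mutable tag; pinning to the full commit SHA with the version in a trailing comment is the usual supply-chain hardening for third-party actions. The step's `run:` block may continue past the end of this hunk.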
|
||||
|
|
|
@ -4,10 +4,12 @@ on:
|
|||
pull_request:
|
||||
branches: [main]
|
||||
paths-ignore:
|
||||
- coredns/Corefile
|
||||
- docker/Dockerfile
|
||||
- '**/Corefile'
|
||||
- '**/Dockerfile'
|
||||
- .github/workflows/ci-lint-codebase.yml
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
linter:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
@ -4,18 +4,15 @@ on:
|
|||
pull_request:
|
||||
branches: [main]
|
||||
paths:
|
||||
- '**.js*'
|
||||
- '**.ts*'
|
||||
- Dockerfile
|
||||
- package.json
|
||||
- pnpm-lock.yaml
|
||||
- '**/Corefile'
|
||||
- '**/Dockerfile'
|
||||
- .github/workflows/ci-lint-codebase.yml
|
||||
|
||||
push:
|
||||
branches: [main]
|
||||
paths:
|
||||
- coredns/Corefile
|
||||
- docker/Dockerfile
|
||||
- '**/Corefile'
|
||||
- '**/Dockerfile'
|
||||
- .github/workflows/ci-lint-codebase.yml
|
||||
|
||||
concurrency:
|
||||
|
@ -25,6 +22,8 @@ concurrency:
|
|||
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
linter:
|
||||
runs-on: ubuntu-latest
|
||||
|
@ -37,7 +36,7 @@ jobs:
|
|||
fetch-depth: 0
|
||||
|
||||
- name: Lint Code Base
|
||||
uses: super-linter/super-linter/slim@v5.2.1
|
||||
uses: super-linter/super-linter/slim@v6.7.0
|
||||
env:
|
||||
LOG_LEVEL: ERROR
|
||||
VALIDATE_ALL_CODEBASE: false
|
||||
|
@ -46,9 +45,9 @@ jobs:
|
|||
VALIDATE_CSS: false
|
||||
VALIDATE_EDITORCONFIG: false
|
||||
VALIDATE_MARKDOWN: false
|
||||
VALIDATE_JAVASCRIPT_ES: false
|
||||
VALIDATE_JAVASCRIPT_STANDARD: false
|
||||
VALIDATE_DOCKERFILE_HADOLINT: false
|
||||
LINTER_RULES_PATH: /
|
||||
JAVASCRIPT_DEFAULT_STYLE: prettier
|
||||
TYPESCRIPT_DEFAULT_STYLE: prettier
|
||||
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
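Review bot: `VALIDATE_DOCKERFILE_HADOLINT: false` in the `@ -46,9 +45,9 @@` hunk switches off the only Dockerfile linter, while the trigger paths added in this same file (`'**/Dockerfile'` under both `pull_request` and `push`) are what start the workflow, so a Dockerfile-only change now launches a lint job that does not lint the Dockerfile. If that is deliberate, a comment such as `# hadolint disabled until Dockerfile rules are agreed; re-enable together with a rules file` keeps the next reader from treating it as an oversight; otherwise the line should go. Also, super-linter posts one commit status per linter when `MULTI_STATUS` is left enabled, which requires `statuses: write`; with the workflow now at `permissions: read-all`, either grant `statuses: write` on the `linter` job or set `MULTI_STATUS: false` so the `GITHUB_TOKEN` handed over on the last line is not asked to do something it cannot. Because this is a v5 to v6 major bump, the removed `VALIDATE_JAVASCRIPT_*` and `*_DEFAULT_STYLE` keys are presumably intentional, but the new defaults are worth checking against a rendered run.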
|
||||
|
|
|
@ -23,6 +23,8 @@ on:
|
|||
description: The image digest to be used on a caller workflow
|
||||
value: ${{ jobs.build.outputs.image_digest }}
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build images
|
||||
|
@ -46,7 +48,7 @@ jobs:
|
|||
# Automatic tag management and OCI Image Format Specification for labels
|
||||
- name: Docker meta
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5.5.0
|
||||
uses: docker/metadata-action@v5.5.1
|
||||
with:
|
||||
# list of Docker images to use as base name for tags
|
||||
images: |
|
||||
|
@ -68,11 +70,11 @@ jobs:
|
|||
# Setup Docker Buildx to allow use of docker cache layers from GH
|
||||
- name: Set up Docker Buildx
|
||||
id: buildx
|
||||
uses: docker/setup-buildx-action@v3.0.0
|
||||
uses: docker/setup-buildx-action@v3.4.0
|
||||
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v2.1.2
|
||||
uses: google-github-actions/auth@v2.1.3
|
||||
with:
|
||||
workload_identity_provider: '${{ vars.GCP_WIF }}'
|
||||
service_account: '${{ vars.GCP_ARTIFACTS_SA }}'
|
||||
|
@ -83,7 +85,7 @@ jobs:
|
|||
access_token_lifetime: 10800s
|
||||
|
||||
- name: Login to Google Artifact Registry
|
||||
uses: docker/login-action@v3.0.0
|
||||
uses: docker/login-action@v3.2.0
|
||||
with:
|
||||
registry: us-docker.pkg.dev
|
||||
username: oauth2accesstoken
|
||||
|
@ -92,7 +94,7 @@ jobs:
|
|||
# Build and push image to Google Artifact Registry, and possibly DockerHub
|
||||
- name: Build & push
|
||||
id: docker_build
|
||||
uses: docker/build-push-action@v5.1.0
|
||||
uses: docker/build-push-action@v6.3.0
|
||||
with:
|
||||
target: ${{ inputs.dockerfile_target }}
|
||||
context: .
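Review bot: `permissions: read-all` at the top of this reusable workflow (`@ -23,6 +23,8 @@` hunk) becomes the ceiling for every job that does not declare its own `permissions`, and a called workflow can only narrow what its caller grants, never widen it; yet the `build` job's `google-github-actions/auth` step (`@ -68,11 +70,11 @@` hunk) needs `id-token: write` to obtain the OIDC token for Workload Identity Federation. Unless `build` sets job-level permissions (its header and body are outside these hunks), the auth step will fail under read-only permissions; adding `permissions:` / `contents: read` / `id-token: write` under `build:` states the requirement next to the step that uses it. The same top-level `permissions: read-all` is added to the Cloud Run deploy workflow (`@ -42,6 +42,8 @@` hunk), whose jobs also run `google-github-actions/auth`, so the same check applies there.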
|
||||
|
|
|
@ -14,7 +14,7 @@ on:
|
|||
type: string
|
||||
description: The image digest to deploy
|
||||
project_id:
|
||||
required: true
|
||||
required: false
|
||||
type: string
|
||||
description: The project to deploy to
|
||||
region:
|
||||
|
@ -42,6 +42,8 @@ on:
|
|||
type: string
|
||||
description: The amount of memory to use for the service
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
versioning:
|
||||
runs-on: ubuntu-latest
|
||||
|
@ -75,19 +77,23 @@ jobs:
|
|||
- name: Inject slug/short variables
|
||||
uses: rlespinasse/github-slug-action@v4.5.0
|
||||
|
||||
- uses: actions/checkout@v4.1.7
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: Authenticate to Google Cloud
|
||||
id: auth
|
||||
uses: google-github-actions/auth@v2.1.2
|
||||
uses: google-github-actions/auth@v2.1.3
|
||||
with:
|
||||
workload_identity_provider: '${{ vars.GCP_WIF }}'
|
||||
service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
|
||||
project_id: '${{ vars.GCP_PROJECT }}'
|
||||
|
||||
- name: Set up Cloud SDK
|
||||
uses: google-github-actions/setup-gcloud@v2.1.0
|
||||
|
||||
- name: Deploy to cloud run
|
||||
id: deploy
|
||||
uses: google-github-actions/deploy-cloudrun@v2.2.0
|
||||
uses: google-github-actions/deploy-cloudrun@v2.6.0
|
||||
with:
|
||||
service: ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }}
|
||||
image: ${{ inputs.registry }}/${{ inputs.app_name }}@${{ inputs.image_digest }}
|
||||
|
@ -101,10 +107,11 @@ jobs:
|
|||
--cpu=${{ inputs.cpu }}
|
||||
--memory=${{ inputs.memory }}
|
||||
--port=53
|
||||
--network=projects/zfnd-dev-net-spoke-0/global/networks/dev-spoke-0
|
||||
--subnet=projects/zfnd-dev-net-spoke-0/regions/us-east1/subnetworks/dev-default-ue1
|
||||
--network=${{ vars.GCP_NETWORK }}
|
||||
--subnet=${{ vars.GCP_SUBNETWORK }}
|
||||
|
||||
- name: Allow unauthenticated calls to the service
|
||||
if: ${{ inputs.environment != 'prod' }}
|
||||
run: |
|
||||
gcloud run services add-iam-policy-binding ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} \
|
||||
--region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet
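Review bot: `project_id` goes from `required: true` to `required: false` in the `@ -14,7 +14,7 @@` hunk without a `default:`, and its description still reads as mandatory, so a caller that omits it now passes an empty `inputs.project_id` into whatever consumes it further down (outside these hunks) and relies on an implicit fallback. Either add a `default:` or extend the line to `description: The project to deploy to; optional, state here what the deploy falls back to when it is omitted`, so the behaviour is documented where callers look. The new `--network=${{ vars.GCP_NETWORK }}` and `--subnet=${{ vars.GCP_SUBNETWORK }}` flags likewise depend on those repository variables existing in every environment that calls this workflow; an unset variable expands to an empty flag value instead of failing early, which is worth a comment or a guard step.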
|
||||
|
|