zebra/.github/workflows/cd.yml

name: CD

on:
  push:
    branches:
      - main
      - gcloud

env:
  PROJECT_ID: zealous-zebra

jobs:
  build:
    name: Google Cloud / Test, Build, and Deploy
    runs-on: ubuntu-latest
    steps:

    - name: Checkout
      uses: actions/checkout@master

    - name: Set project and image names
      run: |
        SHORT_BRANCH_NAME=$(expr $GITHUB_REF : '.*/\(.*\)') && \
        SHORT_BRANCH_NAME=${SHORT_BRANCH_NAME,,} && \
        BRANCH_NAME=$GITHUB_REPOSITORY/$SHORT_BRANCH_NAME && \
        BRANCH_NAME=${BRANCH_NAME,,} && \
        echo "::set-env name=SHORT_BRANCH_NAME::$SHORT_BRANCH_NAME" && \
        echo "::set-env name=BRANCH_NAME::$BRANCH_NAME" && \
        echo "::set-env name=SHA7::$(git rev-parse --short=7 $GITHUB_SHA)"

    # Setup gcloud CLI
    - name: Set up gcloud Cloud SDK environment
      uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
      with:
        project_id: ${{ env.PROJECT_ID }}
        service_account_key: ${{ secrets.GCLOUD_AUTH }}

    # Build and push image to Google Container Registry
    - name: Build
      # Tagging w/ the commit SHA blocks the :latest tag on GCR
      run: |
        gcloud builds submit \
          --tag "gcr.io/$PROJECT_ID/$BRANCH_NAME:$SHA7" \
          --machine-type n1-highcpu-32 \
          --timeout 3600s \

    # Create an attestation on the new image with our existing attestor
    - name: Create attestation
      run: |
        ARTIFACT_URL=$(gcloud container images describe "gcr.io/$PROJECT_ID/$BRANCH_NAME:$SHA7" \
          --format="value(image_summary.fully_qualified_digest)");

        gcloud alpha container binauthz attestations sign-and-create \
          --quiet \
          --artifact-url="${ARTIFACT_URL}" \
          --attestor="projects/zealous-zebra/attestors/zebrad-attestor" \
          --keyversion="projects/zealous-zebra/locations/global/keyRings/binary-authorization/cryptoKeys/zebrad-attestor/cryptoKeyVersions/1";

    # Create instance template from container image
    - name: Create instance template
      run: |
        gcloud compute instance-templates create-with-container "zebrad-$SHORT_BRANCH_NAME-$SHA7" \
          --container-image "gcr.io/$PROJECT_ID/$BRANCH_NAME:$SHA7" \
          --machine-type n1-highmem-8 \
          --service-account cos-vm@zealous-zebra.iam.gserviceaccount.com \
          --scopes cloud-platform \
          --tags zebrad \

    # Run once: create firewall rule to allow healthchecks
    # - name: Create healthcheck firewall rule
    #   run: |
    #     gcloud compute firewall-rules create "allow-tracing-health-check" \
    #     --target-tags zebrad \
    #     --allow tcp:3000 \
    #     --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    #     --description="Allow HTTP requests to our tracing endpoint from Google's probes" \

    # Run once: create firewall rule to allow incoming traffic to the nodes
    # - name: Create Zcash incoming traffic firewall rule
    #   run: |
    #     gcloud compute firewall-rules create "allow-zcash" \
    #     --target-tags zebrad \
    #     --allow tcp:8233,tcp:18233 \
    #     --source-ranges 0.0.0.0/0 \
    #     --description="Allow incoming Zcash traffic from anywhere" \

    # Check if our destination instance group exists already
    - name: Check if instance group exists
      id: does-group-exist
      continue-on-error: true
      run: |
        gcloud compute instance-groups list | grep "zebrad-$SHORT_BRANCH_NAME"

    # Deploy new managed instance group using the new instance template
    - name: Create managed instance group
      if: steps.does-group-exist.outcome == 'failure'
      run: |
        gcloud compute instance-groups managed create \
          "zebrad-$SHORT_BRANCH_NAME" \
          --template "zebrad-$SHORT_BRANCH_NAME-$SHA7" \
          --health-check zebrad-tracing-filter \
          --initial-delay 30 \
          --region us-central1 \
          --size 2

    # Rolls out update to existing group using the new instance template
    - name: Update managed instance group
      if: steps.does-group-exist.outcome == 'success'
      run: |
        gcloud compute instance-groups managed rolling-action start-update \
          "zebrad-$SHORT_BRANCH_NAME" \
          --version template="zebrad-$SHORT_BRANCH_NAME-$SHA7" \
          --region us-central1 \
Create instance group if it doesn't exist, update it if it does (#513) * Deploy instance group if it doesn't exist, update it if it does * Rename push.yml to cd.yml * Rename some CD steps 2020-06-21 01:39:47 -07:00			`name: CD`
Turn off the project workflow, reorg some CI jobs (#451) * Remove 'assign to project' workflow Doesn't work with external PRs. * Reorg CI jobs a bit * Also upgrade gcloud sdk to version 295.0.0 2020-06-08 18:03:51 -07:00
			`on:`
			`push:`
Scope deploys to main, gcloud branches; shorten initial delay 2020-06-18 23:14:10 -07:00			`branches:`
			`- main`
			`- gcloud`
Turn off the project workflow, reorg some CI jobs (#451) * Remove 'assign to project' workflow Doesn't work with external PRs. * Reorg CI jobs a bit * Also upgrade gcloud sdk to version 295.0.0 2020-06-08 18:03:51 -07:00
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00			`env:`
			`PROJECT_ID: zealous-zebra`

Turn off the project workflow, reorg some CI jobs (#451) * Remove 'assign to project' workflow Doesn't work with external PRs. * Reorg CI jobs a bit * Also upgrade gcloud sdk to version 295.0.0 2020-06-08 18:03:51 -07:00			`jobs:`
			`build:`
Remove cloudbuild.yml, tidy gcloud deploy workflow 2020-06-15 02:16:18 -07:00			`name: Google Cloud / Test, Build, and Deploy`
Turn off the project workflow, reorg some CI jobs (#451) * Remove 'assign to project' workflow Doesn't work with external PRs. * Reorg CI jobs a bit * Also upgrade gcloud sdk to version 295.0.0 2020-06-08 18:03:51 -07:00			`runs-on: ubuntu-latest`
			`steps:`
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00
			`- name: Checkout`
			`uses: actions/checkout@master`

			`- name: Set project and image names`
			`run: \|`
Remove cloudbuild.yml, tidy gcloud deploy workflow 2020-06-15 02:16:18 -07:00			`SHORT_BRANCH_NAME=$(expr $GITHUB_REF : './\(.\)') && \`
			`SHORT_BRANCH_NAME=${SHORT_BRANCH_NAME,,} && \`
			`BRANCH_NAME=$GITHUB_REPOSITORY/$SHORT_BRANCH_NAME && \`
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00			`BRANCH_NAME=${BRANCH_NAME,,} && \`
Remove cloudbuild.yml, tidy gcloud deploy workflow 2020-06-15 02:16:18 -07:00			`echo "::set-env name=SHORT_BRANCH_NAME::$SHORT_BRANCH_NAME" && \`
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00			`echo "::set-env name=BRANCH_NAME::$BRANCH_NAME" && \`
			`echo "::set-env name=SHA7::$(git rev-parse --short=7 $GITHUB_SHA)"`

			`# Setup gcloud CLI`
Create instance group if it doesn't exist, update it if it does (#513) * Deploy instance group if it doesn't exist, update it if it does * Rename push.yml to cd.yml * Rename some CD steps 2020-06-21 01:39:47 -07:00			`- name: Set up gcloud Cloud SDK environment`
			`uses: GoogleCloudPlatform/github-actions/setup-gcloud@master`
Turn off the project workflow, reorg some CI jobs (#451) * Remove 'assign to project' workflow Doesn't work with external PRs. * Reorg CI jobs a bit * Also upgrade gcloud sdk to version 295.0.0 2020-06-08 18:03:51 -07:00			`with:`
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00			`project_id: ${{ env.PROJECT_ID }}`
Turn off the project workflow, reorg some CI jobs (#451) * Remove 'assign to project' workflow Doesn't work with external PRs. * Reorg CI jobs a bit * Also upgrade gcloud sdk to version 295.0.0 2020-06-08 18:03:51 -07:00			`service_account_key: ${{ secrets.GCLOUD_AUTH }}`
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00
			`# Build and push image to Google Container Registry`
			`- name: Build`
			`# Tagging w/ the commit SHA blocks the :latest tag on GCR`
Turn off the project workflow, reorg some CI jobs (#451) * Remove 'assign to project' workflow Doesn't work with external PRs. * Reorg CI jobs a bit * Also upgrade gcloud sdk to version 295.0.0 2020-06-08 18:03:51 -07:00			`run: \|`
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00			`gcloud builds submit \`
			`--tag "gcr.io/$PROJECT_ID/$BRANCH_NAME:$SHA7" \`
			`--machine-type n1-highcpu-32 \`
			`--timeout 3600s \`

Sign container images for later binary authorization 2020-06-23 23:28:47 -07:00			`# Create an attestation on the new image with our existing attestor`
			`- name: Create attestation`
			`run: \|`
			`ARTIFACT_URL=$(gcloud container images describe "gcr.io/$PROJECT_ID/$BRANCH_NAME:$SHA7" \`
			`--format="value(image_summary.fully_qualified_digest)");`

Revert "Move --quiet around" This reverts commit 01e6d01d9bb70b4714045c6a8ac82d157c502f87. 2020-06-25 14:01:32 -07:00			`gcloud alpha container binauthz attestations sign-and-create \`
			`--quiet \`
Sign container images for later binary authorization 2020-06-23 23:28:47 -07:00			`--artifact-url="${ARTIFACT_URL}" \`
			`--attestor="projects/zealous-zebra/attestors/zebrad-attestor" \`
			`--keyversion="projects/zealous-zebra/locations/global/keyRings/binary-authorization/cryptoKeys/zebrad-attestor/cryptoKeyVersions/1";`

gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00			`# Create instance template from container image`
			`- name: Create instance template`
			`run: \|`
Remove cloudbuild.yml, tidy gcloud deploy workflow 2020-06-15 02:16:18 -07:00			`gcloud compute instance-templates create-with-container "zebrad-$SHORT_BRANCH_NAME-$SHA7" \`
Add health check 2020-06-17 23:25:22 -07:00			`--container-image "gcr.io/$PROJECT_ID/$BRANCH_NAME:$SHA7" \`
Add 'zebrad' tags to instance templates And add 'one time' commands commented out for managing firewall rules. 2020-06-18 14:52:53 -07:00			`--machine-type n1-highmem-8 \`
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00			`--service-account cos-vm@zealous-zebra.iam.gserviceaccount.com \`
			`--scopes cloud-platform \`
Add 'zebrad' tags to instance templates And add 'one time' commands commented out for managing firewall rules. 2020-06-18 14:52:53 -07:00			`--tags zebrad \`

			`# Run once: create firewall rule to allow healthchecks`
			`# - name: Create healthcheck firewall rule`
			`# run: \|`
			`# gcloud compute firewall-rules create "allow-tracing-health-check" \`
			`# --target-tags zebrad \`
			`# --allow tcp:3000 \`
			`# --source-ranges 130.211.0.0/22,35.191.0.0/16 \`
			`# --description="Allow HTTP requests to our tracing endpoint from Google's probes" \`

			`# Run once: create firewall rule to allow incoming traffic to the nodes`
			`# - name: Create Zcash incoming traffic firewall rule`
			`# run: \|`
			`# gcloud compute firewall-rules create "allow-zcash" \`
			`# --target-tags zebrad \`
			`# --allow tcp:8233,tcp:18233 \`
			`# --source-ranges 0.0.0.0/0 \`
			`# --description="Allow incoming Zcash traffic from anywhere" \`
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00
Create instance group if it doesn't exist, update it if it does (#513) * Deploy instance group if it doesn't exist, update it if it does * Rename push.yml to cd.yml * Rename some CD steps 2020-06-21 01:39:47 -07:00			`# Check if our destination instance group exists already`
			`- name: Check if instance group exists`
			`id: does-group-exist`
			`continue-on-error: true`
			`run: \|`
			`gcloud compute instance-groups list \| grep "zebrad-$SHORT_BRANCH_NAME"`

			`# Deploy new managed instance group using the new instance template`
			`- name: Create managed instance group`
			`if: steps.does-group-exist.outcome == 'failure'`
			`run: \|`
			`gcloud compute instance-groups managed create \`
			`"zebrad-$SHORT_BRANCH_NAME" \`
			`--template "zebrad-$SHORT_BRANCH_NAME-$SHA7" \`
			`--health-check zebrad-tracing-filter \`
			`--initial-delay 30 \`
			`--region us-central1 \`
			`--size 2`
Update existing managed instance groups on deploy 2020-06-19 00:26:31 -07:00
			`# Rolls out update to existing group using the new instance template`
			`- name: Update managed instance group`
Create instance group if it doesn't exist, update it if it does (#513) * Deploy instance group if it doesn't exist, update it if it does * Rename push.yml to cd.yml * Rename some CD steps 2020-06-21 01:39:47 -07:00			`if: steps.does-group-exist.outcome == 'success'`
gcloud workflow to deploy containers via managed instance group Also default command to 'zebrad connect' until 'start' is fleshed out. 2020-06-15 01:32:51 -07:00			`run: \|`
Update existing managed instance groups on deploy 2020-06-19 00:26:31 -07:00			`gcloud compute instance-groups managed rolling-action start-update \`
			`"zebrad-$SHORT_BRANCH_NAME" \`
			`--version template="zebrad-$SHORT_BRANCH_NAME-$SHA7" \`
Add health check 2020-06-17 23:25:22 -07:00			`--region us-central1 \`