-
Notifications
You must be signed in to change notification settings - Fork 0
177 lines (160 loc) · 6.92 KB
/
multi-cloud-deployment.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
name: "🚀 Multi-cloud deployment demo"
on:
workflow_dispatch:
release:
types: [published]
jobs:
# This job is about checking that the workflow has been triggered by a repo admin on a release tag (v*)
# If not, the workflow will fail with an error message.
prereq_checks:
name: Ensure this workflow has been triggered by and admin on a protected release tag (v*)
runs-on: ubuntu-latest
env:
TRIGGERING_ACTOR: ${{ github.triggering_actor }}
steps:
- name: Fail if the workflow has been triggered manually with a non-release tag (i.e. not using the 'v*' regex)
run: |
if [[ "$GITHUB_REF" != refs/tags/v* ]]; then
echo "Only 'v*' tags and associated releases can be deployed, exiting."
exit 1
else
echo "The workflow has been triggered on a release tag, continuing."
fi
- name: Fail if the workflow has been triggered by a non-admin user
uses: actions/github-script@v6
with:
script: |
const TRIGGERING_ACTOR = process.env.TRIGGERING_ACTOR
github.rest.repos.getCollaboratorPermissionLevel({
owner: context.repo.owner,
repo: context.repo.repo,
username: TRIGGERING_ACTOR
}).then(response => {
if (response.data.permission == 'admin') {
core.info('The github actor has admin permission on this repository. Continuing.')
} else {
core.info('Only repository admins can trigger this workflow. Exiting.')
process.exit(1)
}
})
# This job is about building and testing the application.
# The resulting JAR file is then saved as a GitHub artifact for the next job.
build:
permissions:
contents: read
needs: [ prereq_checks ]
name: "🚧 - Build & Test"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v2
with:
java-version: '17'
distribution: 'adopt'
cache: 'maven'
- name: Build with Maven Wrapper
run: ./mvnw -B package
- name: Save artifacts
uses: actions/upload-artifact@v2
with:
name: spring-petclinic.jar
path: target/spring-petclinic-*.jar
# This job is about building and publishing the container image to GitHub Container Registry (GHCR).
build_publish_container:
permissions:
contents: read
packages: write
name: "🐳 - Push container image to GitHub Container Registry (GHCR)"
needs: [ build ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Get Jar file artifact
uses: actions/download-artifact@v2
with:
name: spring-petclinic.jar
path: target
- name: GitHub Container Registry Login
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and Push Container
id: container_publish
uses: docker/build-push-action@v2
with:
context: .
build-args: |
VERSION=${{ github.ref_name }}
REPOSITORY_NAME=${{ github.repository }}
revision=${{ github.sha }}
push: true
tags: |
ghcr.io/${{ github.repository }}:${{ github.ref_name }}
# The three next jobs are using reusable workflows to deploy the application to the different cloud providers.
# The reusable workflows are located in the same folder as this workflow.
#
# Deploy the container image to Azure ACI
deploy-to-azure-aci-prod:
permissions:
id-token: write
contents: read
name: Azure ACI production deployment
uses: ./.github/workflows/deploy-to-azure-aci.yml
needs: [ build_publish_container ]
with:
environment: azure
container-image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
resource-group: rg-spring-petclinic # must match the resource group defined in ../../docs/env-setup/env-setup.md
deployment-name: ghsioux-spring-petclinic
deployment-url-prefix: ghsioux-spring-petclinic
location: "east us" # must match the Azure region defined in ../../docs/env-setup/env-setup.md
ports: 8080
secrets:
az_client_id: ${{ secrets.AZURE_CLIENT_ID }}
az_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
az_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Deploy the container image to AWS ECS
deploy-to-aws-ecs:
permissions:
id-token: write
contents: read
name: AWS ECS production deployment
uses: ./.github/workflows/deploy-to-aws-ecs.yml
needs: [ build_publish_container ]
with:
environment: aws
container-image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
ecs-cluster: demo-ecs-cluster # must match the ECS cluster defined in ../../docs/env-setup/env-setup.md
ecs-service: spring-petclinic # must match the ECS service defined in ../../docs/env-setup/env-setup.md
ecs-task-definition: ./assets/aws-petclinic-ecs-task-definition.json # must match the ECS task definition used in ../../docs/infra-setup/aws.md
container-name: petclinic-container # must match the container name defined in the aws-petclinic-ecs-task-definition.json
aws-region: ap-southeast-1 # must match the AWS region defined in ../../docs/env-setup/env-setup.md
secrets:
oidc-role-to-assume: ${{ secrets.OIDC_ROLE_TO_ASSUME }}
# Deploy the container image to GCP Cloud Run
# One specificity of this deployment is that the container image is pushed to Google Artifact Registry (GAR)
# before being deployed to Cloud Run. This is because GHCR is not supported by Cloud Run yet.
deploy-to-gcp-cloudrun:
permissions:
id-token: write
contents: read
name: GCP Cloud Run deployment
uses: ./.github/workflows/deploy-to-gcp-cloudrun.yml
needs: [ build_publish_container ]
with:
environment: gcp
container-image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
cloudrun-service: spring-petclinic # must match the Cloud Run service defined in ../../docs/env-setup/env-setup.md
push-to-gar: true
# adapt the gar-target-image value below with your GCP region, project ID, and the name of the repository in GAR (defined in ../../docs/env-setup/env-setup.md)
gar-target-image: europe-west1-docker.pkg.dev/ghsioux-123456789/spring-petclinic-gar/${{ github.repository }}:${{ github.ref_name }}
region: europe-west1 # must match the GCP region defined in ../../docs/env-setup/env-setup.md
flags: --port=8080 --platform=managed --allow-unauthenticated
secrets:
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}