Skip to content

Merge pull request #6391 from akatsoulas/group-access-404 #126

Merge pull request #6391 from akatsoulas/group-access-404

Merge pull request #6391 from akatsoulas/group-access-404 #126

name: Build, test and push a Docker image
on:
push:
branches:
- main
- dev
tags:
- '*'
workflow_dispatch:
inputs:
ref:
description: 'ref to be deployed (e.g. "refs/heads/main", "v1.0.0", "2c0472cf")'
type: string
required: true
default: refs/heads/dev
env:
APP: sumo
APPLICATION_REPOSITORY: mozilla/kitsune
IMAGE_NAME: kitsune
GAR_LOCATION: us
GCP_PROJECT_ID: moz-fx-sumo-prod
GAR_REPOSITORY: sumo-prod
REF_ID: ${{ github.ref }}
jobs:
build:
permissions:
contents: read
deployments: write
id-token: write
runs-on: ubuntu-latest
outputs:
deployment_env: ${{ env.DEPLOYMENT_ENV }}
deployment_realm: ${{ env.DEPLOYMENT_REALM }}
image_tag: ${{ env.TAG }}
steps:
- uses: actions/checkout@v4
- name: Create version.json
run: |
# create a version.json per
# https://github.com/mozilla-services/Dockerflow/blob/master/docs/version_object.md
printf '{"commit":"%s","version":"%s","source":"%s","build":"%s"}\n' \
"$GITHUB_SHA" \
"$GITHUB_REF_NAME" \
"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \
"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > version.json
- id: checkout_application_repo
name: checkout application repo
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
ref: ${{ env.REF_ID }}
- id: dev_image_tag
name: Set Docker Stag image tag for updates of the DEV branch
if: github.ref == 'refs/heads/dev'
run: |
echo TAG="dev-$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV"
# Updates to the main branch are deployed to stage.
echo DEPLOYMENT_ENV=dev >> "$GITHUB_ENV"
echo DEPLOYMENT_REALM=nonprod >> "$GITHUB_ENV"
- id: stage_image_tag
name: Set Docker Stag image tag for updates of the main branch
if: github.ref == 'refs/heads/main'
run: |
echo TAG="$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV"
# Updates to the main branch are deployed to stage.
echo DEPLOYMENT_ENV=stage >> "$GITHUB_ENV"
echo DEPLOYMENT_REALM=nonprod >> "$GITHUB_ENV"
- id: prod_image_tag
name: Set Docker image tag to the git tag for tagged builds
if: startsWith(github.ref, 'refs/tags/')
run: |
echo TAG="$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV"
# Version tags are deployed to prod.
echo DEPLOYMENT_ENV=prod >> "$GITHUB_ENV"
echo DEPLOYMENT_REALM=prod >> "$GITHUB_ENV"
- uses: docker/setup-buildx-action@v3
- id: gcp_auth
name: GCP authentication
uses: google-github-actions/auth@v2
with:
token_format: access_token
service_account: artifact-writer@${{ env.GCP_PROJECT_ID }}.iam.gserviceaccount.com
workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
- id: docker_login
name: Log in to the container registry
uses: docker/login-action@v3
with:
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.gcp_auth.outputs.access_token }}
- id: build_and_push
name: Build and push image
uses: docker/build-push-action@v5
with:
context: .
tags: |
${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
upload-static-assets:
name: upload static assets
environment: ${{ needs.build.outputs.deployment_env }}
runs-on: ubuntu-latest
needs:
- build
permissions:
contents: read
id-token: write
steps:
- id: gcp_auth
name: gcp auth
uses: google-github-actions/auth@v2
with:
token_format: access_token
service_account: deploy-${{ needs.build.outputs.deployment_env }}@moz-fx-sumo-${{ needs.build.outputs.deployment_realm }}.iam.gserviceaccount.com
workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
- id: docker_login
name: docker login
uses: docker/login-action@v3
with:
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.gcp_auth.outputs.access_token }}
- id: setup-gcloud
uses: google-github-actions/setup-gcloud@v2
- id: upload-assets
name: upload static assets
run: |-
TMP_DIR=static-upload
TMP_DIR_HASHED=static-upload-hashed
docker create --name tmp $GAR_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GAR_REPOSITORY/$IMAGE_NAME:${{ needs.build.outputs.image_tag }}
mkdir -p ./$TMP_DIR ./$TMP_DIR_HASHED
docker cp tmp:/app/static/. ./$TMP_DIR/
find $TMP_DIR -maxdepth 1 -type f -regextype sed -regex ".*\.[0-9a-f]\{16\}\..*" -exec mv -t $TMP_DIR_HASHED {} +
gsutil -m rsync -r ./$TMP_DIR_HASHED/ gs://$APP-${{ needs.build.outputs.deployment_realm }}-${{ needs.build.outputs.deployment_env }}-assets-bucket/static/
gsutil -m rsync -r ./$TMP_DIR/ gs://$APP-${{ needs.build.outputs.deployment_realm }}-${{ needs.build.outputs.deployment_env }}-assets-bucket/static/
docker rm tmp