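# Builds the at_root server image, pushes it to Docker Hub, generates SLSA
# provenance for it and rolls it out to the production GKE cluster.
# Runs only on pushes of release tags matching r*.*.* (see `on.push.tags`).
name: at_root deploy (prod)

on:
  push:
    tags:
      - 'r*.*.*'
    # NOTE(review): GitHub's docs state that `paths` filters are not evaluated
    # for tag pushes, so with a tags-only trigger this filter is expected to be
    # inert; confirm before relying on it to skip releases that did not touch
    # the server package.
    paths:
      - 'packages/*_root_server/**'

# Workflow-wide default is read-only; each job requests only what it needs.
permissions: # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  # Builds and pushes the image. Exposes the pushed manifest digest so that the
  # downstream jobs reference the exact artifact rather than a mutable tag.
  Docker_Build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      digest: ${{ steps.docker_build.outputs.digest }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Extract the last path component of the ref (the tag name, for this
      # trigger) for use as a docker tag. The ref is expanded by the shell from
      # the GITHUB_REF environment variable, not interpolated into the script
      # by the `${{ }}` template engine, so it cannot alter the script text.
      - name: Get branch name
        run: echo "BRANCH=${GITHUB_REF##*/}" >> "$GITHUB_ENV"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      # Build and push the production image. `prod` is a moving tag; the two
      # run-number tags uniquely identify this build for humans. `id` is what
      # the job-level `outputs.digest` above reads from.
      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          file: packages/at_root_server/Dockerfile
          context: packages/at_root_server
          push: true
          tags: |
            atsigncompany/root:prod
            atsigncompany/root:prod-gha${{ github.run_number }}
            atsigncompany/root:prod-${{ env.BRANCH }}-gha${{ github.run_number }}

  # Generates and uploads SLSA provenance for the digest built above, via the
  # slsa-framework reusable workflow. The registry secrets are handed to that
  # workflow so it can push the attestation next to the image.
  provenance:
    needs: [Docker_Build]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    # Always true under a tags-only trigger; kept as a guard in case branch
    # triggers are ever added to `on.push`.
    if: startsWith(github.ref, 'refs/tags/')
    # NOTE(review): the `@<ref>` part of this line is garbled in the source
    # listing (it was scraped as an e-mail address). The real value must be a
    # pinned release tag or full commit SHA of the SLSA generator reusable
    # workflow; restore it from the repository before using this file.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      image: "atsigncompany/root"
      digest: ${{ needs.Docker_Build.outputs.digest }}
    secrets:
      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}

  # Rolls the freshly built image out to the production cluster.
  # NOTE(review): this job runs in parallel with `provenance`; add `provenance`
  # to `needs` if a successfully uploaded attestation should gate the rollout.
  # NOTE(review): no `concurrency` group is set, so two release tags pushed in
  # quick succession can interleave their rollouts; a workflow-level group with
  # `cancel-in-progress: false` would serialize them.
  Deploy_On_Prod_K8:
    needs: Docker_Build
    runs-on: [self-hosted, linux, x64, K8s]
    # Explicit restatement of the workflow default; the deploy step only needs
    # cluster access, which comes from the secrets below, not from the token.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Setup gcloud CLI
      # NOTE(review): authenticates with a long-lived service-account JSON key
      # stored as a repository secret. google-github-actions/auth also supports
      # keyless Workload Identity Federation, which avoids holding a key at all.
      - id: 'auth'
        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
        with:
          credentials_json: '${{ secrets.GKE_SA_PROD_KEY }}'
      - name: 'Set up Cloud SDK'
        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
      # Get the GKE credentials so we can deploy to the cluster
      - uses: google-github-actions/get-gke-credentials@d0cee45012069b163a631894b98904a9e6723729 # v2.3.3
        with:
          cluster_name: ${{ secrets.GKE_PROD_CLUSTER }}
          location: ${{ secrets.GKE_PROD_ZONE }}
      # Deploy the Docker image to the GKE cluster, pinned to the digest that
      # Docker_Build pushed (and that the provenance job attests) rather than
      # the mutable prod-gha<run_number> tag, so the cluster runs exactly the
      # artifact built in this run even if the tag is later overwritten.
      # The digest is passed through `env` instead of being expanded by `${{ }}`
      # directly inside the script so it is never spliced into the shell text.
      - name: Deploy
        env:
          IMAGE_DIGEST: ${{ needs.Docker_Build.outputs.digest }}
        run: |-
          if [ -z "${IMAGE_DIGEST}" ]; then
            echo "::error::Docker_Build produced no image digest; refusing to deploy"
            exit 1
          fi
          kubectl -n root set image deployment/root "root=atsigncompany/root@${IMAGE_DIGEST}"
          # `set image` already triggers a rollout when the reference changes;
          # the restart is kept from the original flow and is harmless.
          kubectl rollout restart deployment root -n root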