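---
# Deploys a documentation image to one environment by rewriting the image
# tag in the docs-gitops repository, then waits for the GitOps reconciler
# to report the commit as deployed and purges the CDN cache.
#
# Every third-party action is pinned to a full commit SHA (the tag is kept
# as a trailing comment) so a moved tag cannot change what runs here.
name: Deploy documentation

on:
  workflow_dispatch:
    inputs:
      # `choice` restricts the value to the listed options, so it is safe
      # to pass straight into step names and environment variables.
      gitops-branch:
        type: choice
        description: Environment to deploy to
        required: true
        options:
          - dev
          - stage
          - prod
      # Free-form string: only ever handed to shell steps via `env:`,
      # never interpolated into a `run:` script body.
      image-tag:
        type: string
        description: Image tag to deploy
        required: true

# Least privilege: `id-token: write` is required for the OIDC exchange with
# Google Cloud Workload Identity; nothing in this workflow writes to the
# calling repository, so `contents` stays read-only.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    name: Deploy docs
    runs-on: ubuntu-latest
    steps:
      # `audit` records outbound connections without blocking them; switch
      # to `block` with an allow-list once the destinations are known.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit

      # The default GITHUB_TOKEN is not persisted into .git/config; this
      # checkout is only used to run the helper scripts under .github/.
      - name: Check out current repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: self
          persist-credentials: false

      # Keyless authentication: the runner's OIDC token is exchanged for
      # short-lived Google Cloud credentials, no long-lived key is stored.
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          workload_identity_provider: ${{ vars.GLOBAL_GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: yubico-docs@prod-github-apps-845651.iam.gserviceaccount.com

      # A scoped installation token (single owner, single repository) is
      # minted per run instead of using a personal access token.
      - name: Generate GitHub App token
        id: generate_token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: 800408 # Yubico Docs
          owner: Yubico
          repositories: docs-gitops
          private-key: ${{ secrets.GH_APP_YUBICO_DOCS_PRIVATE_KEY }}

      # Credentials are persisted here on purpose: the push step below runs
      # inside ./gitops and presumably relies on the stored app token —
      # confirm against commit-and-push.sh.
      - name: Check out docs-gitops repo (${{ inputs.gitops-branch }} branch)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: Yubico/docs-gitops
          ref: ${{ inputs.gitops-branch }}
          token: ${{ steps.generate_token.outputs.token }}
          path: gitops
          persist-credentials: true

      # The tag reaches sed through an environment variable, so it is never
      # expanded into the script source by the expression engine.
      # NOTE(review): sed uses `#` as its delimiter, so a tag containing `#`
      # would break the expression rather than be substituted.
      - name: Update GitOps resources
        run: sed -i "s#/yesdk/yesdk-docserver:.*\$#/yesdk/yesdk-docserver:$IMAGE_TAG#" ./k8s/yesdk/kustomization.yaml
        working-directory: ./gitops
        env:
          IMAGE_TAG: "${{ inputs.image-tag }}"

      - name: Set up commit signing
        run: .github/scripts/configure-git-pgp.sh
        env:
          PGP_KEY: ${{ secrets.DOCS_GITOPS_PGP_KEY }}
        working-directory: ./self

      - name: Push changes to GitOps repo
        run: ${{ github.workspace }}/self/.github/scripts/commit-and-push.sh
        working-directory: ./gitops
        env:
          GITOPS_BRANCH: ${{ inputs.gitops-branch }}
          IMAGE_TAG: "${{ inputs.image-tag }}"

  verify:
    name: Verify deployment completion
    runs-on: ubuntu-latest
    needs: deploy
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # A separate, read-only identity for the verification job so the
      # deploy service account is not reused where only reads are needed.
      - name: Authenticate to Google Cloud to read commit status
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          workload_identity_provider: ${{ vars.GLOBAL_GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: github-commit-status-reader@prod-docs-403900.iam.gserviceaccount.com

      - name: Generate GitHub App token
        id: generate_token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: 260767 # Yubico Commit Status Reader
          owner: Yubico
          repositories: docs-gitops
          private-key: ${{ secrets.GH_APP_YUBICO_COMMIT_STATUS_READER_PRIVATE_KEY }}

      - name: Wait for deployment to complete
        run: ./.github/scripts/wait-for-commit-status.sh
        env:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
          ORG: yubico
          REPO: docs-gitops
          REF: ${{ inputs.gitops-branch }}
          KUSTOMIZATION_NAME: docs

      # Secrets are passed through `env:` rather than interpolated into the
      # script, so they never become part of the shell source text.
      # `--fail` makes a rejected purge (non-2xx) fail the job instead of
      # silently reporting success.
      - name: Purge Fastly cache
        env:
          FASTLY_API_KEY: ${{ secrets.FASTLY_API_KEY }}
          FASTLY_SERVICE_ID: ${{ secrets.FASTLY_SERVICE_ID }}
        run: >-
          curl
          --fail --silent --show-error
          -X POST
          -H "Accept: application/json"
          -H "Fastly-Key: $FASTLY_API_KEY"
          "https://api.fastly.com/service/$FASTLY_SERVICE_ID/purge_all"

      - name: Wait 30 seconds for Fastly cache to purge
        run: sleep 30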