-
-
Notifications
You must be signed in to change notification settings - Fork 10
142 lines (135 loc) · 5.92 KB
/
Copy pathdeploy_qa.yml
File metadata and controls
142 lines (135 loc) · 5.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
name: "Deploy Update to QA Server"
on:
workflow_dispatch:
inputs:
confirm_qa_deploy:
description: "Type QA to confirm QA deployment"
required: true
default: ""
push:
branches: [master]
concurrency:
cancel-in-progress: true
group: ${{ github.workflow }}-${{ github.ref }}
permissions:
contents: read
jobs:
build:
strategy:
matrix:
component: [frontend, backend, maintenance, database]
runs-on: ubuntu-latest
outputs:
image_tag: ${{ steps.build_combine.outputs.image_tag }}
steps:
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
# configuring harden-runner and identifying allowed endpoints.
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
*.actions.githubusercontent.com:443
*.cloudfront.net:443
*.data.mcr.microsoft.com:443
${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com
api.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
api.github.com:443
api.nuget.org:443
archive.ubuntu.com:80
auth.docker.io:443
dc.services.visualstudio.com:443
deb.debian.org:80
docker.io:443
files.pythonhosted.org:443
github.com:443
mcr.microsoft.com:443
production.cloudflare.docker.com:443
production.cloudfront.docker.com:443
public.ecr.aws:443
pypi.org:443
registry-1.docker.io:443
registry.npmjs.org:443
security.debian.org:80
security.ubuntu.com:80
storage.googleapis.com:443
sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
- name: Build The Combine
id: build_combine
uses: ./.github/actions/combine-build
with:
image_registry: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws_default_region: ${{ secrets.AWS_DEFAULT_REGION }}
build_component: ${{ matrix.component }}
clean_ecr_repo:
needs: build
runs-on: ubuntu-latest
steps:
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
# configuring harden-runner and identifying allowed endpoints.
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
*.actions.githubusercontent.com:443
api.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
github.com:443
sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@254c19bd240aabef8777f48595e9d2d7b972184b # v6.2.1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: Remove old AWS ECR images
# Remove all images for previous version numbers.
# Example: for tag beginning with v1.2.5-, remove all images with tag v1.2.4-*
# Example: for tag beginning with v2.4.0-, remove all images with tag v2.3.*
run: |
TAG=${{ needs.build.outputs.image_tag }}
if [[ $TAG =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)-.* ]]; then
VA=${BASH_REMATCH[1]}; VB=${BASH_REMATCH[2]}; VC=${BASH_REMATCH[3]}
if [[ $VC > 0 ]]; then REM="v${VA}\.${VB}\.$((VC - 1))-.*"
elif [[ $VB > 0 ]]; then REM="v${VA}\.$((VB - 1))\..*"
else REM="v$((VA - 1))\..*"; fi
scripts/clean_aws_repo.py combine_frontend combine_backend combine_maint combine_database --remove "${REM}" --verbose
fi
deploy_update:
needs: build
if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.confirm_qa_deploy == 'QA')
runs-on: [self-hosted, thecombine]
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Deploy The Combine Update
uses: ./.github/actions/combine-deploy-update
with:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_account: ${{ secrets.AWS_ACCOUNT }}
aws_default_region: ${{ secrets.AWS_DEFAULT_REGION }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
combine_captcha_secret_key: ${{ secrets.COMBINE_CAPTCHA_SECRET_KEY }}
combine_jwt_secret_key: ${{ secrets.COMBINE_JWT_SECRET_KEY }}
combine_smtp_password: ${{ secrets.COMBINE_SMTP_PASSWORD }}
combine_smtp_username: ${{ secrets.COMBINE_SMTP_USERNAME }}
helm_version: ${{ vars.HELM_VERSION }}
image_registry: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com
image_tag: ${{ needs.build.outputs.image_tag }}
kube_context: ${{ secrets.LTOPS_K8S_STAGING_CONTEXT }}
kubectl_version: ${{ vars.KUBECTL_VERSION }}
target: qa