Use secrets from 1Password in Kubernetes #211
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker | |
| on: | |
| push: | |
| # Publish `develop` as Docker `latest` image. | |
| branches: | |
| - develop | |
| # Publish `v1.2.3` tags as releases. | |
| tags: | |
| - v* | |
| # Run tests for any PRs. | |
| pull_request: | |
| env: | |
| # TODO: Change variable to your image's name. | |
| IMAGE_NAME: baby-botto | |
| jobs: | |
| # Run tests. | |
| # See also https://docs.docker.com/docker-hub/builds/automated-testing/ | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Load docker image from cache | |
| id: cache-docker | |
| uses: actions/cache@v3 | |
| with: | |
| path: /tmp/docker-save | |
| key: docker-save-motto-${{ hashFiles('Dockerfile') }} | |
| - name: Load cached image into Docker | |
| run: docker load -i /tmp/docker-save/snapshot.tar || true | |
| if: steps.cache-docker.outputs.cache-hit == 'true' | |
| - name: Run tests | |
| run: | | |
| if [ -f docker-compose.test.yml ]; then | |
| docker-compose --file docker-compose.test.yml build | |
| docker-compose --file docker-compose.test.yml run sut | |
| else | |
| docker build . -t $IMAGE_NAME --cache-from=baby-botto-cache | |
| fi | |
| - name: Save cache of Docker image | |
| run: > | |
| docker tag baby-botto baby-botto-cache && | |
| mkdir -p /tmp/docker-save && | |
| docker save baby-botto-cache -o /tmp/docker-save/snapshot.tar && | |
| ls -lh /tmp/docker-save || true | |
| if: always() && steps.cache-docker.outputs.cache-hit != 'true' | |
| # Push image to GitHub Packages. | |
| # See also https://docs.docker.com/docker-hub/builds/ | |
| push: | |
| # Ensure test job passes before pushing image. | |
| needs: test | |
| concurrency: Baby | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' || github.event_name == 'workflow_run' | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Load docker image from cache | |
| id: cache-docker | |
| uses: actions/cache@v3 | |
| with: | |
| path: /tmp/docker-save | |
| key: docker-save-motto-${{ hashFiles('Dockerfile') }} | |
| - name: Load cached image into Docker | |
| run: docker load -i /tmp/docker-save/snapshot.tar || true | |
| if: steps.cache-docker.outputs.cache-hit == 'true' | |
| - name: Build image | |
| run: docker build . --file Dockerfile --tag $IMAGE_NAME --cache-from=baby-botto-cache | |
| - name: Log into registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
| - name: Push image | |
| run: | | |
| IMAGE_ID=ghcr.io/Lovely-Development-Team/$IMAGE_NAME | |
| # Change all uppercase to lowercase | |
| IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]') | |
| # Strip git ref prefix from version | |
| VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
| # Strip "v" prefix from tag name | |
| [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
| # Use Docker `latest` tag convention | |
| [ "$VERSION" == "develop" ] && VERSION=latest | |
| echo IMAGE_ID=$IMAGE_ID | |
| echo VERSION=$VERSION | |
| docker tag $IMAGE_NAME $IMAGE_ID:$VERSION | |
| docker push $IMAGE_ID:$VERSION | |
| deploy: | |
| # Ensure test job passes before pushing image. | |
| needs: push | |
| environment: Baby | |
| concurrency: Baby | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' || github.event_name == 'workflow_run' | |
| permissions: | |
| contents: read | |
| packages: read | |
| steps: | |
| - name: Set the Kubernetes context | |
| uses: azure/k8s-set-context@v3 | |
| with: | |
| method: service-account | |
| k8s-url: https://ef264a96-6984-4745-9cd8-dba4192ae195.us-east-1.linodelke.net:443 | |
| k8s-secret: ${{ secrets.DISCORD_BOTS_KUBERNETES_SECRET }} | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set env | |
| run: echo "RELEASE_VERSION=`git describe --tags`" >> $GITHUB_ENV | |
| continue-on-error: true | |
| - name: Substitute env into templates | |
| run: | | |
| cat kubernetes/babybotto-config.tpl.yaml | envsubst > kubernetes/babybotto-config.yaml && | |
| cat kubernetes/deployment.tpl.yaml | envsubst > kubernetes/deployment.yaml | |
| env: | |
| MOTTOBOTTO_CHANNELS: ${{ secrets.CHANNELS }} | |
| MOTTOBOTTO_TRIGGERS: ${{ vars.TRIGGERS }} | |
| MOTTOBOTTO_ALLOW_RANDOM_IN_SERVER: ${{ vars.ALLOW_RANDOM_IN_SERVER }} | |
| MOTTOBOTTO_MINIMUM_RANDOM_INTERVAL_MINUTES: ${{ vars.MINIMUM_RANDOM_INTERVAL_MINUTES }} | |
| MOTTOBOTTO_MINIMUM_RANDOM_INTERVAL_MINUTES_PER_USER: ${{ vars.MINIMUM_RANDOM_INTERVAL_MINUTES_PER_USER }} | |
| MOTTOBOTTO_WAVE_ON_TAG: ${{ vars.WAVE_ON_TAG }} | |
| MOTTOBOTTO_RANDOM_MOTTO_SOURCE_VIEW: ${{ vars.RANDOM_MOTTO_SOURCE_VIEW }} | |
| MOTTOBOTTO_MAINTAINER_IDS: ${{ vars.MAINTAINER_IDS }} | |
| AIRTABLE_BASE: ${{ vars.AIRTABLE_BASE }} | |
| MOTTOBOTTO_VERSION: ${{ env.RELEASE_VERSION }} | |
| IMAGE_NAME: ${{ env.IMAGE_NAME }} | |
| - name: Deploy to the Kubernetes cluster | |
| uses: azure/k8s-deploy@v4 | |
| with: | |
| namespace: discord-bots | |
| manifests: | | |
| kubernetes/babybotto-config.yaml | |
| kubernetes/deployment.yaml | |
| images: | | |
| ghcr.io/lovely-development-team/${{ env.IMAGE_NAME }}:latest |