

ref(workflows): align workflows with zfnd standards (#42)
* ref(workflows): align workflows with `zfnd` standards

* imp(workflows): only build and push images when a PR is ready for review
gustavovalverde authored Jul 29, 2024
1 parent 2dbab2b commit 548a624
Showing 8 changed files with 98 additions and 42 deletions.
23 changes: 20 additions & 3 deletions .github/workflows/cd-deploy-to-dev.yml
Expand Up @@ -2,10 +2,10 @@ name: Deploy to dev

on:
pull_request:
types: [opened, synchronize, reopened, labeled]
types: [ready_for_review, synchronize]
paths:
- coredns/Corefile
- docker/Dockerfile
- '**/Corefile'
- '**/Dockerfile'
- .github/workflows/cd-deploy-to-dev.yml
- .github/workflows/sub-cloudrun-deploy.yml

Expand All @@ -16,13 +16,30 @@ concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

permissions:
actions: read
attestations: read
checks: read
contents: read
deployments: read
id-token: write
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: read
statuses: read

jobs:
# TODO: Add a job to run unit tests
# test:
# uses: ./.github/workflows/sub-unit-tests.yml

build:
uses: ./.github/workflows/sub-build-docker-image.yml
if: ${{ !github.event.pull_request.draft }}
with:
environment: dev
dockerfile_path: ./docker/Dockerfile
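Review bot: Dropping `opened` from the `pull_request` types at the top of the section means a PR that is opened directly as non-draft never gets a dev build until its next push, because `ready_for_review` only fires on the draft-to-ready transition. The `if: ${{ !github.event.pull_request.draft }}` guard on the build job already filters drafts, so the trigger can safely be `types: [opened, ready_for_review, synchronize]`. Separately, the new workflow-level block grants `id-token: write` — the credential `vars.GCP_WIF` exchanges for a GCP service account — to every job plus a dozen read scopes nothing visible uses; the shape `chore-clean-dev.yml` adopts in this same commit (workflow `permissions: read-all`, job-level `id-token: write`) is the least-privilege form to copy here. The `build` job's `with:` block continues past the end of the section.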
23 changes: 17 additions & 6 deletions .github/workflows/cd-deploy-to-prod.yml
Expand Up @@ -12,12 +12,23 @@ concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

jobs:
# TODO: Add a job to run unit tests
# test:
# uses: ./.github/workflows/sub-unit-tests.yml

permissions:
actions: read
attestations: read
checks: read
contents: read
deployments: read
id-token: write
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: read
statuses: read

jobs:
build:
# needs: [test]
uses: ./.github/workflows/sub-build-docker-image.yml
Expand All @@ -40,7 +51,7 @@ jobs:
registry: ${{ vars.GAR_BASE }}
image_digest: ${{ needs.build.outputs.image_digest }}
min_instances: '1'
max_instances: '100'
max_instances: '10'
cpu: '1'
memory: 1Gi
secrets: inherit
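Review bot: The workflow-level `permissions` block hands `id-token: write` to every job in the production workflow, together with read scopes (`attestations`, `discussions`, `pages`, `repository-projects`, `security-events`, …) that nothing in the visible jobs consumes. Reusable-workflow call jobs accept their own `permissions` key, and a called workflow can only narrow what its caller grants, so the OIDC grant belongs on the `build` job and the deploy job (whose header sits above the second hunk) with the workflow default reduced to `contents: read`; this is the same job-level pattern `chore-clean-dev.yml` takes in this commit. The `max_instances` reduction to `'10'` is a sensible cost/abuse cap, though a one-line comment on why 10 was chosen for prod would help the next reader.
```yaml
permissions:
  contents: read

jobs:
  build:
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/sub-build-docker-image.yml
    # … unchanged: with/secrets …
```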
22 changes: 19 additions & 3 deletions .github/workflows/cd-deploy-to-test.yml
Expand Up @@ -3,10 +3,10 @@ name: Deploy to test
on:
push:
branches:
- master
- main
paths:
- coredns/Corefile
- docker/Dockerfile
- '**/Corefile'
- '**/Dockerfile'
- .github/workflows/cd-deploy-to-test.yml
- .github/workflows/sub-cloudrun-deploy.yml

Expand All @@ -17,6 +17,22 @@ concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

permissions:
actions: read
attestations: read
checks: read
contents: read
deployments: read
id-token: write
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: read
statuses: read

jobs:
# TODO: Add a job to run unit tests
# test:
16 changes: 9 additions & 7 deletions .github/workflows/chore-clean-dev.yml
Expand Up @@ -4,30 +4,32 @@ on:
delete:
pull_request:
branches:
- master
- main
types:
- closed

permissions: read-all

jobs:
delete:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
contents: 'read'
id-token: 'write'
steps:
- name: Inject slug/short variables
uses: rlespinasse/[email protected]

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/[email protected].2
uses: google-github-actions/[email protected].3
with:
workload_identity_provider: '${{ vars.GCP_WIF }}'
service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
project_id: '${{ vars.GCP_PROJECT }}'

- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1.1.1
uses: google-github-actions/setup-gcloud@v2.1.0

- name: Removing CR service
run: |
gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GOOGLE_CLOUD_REGION }} --quiet
gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GCP_REGION }} --quiet
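Review bot: The `delete` trigger fires for tag deletions as well as branch deletions, and the final step then runs `gcloud run services delete` against `${APP_NAME}-<slug of the deleted ref>`; since `sub-cloudrun-deploy.yml` names services `app_name-<version>` whenever a version output exists, deleting a release tag could plausibly target a prod or test service rather than a PR preview — verify against the `versioning` job, which is outside this commit. Guarding the job with `if: github.event_name == 'pull_request' || github.event.ref_type == 'branch'` limits the delete to branch-derived preview services. The job-level `contents: 'read'` / `id-token: 'write'` under a workflow-level `read-all` is the right least-privilege shape, and the service name is derived from a slug, so no raw branch text reaches the shell.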
6 changes: 4 additions & 2 deletions .github/workflows/ci-lint-codebase.patch.yml
Expand Up @@ -4,10 +4,12 @@ on:
pull_request:
branches: [main]
paths-ignore:
- coredns/Corefile
- docker/Dockerfile
- '**/Corefile'
- '**/Dockerfile'
- .github/workflows/ci-lint-codebase.yml

permissions: read-all

jobs:
linter:
runs-on: ubuntu-latest
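Review bot: The `paths-ignore` entry `.github/workflows/ci-lint-codebase.yml` does not match the real lint workflow's filename, which this same commit shows as `ci-lint-codebase.yaml`; the lint workflow's own `paths` filters carry the same `.yml` spelling. If this file is the no-op counterpart used to satisfy a required `linter` check (it mirrors the other workflow's filters, so that seems to be its purpose), a change to the linter configuration runs this placeholder instead of the linter and passes the check unexamined. Change the entry to `- .github/workflows/ci-lint-codebase.yaml` and fix the matching entries in the lint workflow.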
19 changes: 9 additions & 10 deletions .github/workflows/ci-lint-codebase.yaml
Expand Up @@ -4,18 +4,15 @@ on:
pull_request:
branches: [main]
paths:
- '**.js*'
- '**.ts*'
- Dockerfile
- package.json
- pnpm-lock.yaml
- '**/Corefile'
- '**/Dockerfile'
- .github/workflows/ci-lint-codebase.yml

push:
branches: [main]
paths:
- coredns/Corefile
- docker/Dockerfile
- '**/Corefile'
- '**/Dockerfile'
- .github/workflows/ci-lint-codebase.yml

concurrency:
Expand All @@ -25,6 +22,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

permissions: read-all

jobs:
linter:
runs-on: ubuntu-latest
Expand All @@ -37,7 +36,7 @@ jobs:
fetch-depth: 0

- name: Lint Code Base
uses: super-linter/super-linter/slim@v5.2.1
uses: super-linter/super-linter/slim@v6.7.0
env:
LOG_LEVEL: ERROR
VALIDATE_ALL_CODEBASE: false
Expand All @@ -46,9 +45,9 @@ jobs:
VALIDATE_CSS: false
VALIDATE_EDITORCONFIG: false
VALIDATE_MARKDOWN: false
VALIDATE_JAVASCRIPT_ES: false
VALIDATE_JAVASCRIPT_STANDARD: false
VALIDATE_DOCKERFILE_HADOLINT: false
LINTER_RULES_PATH: /
JAVASCRIPT_DEFAULT_STYLE: prettier
TYPESCRIPT_DEFAULT_STYLE: prettier
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
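Review bot: `VALIDATE_DOCKERFILE_HADOLINT: false` is introduced in the last hunk while the workflow's `paths` triggers are narrowed to exactly `**/Corefile` and `**/Dockerfile`, so the Dockerfile changes that start this run are never linted, and super-linter has no validator for Corefile — it is not obvious what this run still checks beyond YAML and Actions config. If hadolint is off because specific rules fire, keep it enabled and silence those rules in a `.hadolint.yaml` at the repository root, which `LINTER_RULES_PATH` already points at. The `paths` entries also name `.github/workflows/ci-lint-codebase.yml` although this file is `ci-lint-codebase.yaml`, so edits to the linter configuration itself do not re-run it; the entry should be `- .github/workflows/ci-lint-codebase.yaml`.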
12 changes: 7 additions & 5 deletions .github/workflows/sub-build-docker-image.yml
Expand Up @@ -23,6 +23,8 @@ on:
description: The image digest to be used on a caller workflow
value: ${{ jobs.build.outputs.image_digest }}

permissions: read-all

jobs:
build:
name: Build images
Expand All @@ -46,7 +48,7 @@ jobs:
# Automatic tag management and OCI Image Format Specification for labels
- name: Docker meta
id: meta
uses: docker/[email protected].0
uses: docker/[email protected].1
with:
# list of Docker images to use as base name for tags
images: |
Expand All @@ -68,11 +70,11 @@ jobs:
# Setup Docker Buildx to allow use of docker cache layers from GH
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3.0.0
uses: docker/setup-buildx-action@v3.4.0

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/[email protected].2
uses: google-github-actions/[email protected].3
with:
workload_identity_provider: '${{ vars.GCP_WIF }}'
service_account: '${{ vars.GCP_ARTIFACTS_SA }}'
Expand All @@ -83,7 +85,7 @@ jobs:
access_token_lifetime: 10800s

- name: Login to Google Artifact Registry
uses: docker/login-action@v3.0.0
uses: docker/login-action@v3.2.0
with:
registry: us-docker.pkg.dev
username: oauth2accesstoken
Expand All @@ -92,7 +94,7 @@ jobs:
# Build and push image to Google Artifact Registry, and possibly DockerHub
- name: Build & push
id: docker_build
uses: docker/build-push-action@v5.1.0
uses: docker/build-push-action@v6.3.0
with:
target: ${{ inputs.dockerfile_target }}
context: .
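Review bot: Every action in this section is bumped to a mutable version tag (`docker/build-push-action@v6.3.0`, `google-github-actions/[email protected]`, `docker/login-action@v3.2.0`, …) rather than a full-length commit SHA; for a workflow that mints OIDC tokens and pushes to the image registry a re-pointed tag is a direct supply-chain path, so pin each `uses:` to its SHA with the version in a trailing comment, e.g. `uses: docker/login-action@<40-char sha> # v3.2.0`, and let Dependabot track the tags. The new workflow-level `permissions: read-all` also sits uneasily with the `auth` step, which needs `id-token: write`; unless the `build` job (its header is cut off above) sets that at job level as `chore-clean-dev.yml` does, token minting fails — confirm. The unchanged `access_token_lifetime: 10800s` keeps a registry-push credential valid for three hours in a job that should finish in minutes; a value such as `1800s` bounds the window a leaked token is useful.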
19 changes: 13 additions & 6 deletions .github/workflows/sub-cloudrun-deploy.yml
Expand Up @@ -14,7 +14,7 @@ on:
type: string
description: The image digest to deploy
project_id:
required: true
required: false
type: string
description: The project to deploy to
region:
Expand Down Expand Up @@ -42,6 +42,8 @@ on:
type: string
description: The amount of memory to use for the service

permissions: read-all

jobs:
versioning:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -75,19 +77,23 @@ jobs:
- name: Inject slug/short variables
uses: rlespinasse/[email protected]

- uses: actions/[email protected]
with:
persist-credentials: false

- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/[email protected].2
uses: google-github-actions/[email protected].3
with:
workload_identity_provider: '${{ vars.GCP_WIF }}'
service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}'
project_id: '${{ vars.GCP_PROJECT }}'

- name: Set up Cloud SDK
uses: google-github-actions/[email protected]

- name: Deploy to cloud run
id: deploy
uses: google-github-actions/deploy-cloudrun@v2.2.0
uses: google-github-actions/deploy-cloudrun@v2.6.0
with:
service: ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }}
image: ${{ inputs.registry }}/${{ inputs.app_name }}@${{ inputs.image_digest }}
Expand All @@ -101,10 +107,11 @@ jobs:
--cpu=${{ inputs.cpu }}
--memory=${{ inputs.memory }}
--port=53
--network=projects/zfnd-dev-net-spoke-0/global/networks/dev-spoke-0
--subnet=projects/zfnd-dev-net-spoke-0/regions/us-east1/subnetworks/dev-default-ue1
--network=${{ vars.GCP_NETWORK }}
--subnet=${{ vars.GCP_SUBNETWORK }}
- name: Allow unauthenticated calls to the service
if: ${{ inputs.environment != 'prod' }}
run: |
gcloud run services add-iam-policy-binding ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} \
--region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet
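Review bot: `project_id` becomes an optional input at the top of the section but no default is added, while the `auth` step resolves its project from `vars.GCP_PROJECT`; if the deploy step, which continues past this section, still passes `inputs.project_id`, an omitted input yields an empty string rather than the repository variable. Either give the input `default: ''` and consume it as `${{ inputs.project_id || vars.GCP_PROJECT }}`, or remove the input now that the variable is the source of truth. The `persist-credentials: false` on the new checkout step is the right call for a job that never pushes. Note also that the unchanged `add-iam-policy-binding … --member=allUsers` step makes every non-prod service, including per-PR previews, publicly invokable; if that is intended for this DNS-serving image, a comment such as `# non-prod services are intentionally public; prod invoker access is granted elsewhere` would stop the next reviewer from flagging it.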
