
Merge pull request #67 from spacelift-io/main #35




name: Prod deployment

# Only pushes to the `production` branch start a release. The jobs below also
# re-check `github.ref` per step, so the same guard applies even if another
# trigger is added here later.
on:
  push:
    branches:
      - production
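jobs:
  # Job 1: build, sign and verify the agent binary inside the Go container, then
  # hand it to the publish job as a short-lived artifact.
  prod-agent-deployment:
    name: Build and upload agent
    runs-on: ubuntu-latest
    # Exposed so the publish job can close out the same GitHub deployment record.
    outputs:
      deployment_id: ${{ steps.deployment.outputs.deployment_id }}
    # NOTE(review): floating minor tag; pin to a digest (golang:1.20@sha256:<DIGEST_PLACEHOLDER>)
    # if reproducible builds are a goal.
    container: golang:1.20
    env:
      BASE_NAME: spacelift-vcs-agent
      BIN_DIR: build
    permissions:
      # NOTE(review): no visible step in this job requests an OIDC token. If
      # scripts/sign.sh and scripts/verify.sh do not either, `id-token: write`
      # can be dropped for least privilege.
      id-token: write
      contents: read
      deployments: write
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4

      # Duct tape over the git version in the Go image complaining about the
      # workspace ownership since one of the 1.19.x versions. Feel free to
      # remove once it doesn't break the build anymore. See
      # https://github.com/actions/runner/issues/2033 and
      # https://github.com/actions/checkout/issues/760#issuecomment-1097797031
      - name: Mark source directory as safe
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Create GitHub deployment
        id: deployment
        if: github.ref == 'refs/heads/production'
        # NOTE(review): `releases/v1` is a mutable branch ref; pin to a tag or
        # commit SHA so the action cannot change underneath this workflow.
        uses: chrnorm/deployment-action@releases/v1
        with:
          token: "${{ github.token }}"
          target_url: https://downloads.spacelift.io/spacelift-vcs-agent
          environment: prod/vcs-agent

      - name: parse short SHA
        id: vars
        # `::set-output` is deprecated and disabled on current runners; step
        # outputs must be appended to the $GITHUB_OUTPUT file instead.
        run: echo "sha=$(git rev-parse --short=8 "$GITHUB_SHA")" >> "$GITHUB_OUTPUT"

      - name: Build Spacelift VCS Agent
        env:
          BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }}
          CGO_ENABLED: 0
          SHORT_SHA: ${{ steps.vars.outputs.sha }}
        # Static, stripped binary. The short SHA and the Bugsnag key are baked
        # into the binary through -X, so the key ends up in the shipped artifact
        # by design.
        run: >-
          go build -a -tags netgo -trimpath
          -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY"
          -o "$BIN_DIR/$BASE_NAME" ./cmd/spacelift-vcs-agent

      # NOTE(review): no visible step in this job calls `aws`; it is presumably
      # used by scripts/sign.sh or scripts/verify.sh - confirm before removing.
      - name: Install dependencies
        run: |
          apt-get update -y
          apt-get install -y awscli zip

      - name: Import the PGP key
        env:
          GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        # Stream the decoded key straight into gpg so the private key is never
        # written to the workspace. `shell: bash` enables pipefail, so a failed
        # base64 decode fails the step instead of importing nothing silently.
        shell: bash
        run: |
          printf '%s' "$GPG_KEY_BASE64" | base64 -d |
            gpg --import \
              --passphrase="$GPG_PASSPHRASE" \
              --pinentry-mode=loopback

      # Signing and verification are delegated to in-repo scripts; both key off
      # SHORT_SHA so the signature/checksum file names match the build.
      - name: Sign Spacelift VCS Agent Binary
        env:
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          SHORT_SHA: ${{ steps.vars.outputs.sha }}
        run: ./scripts/sign.sh "$BIN_DIR" "$BASE_NAME"

      - name: Verify Checksum Spacelift VCS Agent Binary
        env:
          SHORT_SHA: ${{ steps.vars.outputs.sha }}
        run: ./scripts/verify.sh "$BIN_DIR" "$BASE_NAME"

      # v3 of the artifact actions is deprecated and rejected by GitHub; v4 is
      # used for both upload and download since they are not cross-compatible.
      - name: Upload the VCS Agent binary
        uses: actions/upload-artifact@v4
        with:
          name: vcs-agent-binary
          path: build/
          retention-days: 1

      - name: Update deployment status (failure)
        if: failure() && github.ref == 'refs/heads/production'
        uses: chrnorm/deployment-status@releases/v1
        with:
          token: "${{ github.token }}"
          target_url: https://downloads.spacelift.io/spacelift-vcs-agent
          state: "failure"
          deployment_id: ${{ steps.deployment.outputs.deployment_id }}

  # Job 2: publish the signed binary to S3/CloudFront and the container image to
  # public ECR, then resolve the GitHub deployment created in job 1.
  publish-prod-agent-deployment:
    name: Upload VCS agent binary and container image
    needs:
      - prod-agent-deployment
    runs-on: ubuntu-latest
    env:
      BIN_DIR: build
    permissions:
      # id-token: write is required here for the AWS OIDC role assumption below.
      id-token: write
      contents: read
      deployments: write
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4

      - name: Download the VCS Agent binary
        uses: actions/download-artifact@v4
        with:
          name: vcs-agent-binary
          path: ./build

      - name: Configure AWS credentials
        if: github.ref == 'refs/heads/production'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: eu-west-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          # Shortest session the role allows; the job only needs a few calls.
          role-duration-seconds: 900

      # Secrets are handed to the shell through `env` rather than interpolated
      # into the `run` text, so their values are never part of the command
      # string the runner composes.
      - name: Upload the VCS Agent binary to downloads.spacelift.io
        if: github.ref == 'refs/heads/production'
        env:
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
        run: aws s3 sync "$BIN_DIR" "s3://$AWS_S3_BUCKET/" --no-progress

      - name: Invalidate downloads.spacelift.io cache
        if: github.ref == 'refs/heads/production'
        env:
          DISTRIBUTION_ID: ${{ secrets.DISTRIBUTION }}
        run: aws cloudfront create-invalidation --distribution-id "$DISTRIBUTION_ID" --paths "/*"

      - name: Log in to Amazon public ECR
        if: github.ref == 'refs/heads/production'
        # Public ECR auth is only served from us-east-1 regardless of aws-region.
        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

      # This will be needed in the future for adding multi architecture build support
      # - name: Set up QEMU
      #   uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and push the image
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64
          # The image is still built on non-production refs; only the push is gated.
          push: ${{ github.ref == 'refs/heads/production' }}
          # NOTE(review): only a moving `:latest` tag is published; an additional
          # immutable tag (e.g. the short SHA) would make rollbacks traceable.
          tags: |
            ${{ secrets.PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest

      - name: Update deployment status (success)
        if: success() && github.ref == 'refs/heads/production'
        uses: chrnorm/deployment-status@releases/v1
        with:
          token: "${{ github.token }}"
          target_url: https://downloads.spacelift.io/spacelift-vcs-agent
          state: "success"
          deployment_id: ${{ needs.prod-agent-deployment.outputs.deployment_id }}

      - name: Update deployment status (failure)
        if: failure() && github.ref == 'refs/heads/production'
        uses: chrnorm/deployment-status@releases/v1
        with:
          token: "${{ github.token }}"
          target_url: https://downloads.spacelift.io/spacelift-vcs-agent
          state: "failure"
          deployment_id: ${{ needs.prod-agent-deployment.outputs.deployment_id }}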