Main Deployment Run #91 (via @jeffwecan) #91

Workflow file for this run

	name: Main Deployment Workflow
	run-name: "Main Deployment Run #${{ github.run_number }} (via @${{ github.actor }})"

	concurrency:
	group: "deploy"
	cancel-in-progress: false

	on:
	push:
	branches: [main]
	workflow_dispatch: {}

	# jscpd:ignore-start
	jobs:
	build_images:
	name: Build Images
	uses: ./.github/workflows/image_build_and_publish.yml

	deploy-infra-and-services:
	name: Deploy Infrastructure & Services
	runs-on: ubuntu-latest
	needs: [build_images]
	environment:
	name: production
	url: "https://card.losverd.es"
	# TODO: maybe don't have a static URL here? I.e.:
	# url: ${{ steps.build-and-publish.outputs.site_url }}
	permissions:
	contents: "read"
	id-token: "write"
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup just
	uses: taiki-e/install-action@v2
	with:
	tool: just

	- name: Utilize .terraform cache
	uses: actions/cache@v4
	with:
	path: terraform/.terraform
	key: ${{ hashFiles('terraform/.terraform.lock.hcl') }}

	- name: Read .terraform-version
	id: read_tf_version
	run: just set-tf-ver-output

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@v3
	with:
	terraform_version: ${{ steps.read_tf_version.outputs.terraform_version }}
	terraform_wrapper: false

	- name: Authenticate to Google Cloud
	uses: google-github-actions/auth@v2
	id: auth
	with:
	workload_identity_provider: "projects/567739286055/locations/global/workloadIdentityPools/los-verdes-digital-membership/providers/los-verdes-digital-membership"
	service_account: "github-deployer@lv-digital-membership.iam.gserviceaccount.com"
	access_token_scopes: "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/sqlservice.admin"
	token_format: access_token
	access_token_lifetime: 1800s

	- name: Plan
	run: \|
	just tf init
	just tf plan
	env:
	TF_VAR_website_image: "gcr.io/lv-digital-membership/website:sha-${{ needs.build_images.outputs.short_sha_tag }}"
	TF_VAR_worker_image: "gcr.io/lv-digital-membership/worker:sha-${{ needs.build_images.outputs.short_sha_tag }}"
	TF_VAR_management_sql_user_password: ${{ secrets.management_sql_user_password }}

	- name: Apply
	run: just tf apply -auto-approve
	env:
	TF_VAR_website_image: "gcr.io/lv-digital-membership/website:sha-${{ needs.build_images.outputs.short_sha_tag }}"
	TF_VAR_worker_image: "gcr.io/lv-digital-membership/worker:sha-${{ needs.build_images.outputs.short_sha_tag }}"
	TF_VAR_management_sql_user_password: ${{ secrets.management_sql_user_password }}

	upload-statics-to-gcs:
	name: Upload Statics to GCS
	needs: deploy-infra-and-services
	permissions:
	contents: "read"
	id-token: "write"
	uses: los-verdes/digital-membership/.github/workflows/just_cloudbuild.yml@main
	with:
	# TODO: add a CloudFlare cache purge somewhere 'round here....
	command: cloudbuild-upload-statics

	apply-database-config:
	name: Apply Database Configuration
	runs-on: ubuntu-latest
	needs: deploy-infra-and-services
	permissions:
	contents: "read"
	id-token: "write"
	outputs:
	management_sql_user_name: ${{ steps.just-configure-database.outputs.management_sql_user_name }}
	management_sql_user_password: ${{ steps.just-configure-database.outputs.management_sql_user_password }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup just
	uses: taiki-e/install-action@v2
	with:
	tool: just

	- name: Utilize .terraform cache
	uses: actions/cache@v4
	with:
	path: terraform/.terraform
	key: ${{ hashFiles('terraform/.terraform.lock.hcl') }}

	- name: Read .terraform-version
	id: read_tf_version
	run: just set-tf-ver-output

	- name: Setup Terraform
	uses: hashicorp/setup-terraform@v3
	with:
	terraform_version: ${{ steps.read_tf_version.outputs.terraform_version }}
	terraform_wrapper: false

	- name: Authenticate to Google Cloud
	uses: google-github-actions/auth@v2
	id: auth
	with:
	workload_identity_provider: "projects/567739286055/locations/global/workloadIdentityPools/los-verdes-digital-membership/providers/los-verdes-digital-membership"
	service_account: "github-deployer@lv-digital-membership.iam.gserviceaccount.com"
	access_token_scopes: "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/sqlservice.admin"
	token_format: access_token
	access_token_lifetime: 1800s

	- name: Create Google application creds secret
	id: google-app-creds
	run: \|
	creds="$(cat '${{ env.GOOGLE_APPLICATION_CREDENTIALS }}')"
	echo "::add-mask::$creds"
	echo "creds=$creds" \| tee --append "$GITHUB_OUTPUT"

	- name: Start Google Cloud SQL Proxy
	uses: mattes/gce-cloudsql-proxy-action@v1
	with:
	creds: ${{ steps.google-app-creds.outputs.creds }}
	# TODO: load instance from TF outputs...
	instance: lv-digital-membership:us-central1:lv-digital-membership-6b6a7153

	- name: Configure Database ACLs
	id: just-configure-database
	run: just configure-database

	- name: TMP print sql username
	run: echo ${{ steps.just-configure-database.outputs.management_sql_user_name }}

	apply-database-migrations:
	name: Apple Database Migrations
	needs: apply-database-config
	permissions:
	contents: "read"
	id-token: "write"
	uses: los-verdes/digital-membership/.github/workflows/flask_command.yml@main
	with:
	command: apply-migrations
	flask_env: "remote-sql"
	management_sql_user_name: ${{ needs.apply-database-config.outputs.management_sql_user_name }}
	secrets:
	management_sql_user_password: ${{ secrets.management_sql_user_password }}
	# jscpd:ignore-end

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Main Deployment Run #91 (via @jeffwecan) #91

Workflow file

Main Deployment Run #91 (via @jeffwecan) #91

Jobs

Run details

Workflow file for this run