Merge pull request #1942 from vdice/ci/check-prerelease #295
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy Spin Docs Website | |
| on: | |
| push: | |
| paths: | |
| - docs/** | |
| branches: | |
| - 'main' | |
| workflow_dispatch: | |
| inputs: | |
| ref: | |
| description: 'Git ref to deploy from (refs/tags/v* for tag)' | |
| default: 'refs/heads/main' | |
| commit: | |
| description: 'Commit SHA to deploy from (optional)' | |
| environment: | |
| type: choice | |
| description: 'Environment to deploy to (Default: canary)' | |
| options: | |
| - canary | |
| - prod | |
| # Construct a concurrency group to be shared across workflow runs. | |
| # The default behavior ensures that only one is running at a time, with | |
| # all others queuing and thus not interrupting runs that are in-flight. | |
| concurrency: ${{ github.workflow }} | |
| permissions: | |
| contents: read | |
| id-token: write # Allow the workflow to create a JWT for AWS auth | |
| env: | |
| JOB: spin-docs | |
| jobs: | |
| echo-inputs: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| steps: | |
| - name: Echo Inputs | |
| run: | | |
| echo ref: ${{ github.event.inputs.ref }} | |
| echo commit: ${{ github.event.inputs.commit }} | |
| echo environment: ${{ github.event.inputs.environment }} | |
| deploy: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.repository_owner == 'fermyon' }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Install Nomad | |
| env: | |
| NOMAD_VERSION: "1.4.3" | |
| run: | | |
| curl -Os https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_linux_$(dpkg --print-architecture).zip | |
| unzip nomad_${NOMAD_VERSION}_linux_$(dpkg --print-architecture).zip -d /usr/local/bin | |
| chmod +x /usr/local/bin/nomad | |
| # This action currently generates a warning due to using deprecated features. | |
| # https://github.com/aws-actions/configure-aws-credentials/issues/521 tracks the new behaviour. | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.INFRA_NAMESPACE }}-${{ secrets.AWS_REGION }}-gha-certs | |
| role-session-name: fermyon-developer-deploy | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| - name: Fetch Nomad Certs from S3 | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| for cert in infra_ca \ | |
| api_client_cert_private_key \ | |
| api_client_cert_public_key; do | |
| aws s3api get-object \ | |
| --bucket "infra-certs-${{ secrets.INFRA_NAMESPACE }}-${{ secrets.AWS_REGION }}" \ | |
| --key "${cert}" \ | |
| "/tmp/${cert}" | |
| done | |
| - name: Configure Nomad | |
| shell: bash | |
| run: | | |
| echo "NOMAD_CACERT=/tmp/infra_ca" >> $GITHUB_ENV | |
| echo "NOMAD_CLIENT_CERT=/tmp/api_client_cert_public_key" >> $GITHUB_ENV | |
| echo "NOMAD_CLIENT_KEY=/tmp/api_client_cert_private_key" >> $GITHUB_ENV | |
| echo "NOMAD_ADDR=https://nomad.${{ secrets.INFRA_NAMESPACE }}.${{ secrets.AWS_REGION }}.fermyon.link:4646" >> $GITHUB_ENV | |
| - name: Configure manual deploy | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| shell: bash | |
| run: | | |
| echo "GIT_REF=${{ github.event.inputs.ref }}" >> $GITHUB_ENV | |
| echo "GIT_SHA=${{ github.event.inputs.commit }}" >> $GITHUB_ENV | |
| if [[ "${{ github.event.inputs.environment }}" == "prod" ]]; then | |
| echo "PRODUCTION=true" >> $GITHUB_ENV | |
| echo "NOMAD_NAMESPACE=prod" >> $GITHUB_ENV | |
| else | |
| echo "PRODUCTION=false" >> $GITHUB_ENV | |
| echo "NOMAD_NAMESPACE=staging" >> $GITHUB_ENV | |
| fi | |
| - name: Configure auto-deploy | |
| if: ${{ github.event_name == 'push' }} | |
| shell: bash | |
| run: | | |
| echo "GIT_REF=${{ github.ref }}" >> $GITHUB_ENV | |
| echo "GIT_SHA=${{ github.sha }}" >> $GITHUB_ENV | |
| echo "PRODUCTION=true" >> $GITHUB_ENV | |
| echo "NOMAD_NAMESPACE=prod" >> $GITHUB_ENV | |
| - name: Deploy | |
| shell: bash | |
| run: | | |
| set -euox pipefail | |
| # purge any lingering/completed publish jobs | |
| nomad job inspect publish-${{ env.JOB }} &>/dev/null && \ | |
| nomad stop -purge -yes publish-${{ env.JOB }} | |
| # run the publish job | |
| nomad run \ | |
| -var "region=${{ secrets.AWS_REGION }}" \ | |
| -var "git_ref=${{ env.GIT_REF }}" \ | |
| -var "commit_sha=${{ env.GIT_SHA }}" \ | |
| deploy/publish-${{ env.JOB }}.nomad | |
| # wait for publish job to complete | |
| timeout 300s bash -c 'until [[ "$(nomad job inspect publish-${{ env.JOB }} | jq -j '.Job.Status')" == "dead" ]]; do sleep 2; done' | |
| readonly bindle_id="$(nomad logs -job publish-${{ env.JOB }} | sed -n 's/pushed: //p')" | |
| # run/update the website job | |
| nomad run \ | |
| -var "region=${{ secrets.AWS_REGION }}" \ | |
| -var "production=${{ env.PRODUCTION }}" \ | |
| -var "bindle_id=${bindle_id}" \ | |
| deploy/${{ env.JOB }}.nomad |