Skip to content

resolved merge

resolved merge #22

# This workflow build and push a Docker container to Google Artifact Registry and deploy it on a Google Kubernetes Instance when a commit is pushed to the "develop" branch
#
# To configure this workflow:
#
# 1. Ensure the required Google Cloud APIs are enabled in the project:
#
# Cloud Build cloudbuild.googleapis.com
# Artifact Registry artifactregistry.googleapis.com
#
# 2. Create a service account (if you don't have one) with the following fields:
#
# Service Account Name <PROJECT-NAME>-github-actions
# Service Account ID <PROJECT-NAME>-github-actions
#
# 3. Ensure the service account have the required IAM permissions granted:
#
# Cloud Build
# roles/cloudbuild.builds.editor (cloud build editor)
# roles/cloudbuild.builds.builder (cloud build service account)
#
# Artifact Registry
# roles/artifactregistry.repoAdmin (artifact registry repository administrator)
# roles/artifactregistry.admin (artifact registry administrator)
#
# Service Account
# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account)
#
# Basic Roles
# roles/viewer (viewer)
#
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
#
# 4. Ensure you have the following GitHub Secrets and Variables:
#
# GitHub Secrets
# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets
#
# GitHub Variables
# GCP_PROJECT_ID (Google Cloud Project ID)
# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name)
# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location)
#
# 5. Ensure you have the following GitHub Variables for each environment that you will set up:
#
# GitHub Variables
# GCP_IMAGE_NAME (Docker Image Name)
# GKE_APP_NAME (Kubernetes Application Name)
# GKE_APP_RELEASE (Kubernetes Application Release Version)
# GKE_APP_NAMESPACE (Kubernetes Application Namespace)
# GKE_CLUSTER (Kubernetes Cluster Name)
# GKE_ZONE (Kubernetes Cluster Location)
#
# Further reading:
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
name: "[DEV] Build and Deploy to GKE using Helm"
on:
push:
branches:
- nextjs-test-actions
env:
GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }}
GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }}
GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }}
GKE_APP_NAME: ${{ vars.GKE_APP_NAME }}
GKE_APP_RELEASE: ${{ github.ref_name }}
GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }}
GKE_CLUSTER: ${{ vars.GKE_CLUSTER }}
GKE_ZONE: ${{ vars.GKE_ZONE }}
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
build:
runs-on: ubuntu-latest
# runs-on:
# group: datawheel-self-runners
environment: development
steps:
- name: Checkout
uses: actions/checkout@v4
# Authentication via credentials json
- name: Google Auth
id: auth
uses: google-github-actions/auth@v2
with:
project_id: ${{ env.GCP_PROJECT_ID }}
credentials_json: ${{ secrets.GCP_SA_KEY }}
# Install Cloud SDK
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1
with:
install_components: "beta"
# Build image on Google Cloud Artifact Registry
- name: Build Docker Image
run: |-
gcloud builds submit \
--quiet \
--timeout=40m \
--config=cloudbuild.yml \
--substitutions=_GCP_ARTIFACT_REGISTRY_LOCATION=${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_PROJECT_ID=${{ vars.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ vars.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_IMAGE_NAME=${{ vars.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ vars.GKE_APP_NAMESPACE }},_PANTHEON_PGURI=${{ secrets.PANTHEON_PGURI }},_REACT_APP_TRIVIA_GAME=${{ secrets.REACT_APP_TRIVIA_GAME }}
# deploys the recently created docker image via google cloude build
deploy:
needs: build
name: Deploy Docker Image to Cloud Run
runs-on: ubuntu-latest
# runs-on:
# group: datawheel-self-runners
environment: development
steps:
- name: Checkout
uses: actions/checkout@v4
# Authentication via credentials json
- name: Google Auth
id: auth
uses: google-github-actions/auth@v2
with:
project_id: ${{ env.GCP_PROJECT_ID }}
credentials_json: ${{ secrets.GCP_SA_KEY }}
# Install Cloud SDK
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1
with:
install_components: "beta"
# Deploy to CloudRun
- name: Deploy Image to Cloud Run
run: |-
gcloud run deploy ${{ env.GCP_IMAGE_NAME }} \
--image=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ github.sha }} \
--region=${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} \
--port=3000 \
--set-env-vars=URL=${{ vars.URL }} \
--set-env-vars=CANON_API=${{ vars.CANON_API }} \
--set-env-vars=CANON_GOOGLE_ANALYTICS=${{ vars.CANON_GOOGLE_ANALYTICS }} \
--set-env-vars=NEWS_API_KEY=${{ secrets.NEWS_API_KEY }} \
--set-env-vars=PANTHEON_PGURI=${{ secrets.PANTHEON_PGURI }} \
--set-env-vars=REACT_APP_GAME_CSV_URL=${{ secrets.REACT_APP_GAME_CSV_URL }} \
--set-env-vars=REACT_APP_GAME_RECAPTCHA_SECRET_KEY_V3=${{ secrets.REACT_APP_GAME_RECAPTCHA_SECRET_KEY_V3 }} \
--set-env-vars=REACT_APP_GAME_RECAPTCHA_SITE_KEY_V3=${{ secrets.REACT_APP_GAME_RECAPTCHA_SITE_KEY_V3 }} \
--set-env-vars=REACT_APP_GAME_SECRET_KEY=${{ secrets.REACT_APP_GAME_SECRET_KEY }} \
--set-env-vars=REACT_APP_TRIVIA_GAME=${{ secrets.REACT_APP_TRIVIA_GAME }} \
--set-env-vars=TMDB_API_KEY=${{ secrets.TMDB_API_KEY }} \
--set-env-vars=TW_API_KEY=${{ secrets.TW_API_KEY }} \
--set-env-vars=TW_API_SECRET=${{ secrets.TW_API_SECRET }} \
--set-env-vars=YOUTUBE_API_KEY=${{ secrets.YOUTUBE_API_KEY }} \
--allow-unauthenticated