-
Notifications
You must be signed in to change notification settings - Fork 0
157 lines (147 loc) · 7.02 KB
/
gcp-build-gke-dev.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on a Google Kubernetes Instance when a commit is pushed to the "develop" branch
#
# To configure this workflow:
#
# 1. Ensure the required Google Cloud APIs are enabled in the project:
#
# Cloud Build cloudbuild.googleapis.com
# Artifact Registry artifactregistry.googleapis.com
#
# 2. Create a service account (if you don't have one) with the following fields:
#
# Service Account Name <PROJECT-NAME>-github-actions
# Service Account ID <PROJECT-NAME>-github-actions
#
# 3. Ensure the service account have the required IAM permissions granted:
#
# Cloud Build
# roles/cloudbuild.builds.editor (cloud build editor)
# roles/cloudbuild.builds.builder (cloud build service account)
#
# Artifact Registry
# roles/artifactregistry.repoAdmin (artifact registry repository administrator)
# roles/artifactregistry.admin (artifact registry administrator)
#
# Service Account
# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account)
#
# Basic Roles
# roles/viewer (viewer)
#
# NOTE: You should always follow the principle of least privilege when assigning IAM roles
#
# 4. Ensure you have the following GitHub Secrets and Variables:
#
# GitHub Secrets
# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets
#
# GitHub Variables
# GCP_PROJECT_ID (Google Cloud Project ID)
# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name)
# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location)
#
# 5. Ensure you have the following GitHub Variables for each environment that you will set up:
#
# GitHub Variables
# GCP_IMAGE_NAME (Docker Image Name)
# GKE_APP_NAME (Kubernetes Application Name)
# GKE_APP_RELEASE (Kubernetes Application Release Version)
# GKE_APP_NAMESPACE (Kubernetes Application Namespace)
# GKE_CLUSTER (Kubernetes Cluster Name)
# GKE_ZONE (Kubernetes Cluster Location)
#
# Further reading:
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
name: "[DEV] Build and Deploy to GKE using Helm"
on:
push:
branches:
- nextjs-test-actions
env:
GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }}
GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }}
GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }}
GKE_APP_NAME: ${{ vars.GKE_APP_NAME }}
GKE_APP_RELEASE: ${{ github.ref_name }}
GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }}
GKE_CLUSTER: ${{ vars.GKE_CLUSTER }}
GKE_ZONE: ${{ vars.GKE_ZONE }}
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
build:
runs-on: ubuntu-latest
# runs-on:
# group: datawheel-self-runners
environment: development
steps:
- name: Checkout
uses: actions/checkout@v4
# Authentication via credentials json
- name: Google Auth
id: auth
uses: google-github-actions/auth@v2
with:
project_id: ${{ env.GCP_PROJECT_ID }}
credentials_json: ${{ secrets.GCP_SA_KEY }}
# Install Cloud SDK
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1
with:
install_components: "beta"
# Build image on Google Cloud Artifact Registry
- name: Build Docker Image
run: |-
gcloud builds submit \
--quiet \
--timeout=40m \
--config=cloudbuild.yml \
--substitutions=_GCP_ARTIFACT_REGISTRY_LOCATION=${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_PROJECT_ID=${{ vars.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ vars.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_IMAGE_NAME=${{ vars.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ vars.GKE_APP_NAMESPACE }},_PANTHEON_PGURI=${{ secrets.PANTHEON_PGURI }},_REACT_APP_TRIVIA_GAME=${{ secrets.REACT_APP_TRIVIA_GAME }}
# deploys the recently created docker image via google cloude build
deploy:
needs: build
name: Deploy Docker Image to Cloud Run
runs-on: ubuntu-latest
# runs-on:
# group: datawheel-self-runners
environment: development
steps:
- name: Checkout
uses: actions/checkout@v4
# Authentication via credentials json
- name: Google Auth
id: auth
uses: google-github-actions/auth@v2
with:
project_id: ${{ env.GCP_PROJECT_ID }}
credentials_json: ${{ secrets.GCP_SA_KEY }}
# Install Cloud SDK
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1
with:
install_components: "beta"
# Deploy to CloudRun
- name: Deploy Image to Cloud Run
run: |-
gcloud run deploy ${{ env.GCP_IMAGE_NAME }} \
--image=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ github.sha }} \
--region=${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} \
--port=3000 \
--set-env-vars=URL=${{ vars.URL }} \
--set-env-vars=CANON_API=${{ vars.CANON_API }} \
--set-env-vars=CANON_GOOGLE_ANALYTICS=${{ vars.CANON_GOOGLE_ANALYTICS }} \
--set-env-vars=NEWS_API_KEY=${{ secrets.NEWS_API_KEY }} \
--set-env-vars=PANTHEON_PGURI=${{ secrets.PANTHEON_PGURI }} \
--set-env-vars=REACT_APP_GAME_CSV_URL=${{ secrets.REACT_APP_GAME_CSV_URL }} \
--set-env-vars=REACT_APP_GAME_RECAPTCHA_SECRET_KEY_V3=${{ secrets.REACT_APP_GAME_RECAPTCHA_SECRET_KEY_V3 }} \
--set-env-vars=REACT_APP_GAME_RECAPTCHA_SITE_KEY_V3=${{ secrets.REACT_APP_GAME_RECAPTCHA_SITE_KEY_V3 }} \
--set-env-vars=REACT_APP_GAME_SECRET_KEY=${{ secrets.REACT_APP_GAME_SECRET_KEY }} \
--set-env-vars=REACT_APP_TRIVIA_GAME=${{ secrets.REACT_APP_TRIVIA_GAME }} \
--set-env-vars=TMDB_API_KEY=${{ secrets.TMDB_API_KEY }} \
--set-env-vars=TW_API_KEY=${{ secrets.TW_API_KEY }} \
--set-env-vars=TW_API_SECRET=${{ secrets.TW_API_SECRET }} \
--set-env-vars=YOUTUBE_API_KEY=${{ secrets.YOUTUBE_API_KEY }} \
--allow-unauthenticated