fix(flags): optimise defending against invalid cohorts (#20065) #4710
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# Build and push PostHog and PostHog Cloud container images | |
# | |
# - posthog_build: build and push the PostHog container image to DockerHub | |
# | |
# - posthog_cloud_build: build the PostHog Cloud container image using | |
# as base image the container image from the previous step. The image is | |
# then pushed to AWS ECR. | |
# | |
name: Container Images CD | |
on: | |
push: | |
branches: | |
- master | |
workflow_dispatch: | |
concurrency: ${{ github.workflow }} # ensure only one of this runs at a time | |
jobs: | |
posthog_build: | |
name: Build and push PostHog | |
if: github.repository == 'PostHog/posthog' | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write # allow issuing OIDC tokens for this workflow run | |
contents: read # allow at least reading the repo contents, add other permissions if necessary | |
packages: write # allow push to ghcr.io | |
steps: | |
- name: Check out | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 2 | |
- name: Override git.py | |
run: > | |
echo "def get_git_commit(): return '${GITHUB_SHA}'" > posthog/git.py | |
echo "def get_git_branch(): return '${GITHUB_REF_NAME}'" >> posthog/git.py | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Depot CLI | |
uses: depot/setup-action@v1 | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-east-1 | |
- name: Login to Amazon ECR | |
id: aws-ecr | |
uses: aws-actions/amazon-ecr-login@v2 | |
- name: Build and push container image | |
id: build | |
uses: depot/build-push-action@v1 | |
with: | |
buildx-fallback: false # the fallback is so slow it's better to just fail | |
push: true | |
tags: posthog/posthog:${{ github.sha }},posthog/posthog:latest,${{ steps.aws-ecr.outputs.registry }}/posthog-cloud:master | |
platforms: linux/arm64,linux/amd64 | |
build-args: COMMIT_HASH=${{ github.sha }} | |
- name: get deployer token | |
id: deployer | |
uses: getsentry/action-github-app-token@v2 | |
with: | |
app_id: ${{ secrets.DEPLOYER_APP_ID }} | |
private_key: ${{ secrets.DEPLOYER_APP_PRIVATE_KEY }} | |
- name: Trigger PostHog Cloud deployment | |
# TODO: switch to https://github.com/marketplace/actions/repository-dispatch | |
# as this action is now deprecated. | |
uses: mvasigh/dispatch-action@main | |
with: | |
token: ${{ steps.deployer.outputs.token }} | |
repo: posthog-cloud-infra | |
owner: PostHog | |
event_type: posthog_cloud_build | |
message: | | |
{ | |
"image_tag": "${{ steps.build.outputs.digest }}", | |
"image_tag_unit": "${{ steps.build.outputs.digest }}", | |
"context": ${{ toJson(github) }} | |
} | |
- name: Check for changes in plugins directory | |
id: check_changes_plugins | |
run: | | |
echo "changed=$((git diff --name-only HEAD^ HEAD | grep -q '^plugin-server/' && echo true) || echo false)" >> $GITHUB_OUTPUT | |
- name: Trigger Ingestion Cloud deployment | |
if: steps.check_changes_plugins.outputs.changed == 'true' | |
uses: mvasigh/dispatch-action@main | |
with: | |
token: ${{ steps.deployer.outputs.token }} | |
repo: charts | |
owner: PostHog | |
event_type: ingestion_deploy | |
message: | | |
{ | |
"image_tag": "${{ steps.build.outputs.digest }}" | |
} | |
- name: Check for changes that affect batch exports temporal worker | |
id: check_changes_batch_exports_temporal_worker | |
run: | | |
echo "changed=$((git diff --name-only HEAD^ HEAD | grep -qE '^posthog/temporal/common|^posthog/temporal/batch_exports|^posthog/batch_exports/|^posthog/management/commands/start_temporal_worker.py$' && echo true) || echo false)" >> $GITHUB_OUTPUT | |
- name: Trigger Batch Exports Temporal Worker Cloud deployment | |
if: steps.check_changes_batch_exports_temporal_worker.outputs.changed == 'true' | |
uses: mvasigh/dispatch-action@main | |
with: | |
token: ${{ steps.deployer.outputs.token }} | |
repo: charts | |
owner: PostHog | |
event_type: temporal_worker_deploy | |
message: | | |
{ | |
"image_tag": "${{ steps.build.outputs.digest }}", | |
"worker_name": "temporal-worker" | |
} | |
- name: Check for changes that affect data warehouse temporal worker | |
id: check_changes_data_warehouse_temporal_worker | |
run: | | |
echo "changed=$((git diff --name-only HEAD^ HEAD | grep -qE '^posthog/temporal/common|^posthog/temporal/data_imports|^posthog/warehouse/|^posthog/management/commands/start_temporal_worker.py$' && echo true) || echo false)" >> $GITHUB_OUTPUT | |
- name: Trigger Data Warehouse Temporal Worker Cloud deployment | |
if: steps.check_changes_data_warehouse_temporal_worker.outputs.changed == 'true' | |
uses: mvasigh/dispatch-action@main | |
with: | |
token: ${{ steps.deployer.outputs.token }} | |
repo: charts | |
owner: PostHog | |
event_type: temporal_worker_deploy | |
message: | | |
{ | |
"image_tag": "${{ steps.build.outputs.digest }}", | |
"worker_name": "temporal-worker-data-warehouse" | |
} |