Skip to content

build(deps): bump google-github-actions/auth from 1 to 2 #195

build(deps): bump google-github-actions/auth from 1 to 2

build(deps): bump google-github-actions/auth from 1 to 2 #195

Workflow file for this run

name: GCP Cloud Run CI Dev
on:
pull_request:
types: [ opened, synchronize, reopened ]
env:
PROJECT_ID: fpi-sms-api
REGISTRY: asia-east1-docker.pkg.dev
GHUB_REPO_NAME: fpi-sms-api
SERVICE: fpi-sms-api-dev
REGION: asia-east1
SONAR_PROJECT_KEY: vincejv_fpi-sms-api
SERVICE_CPU: 1000m
SERVICE_MEMORY: 512Mi
SERVICE_ENV: dev
jobs:
pre_job:
name: Duplicate checks
runs-on: ubuntu-latest
if: ${{ !contains(github.event.head_commit.message, 'docs-update(') }} # skip for commits containing 'docs-update('
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
paths_result: ${{ steps.skip_check.outputs.paths_result }}
steps:
- name: Skip duplicate actions
id: skip_check
uses: fkirc/skip-duplicate-actions@v5
with:
concurrent_skipping: outdated_runs
cancel_others: true
code_quality_checks:
name: Code quality checks
runs-on: ubuntu-latest
needs: pre_job
if: needs.pre_job.outputs.should_skip != 'true'
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: temurin
java-version: 17
cache: maven
- name: Cache SonarCloud packages
uses: actions/cache@v3
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Build and analyze
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=${{ env.SONAR_PROJECT_KEY }} -Dsonar.qualitygate.wait=true -Pallow-snapshots
deploy_to_cloud:
name: Deploy to Cloud Run
runs-on: ubuntu-latest
needs: code_quality_checks
outputs:
artifact_version: ${{ steps.gen_ver.outputs.artifact_version }}
service_image_path: ${{ steps.image_version.outputs.service_image_path }}
permissions:
contents: read
packages: write
id-token: write
environment: Development
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # for jgitver to generate the version
# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@v2
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: temurin
java-version: 17
cache: maven
- name: Prepare artifact version
id: gen_ver
run: |
echo "artifact_version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
- name: Prepare Docker image tag
id: image_version
run: |
echo "service_image_path=${{ env.REGISTRY }}/${{ env.PROJECT_ID }}/${{ env.GHUB_REPO_NAME }}/${{ env.SERVICE }}:${{ steps.gen_ver.outputs.artifact_version }}" >> $GITHUB_OUTPUT
- name: Create JVM package
run: mvn -B package -Pallow-snapshots
- name: Google Auth
id: gcp-auth
uses: google-github-actions/auth@v2
with:
token_format: 'access_token'
workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'
- name: Login to Google Docker Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: 'oauth2accesstoken'
password: ${{ steps.gcp-auth.outputs.access_token }}
- name: Check Docker repository
id: repository_check
continue-on-error: true # will throw an error if repository does not exist
run: |
gcloud artifacts repositories describe ${{ env.GHUB_REPO_NAME }} --location ${{ env.REGION }}
- name: Create Docker repository
if: ${{ steps.repository_check.outcome == 'failure' }} # only create if previous step does not exist
run: |
gcloud artifacts repositories create ${{ env.GHUB_REPO_NAME }} --repository-format=docker --location ${{ env.REGION }}
# - name: Extract metadata (tags, labels) for Docker
# id: meta
# uses: docker/metadata-action@v4
# with:
# images: ${{ steps.image_version.outputs.service_image_path }}
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile.dev
push: true
tags: | # ${{ steps.meta.outputs.tags }} - (For public repositories like docker hub)
${{ steps.image_version.outputs.service_image_path }}
labels: ${{ steps.meta.outputs.labels }}
- name: Deploy to cloud run
id: deploy
uses: google-github-actions/deploy-cloudrun@v1
with:
service: ${{ env.SERVICE }}
region: ${{ env.REGION }}
image: ${{ steps.image_version.outputs.service_image_path }}
project_id: ${{ env.PROJECT_ID }}
flags: |
--set-env-vars ^##^MONGO_CONN_STRING=${{ secrets.MONGO_CONN_STRING }}
--set-env-vars OIDC_CLIENT_ID=${{ secrets.OIDC_CLIENT_ID }}
--set-env-vars OIDC_AUTH_URL=${{ secrets.OIDC_AUTH_URL }}
--set-env-vars OIDC_SECRET=${{ secrets.OIDC_SECRET }}
--set-env-vars SMS_API_KEY=${{ secrets.SMS_API_KEY }}
--set-env-vars SMS_SID=${{ secrets.SMS_SID }}
--set-env-vars M360_BROADCAST_URL=${{ secrets.M360_BROADCAST_URL }}
--set-env-vars USER_BASE_URI=${{ secrets.USER_BASE_URI }}
--set-env-vars FPI_APP_TO_APP_USERN=${{ secrets.FPI_APP_TO_APP_USERN }}
--set-env-vars LOGIN_BASE_URI=${{ secrets.LOGIN_BASE_URI }}
--set-env-vars SMS_SECRET=${{ secrets.SMS_SECRET }}
--set-env-vars FPI_MO_WEBHOOK_KEY=${{ secrets.FPI_MO_WEBHOOK_KEY }}
--set-env-vars FPI_DLR_WEBHOOK_KEY=${{ secrets.FPI_DLR_WEBHOOK_KEY }}
--set-env-vars FPI_GEN_WEBHOOK_KEY=${{ secrets.FPI_GEN_WEBHOOK_KEY }}
--set-env-vars FPI_APP_TO_APP_PASSW=${{ secrets.FPI_APP_TO_APP_PASSW }}
--set-env-vars M360_API_URL=${{ secrets.M360_API_URL }}
--set-env-vars DB_NAME=sms-api-dev
--cpu ${{ env.SERVICE_CPU }}
--memory ${{ env.SERVICE_MEMORY }}
--timeout 900
--no-cpu-throttling
labels: |
env=${{ env.SERVICE_ENV }}
- name: Configure cloud run
run: |-
gcloud run services add-iam-policy-binding ${{ env.SERVICE }} --member=allUsers --role=roles/run.invoker --region=${{ env.REGION }}
- name: Show Output
run: echo ${{ steps.deploy.outputs.url }}
deploy_to_central:
name: Release artifact to central
runs-on: ubuntu-latest
needs: deploy_to_cloud # only deploy to central if successfully deployed to cloud run environment
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: temurin
java-version: 17
cache: maven
server-id: ossrh
server-username: MAVEN_USERNAME
server-password: MAVEN_PASSWORD
gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
gpg-passphrase: MAVEN_GPG_PASSPHRASE
- name: Build and release to central repo
env:
MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
run: mvn -B deploy -Dlib-only -Prelease-for-oss,allow-snapshots
pr_update:
name: Pull request update
if: always()
needs: [ pre_job, deploy_to_cloud ]
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write # allows job to decorate PRs with analysis results
steps:
- name: Update PR (Skip message)
uses: marocchino/sticky-pull-request-comment@v2
if: ${{ always() && needs.pre_job.outputs.should_skip == 'true' }}
with:
message: |
⚪ Skipped CI/CD as deployment was done in a previous job
- name: Update PR (Success message)
uses: marocchino/sticky-pull-request-comment@v2
if: ${{ always() && needs.pre_job.outputs.should_skip != 'true' && needs.deploy_to_cloud.outputs.artifact_version != '' }}
with:
message: |
✅ Deployed to DEV environment: `${{ needs.deploy_to_cloud.outputs.artifact_version }}`
#### Add to your POM
```xml
<dependency>
<groupId>com.abavilla</groupId>
<artifactId>${{ env.GHUB_REPO_NAME }}-lib</artifactId>
<version>${{ needs.deploy_to_cloud.outputs.artifact_version }}</version>
</dependency>
```
- name: Update PR (Failure message)
uses: marocchino/sticky-pull-request-comment@v2
if: ${{ always() && needs.pre_job.outputs.should_skip != 'true' && needs.deploy_to_cloud.outputs.artifact_version == '' }}
with:
message: |
❌ CI Build & Deployment failed, please check the [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details
gcr-cleaner:
name: Clean-up old artifact registry images
needs: deploy_to_cloud
runs-on: 'ubuntu-latest'
permissions:
contents: read
id-token: write
steps:
- name: Google Auth
id: gcp-auth
uses: google-github-actions/auth@v2
with:
token_format: 'access_token'
workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'
- name: Login to Google Docker Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: 'oauth2accesstoken'
password: ${{ steps.gcp-auth.outputs.access_token }}
- name: Run GCR Cleaner
uses: docker://us-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner-cli
with:
args: >-
-repo=${{ env.REGISTRY }}/${{ env.PROJECT_ID }}/${{ env.GHUB_REPO_NAME }}/${{ env.SERVICE }}
-tag-filter-any "."
-keep=1
-recursive=true