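---
# Builds the admin_app container image, pushes it to the project's registry,
# restarts the container on the deployment VM over SSH and finally probes the
# application's healthcheck endpoint.
#
# Every value taken from the event (branch/tag name, dispatch input) or from a
# previous step's output is handed to the shell through `env:` instead of being
# expanded inside the `run:` script, so the script source never changes with
# the data it processes.
name: Deploy admin_app to GCP

# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - main
      - testing
      - production
    paths:
      - "admin_app/**"
      - ".github/workflows/deploy_gcp_admin_app.yaml"
  release:
    types: [released]
  workflow_dispatch:
    inputs:
      environment:
        description: "Deployment environment name"
        required: true
        # `choice` limits the value to the listed options; it is not free text.
        type: choice
        options:
          - testing
          - production

jobs:
  # Maps the triggering event to an environment name consumed by the deploy job.
  set-env:
    runs-on: ubuntu-latest
    outputs:
      env_name: ${{ steps.set-env.outputs.env_name }}
    steps:
      - name: Resolve deployment environment name
        id: set-env
        env:
          EVENT_NAME: ${{ github.event_name }}
          EVENT_ACTION: ${{ github.event.action }}
          INPUT_ENVIRONMENT: ${{ github.event.inputs.environment }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "$EVENT_NAME" == "release" ] && [ "$EVENT_ACTION" == "released" ]; then
            echo "env_name=production" >> "$GITHUB_OUTPUT"
          elif [ "$EVENT_NAME" == "workflow_dispatch" ]; then
            echo "env_name=$INPUT_ENVIRONMENT" >> "$GITHUB_OUTPUT"
          elif [ "$REF_NAME" == "main" ]; then
            echo "env_name=testing" >> "$GITHUB_OUTPUT"
          else
            # Pushes to the `testing` / `production` branches deploy to the
            # environment of the same name.
            echo "env_name=$REF_NAME" >> "$GITHUB_OUTPUT"
          fi

  DeployAdminAppToGCP:
    needs: [set-env]
    runs-on: ubuntu-latest
    # Only what the job uses: repository read access and an OIDC token for
    # workload identity federation. No write access to the repository.
    permissions:
      contents: "read"
      id-token: "write"
    # One GitHub environment per target; its protection rules gate the run and
    # its vars (POOL_ID, PROVIDER_ID) are scoped to it.
    environment: gcp-${{ needs.set-env.outputs.env_name }}
    env:
      RESOURCE_PREFIX: ${{ secrets.PROJECT_NAME }}-${{ needs.set-env.outputs.env_name }}
      REPO: ${{ secrets.DOCKER_REGISTRY_DOMAIN }}/${{ secrets.GCP_PROJECT_ID }}/${{ secrets.PROJECT_NAME }}-${{ needs.set-env.outputs.env_name }}
      # Production images carry the release tag name, all others the commit SHA.
      TAG: ${{ (needs.set-env.outputs.env_name == 'production' && github.ref_name) || github.sha }}
    steps:
      # NOTE(review): actions are pinned to major-version tags. Pinning each
      # `uses:` to a full commit SHA (keeping the tag in a trailing comment)
      # removes the dependency on a movable tag.
      - uses: "actions/checkout@v4"

      # Keyless authentication: the job's OIDC token is exchanged for GCP
      # credentials of the configured service account.
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v2"
        with:
          project_id: ${{ secrets.GCP_PROJECT_ID }}
          workload_identity_provider: projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ vars.POOL_ID }}/providers/${{ vars.PROVIDER_ID }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}

      - name: Retrieve secrets from Secret Manager
        id: "secrets"
        uses: "google-github-actions/get-secretmanager-secrets@v2"
        with:
          # Per the action's docs: minimum value length for log masking, so
          # very short values are not masked.
          min_mask_length: 4
          secrets: |-
            domain:${{ secrets.GCP_PROJECT_ID }}/${{ env.RESOURCE_PREFIX }}-domain
            google_login_client_id:${{ secrets.GCP_PROJECT_ID }}/${{ env.RESOURCE_PREFIX }}-google-login-client-id

      - name: Configure Docker to use gcloud as a credential helper
        env:
          REGISTRY_DOMAIN: ${{ secrets.DOCKER_REGISTRY_DOMAIN }}
        run: |
          gcloud auth configure-docker "$REGISTRY_DOMAIN"

      # REPO and TAG are the job-level env values exported to the shell.
      - name: Build and push admin_app image
        working-directory: admin_app
        run: |
          docker build \
            -t "$REPO/admin_app:latest" \
            -t "$REPO/admin_app:$TAG" \
            .
          docker image push --all-tags "$REPO/admin_app"

      # The command runs on the VM; GitHub expressions are expanded before it
      # is sent, so the Secret Manager values end up inline in the remote
      # command. The step-level REPO resolves to the same string as the
      # job-level one (RESOURCE_PREFIX is PROJECT_NAME-env_name).
      - name: Deploy admin_app container
        id: "compute-ssh"
        uses: "google-github-actions/ssh-compute@v1"
        env:
          REPO: ${{ secrets.DOCKER_REGISTRY_DOMAIN }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.RESOURCE_PREFIX }}
        with:
          instance_name: "${{ secrets.DEPLOYMENT_INSTANCE_NAME }}"
          zone: "${{ secrets.DEPLOYMENT_ZONE }}"
          ssh_private_key: "${{ secrets.GCP_SSH_PRIVATE_KEY }}"
          # NOTE(review): `docker stop` / `docker rm` exit non-zero when no
          # container named admin_app exists yet (first deploy); whether that
          # aborts the step depends on how ssh-compute treats the remote exit
          # status — confirm before relying on it.
          command: |
            docker-credential-gcr configure-docker \
              --registries ${{ secrets.DOCKER_REGISTRY_DOMAIN }}
            docker pull \
              ${{ env.REPO }}/admin_app:latest
            docker stop admin_app
            docker rm admin_app
            docker run -d \
              --log-driver=gcplogs \
              --restart always \
              --network aaq-network \
              --name admin_app \
              -e NEXT_PUBLIC_BACKEND_URL="https://${{ steps.secrets.outputs.domain }}/api" \
              -e NEXT_PUBLIC_GOOGLE_LOGIN_CLIENT_ID="${{ steps.secrets.outputs.google_login_client_id }}" \
              ${{ env.REPO }}/admin_app:latest
            docker system prune -f || true

      # Remote output goes through env: a quote character in it would
      # otherwise terminate an `echo '...'` literal and the remainder would be
      # executed as shell. printf does not interpret the value as options.
      - name: Show deployment command output
        env:
          SSH_STDOUT: ${{ steps.compute-ssh.outputs.stdout }}
          SSH_STDERR: ${{ steps.compute-ssh.outputs.stderr }}
        run: |-
          printf '%s\n' "$SSH_STDOUT"
          printf '%s\n' "$SSH_STDERR"

      - name: Wait for Application to start
        id: wait-for-app
        run: sleep 1m
        shell: bash

      # `curl -f` exits non-zero on an HTTP error status, which fails the step
      # and therefore the workflow.
      - name: Check if deployment was successful
        id: check-deployment
        env:
          APP_DOMAIN: ${{ steps.secrets.outputs.domain }}
        run: |
          curl -f -X 'GET' \
            "https://${APP_DOMAIN}/api/healthcheck" \
            -H 'accept: application/json'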