Skip to content

Merge pull request #603 from freelawproject/dependabot/pip/cryptograp… #316

Merge pull request #603 from freelawproject/dependabot/pip/cryptograp…

Merge pull request #603 from freelawproject/dependabot/pip/cryptograp… #316

name: Build and deploy
on:
push:
branches: [ "main" ]
env:
AWS_REGION: us-west-2
EKS_CLUSTER_NAME: courtlistener
EKS_NAMESPACE: court-listener
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and Push
run: |
make push --file docker/django/Makefile -e VERSION=$(git rev-parse --short HEAD)
deploy:
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set shortcode
id: vars
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Create Kubeconfig with AWS CLI
run: aws eks update-kubeconfig --region ${{ env.AWS_REGION }} --name ${{ env.EKS_CLUSTER_NAME }}
- name: Update Environment Variables
env:
BOTS_ENV: bots-env
run: kubectl annotate es $BOTS_ENV force-sync=$(date +%s) --overwrite -n ${{ env.EKS_NAMESPACE }} && kubectl wait es -n ${{ env.EKS_NAMESPACE }} --for=jsonpath="{.status.conditions[?(@.reason=='SecretSynced')].status}"=True --timeout=30s $BOTS_ENV
- name: Collect static assets and check unapplied migration exit code
id: checkMigration
# Do big complicated thing to get secrets into the image.
# See: https://stackoverflow.com/a/52488906/64911
run: |
kubectl run ${{ steps.vars.outputs.sha_short }} -it --rm -n ${{ env.EKS_NAMESPACE }} --image freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod --restart Never --overrides='
{
"spec": {
"containers": [
{
"name": "${{ steps.vars.outputs.sha_short }}",
"image": "freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod",
"command": [
"/bin/sh",
"-c",
"./manage.py tailwind install --no-input && ./manage.py tailwind build --no-input && ./manage.py collectstatic --noinput && ./manage.py migrate --check"
],
"envFrom": [
{
"secretRef": {
"name": "bots-env"
}
}
]
}
]
}
}
'
# If the previous step had an error, start a pod to do maintenance, and
# quit with an error message.
- name: Check migration exit code from previous step
if: failure()
run: |
echo "Found unapplied migrations. A pod named bots-deploy-${{ steps.vars.outputs.sha_short }} has been created for you."
echo "Shell into that pod, do a manual migration, delete the pod, and re-run this Github Action job."
kubectl run bots-deploy-${{ steps.vars.outputs.sha_short }} -n ${{ env.EKS_NAMESPACE }} --image freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod --restart Never --overrides='
{
"spec": {
"containers": [
{
"name": "bots-deploy-${{ steps.vars.outputs.sha_short }}",
"image": "freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod",
"command": [
"/bin/sh",
"-c",
"trap : TERM INT; sleep infinity & wait"
],
"envFrom": [
{
"secretRef": {
"name": "bots-env"
}
}
]
}
]
}
}
'
exit 1
# Rollout new versions one by one (watch "deployments" in k9s)
- name: Rollout bots-python
run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/bots-python web=freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod
- name: Watch bots-python rollout status
run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/bots-python
- name: Rollout bots-rq
run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/bots-rq bots-rq=freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-rq
- name: Watch bots-rq rollout status
run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/bots-rq
# Bust the CloudFront cache site-wide
- name: Invalidate CDN
run: aws cloudfront create-invalidation --distribution-id=E1ENXLZB55ZLXE --paths '/*'