Merge pull request #603 from freelawproject/dependabot/pip/cryptograp… #316
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and deploy | |
on: | |
push: | |
branches: [ "main" ] | |
env: | |
AWS_REGION: us-west-2 | |
EKS_CLUSTER_NAME: courtlistener | |
EKS_NAMESPACE: court-listener | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Build and Push | |
run: | | |
make push --file docker/django/Makefile -e VERSION=$(git rev-parse --short HEAD) | |
deploy: | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set shortcode | |
id: vars | |
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Create Kubeconfig with AWS CLI | |
run: aws eks update-kubeconfig --region ${{ env.AWS_REGION }} --name ${{ env.EKS_CLUSTER_NAME }} | |
- name: Update Environment Variables | |
env: | |
BOTS_ENV: bots-env | |
run: kubectl annotate es $BOTS_ENV force-sync=$(date +%s) --overwrite -n ${{ env.EKS_NAMESPACE }} && kubectl wait es -n ${{ env.EKS_NAMESPACE }} --for=jsonpath="{.status.conditions[?(@.reason=='SecretSynced')].status}"=True --timeout=30s $BOTS_ENV | |
- name: Collect static assets and check unapplied migration exit code | |
id: checkMigration | |
# Do big complicated thing to get secrets into the image. | |
# See: https://stackoverflow.com/a/52488906/64911 | |
run: | | |
kubectl run ${{ steps.vars.outputs.sha_short }} -it --rm -n ${{ env.EKS_NAMESPACE }} --image freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod --restart Never --overrides=' | |
{ | |
"spec": { | |
"containers": [ | |
{ | |
"name": "${{ steps.vars.outputs.sha_short }}", | |
"image": "freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod", | |
"command": [ | |
"/bin/sh", | |
"-c", | |
"./manage.py tailwind install --no-input && ./manage.py tailwind build --no-input && ./manage.py collectstatic --noinput && ./manage.py migrate --check" | |
], | |
"envFrom": [ | |
{ | |
"secretRef": { | |
"name": "bots-env" | |
} | |
} | |
] | |
} | |
] | |
} | |
} | |
' | |
# If the previous step had an error, start a pod to do maintenance, and | |
# quit with an error message. | |
- name: Check migration exit code from previous step | |
if: failure() | |
run: | | |
echo "Found unapplied migrations. A pod named bots-deploy-${{ steps.vars.outputs.sha_short }} has been created for you." | |
echo "Shell into that pod, do a manual migration, delete the pod, and re-run this Github Action job." | |
kubectl run bots-deploy-${{ steps.vars.outputs.sha_short }} -n ${{ env.EKS_NAMESPACE }} --image freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod --restart Never --overrides=' | |
{ | |
"spec": { | |
"containers": [ | |
{ | |
"name": "bots-deploy-${{ steps.vars.outputs.sha_short }}", | |
"image": "freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod", | |
"command": [ | |
"/bin/sh", | |
"-c", | |
"trap : TERM INT; sleep infinity & wait" | |
], | |
"envFrom": [ | |
{ | |
"secretRef": { | |
"name": "bots-env" | |
} | |
} | |
] | |
} | |
] | |
} | |
} | |
' | |
exit 1 | |
# Rollout new versions one by one (watch "deployments" in k9s) | |
- name: Rollout bots-python | |
run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/bots-python web=freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-web-prod | |
- name: Watch bots-python rollout status | |
run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/bots-python | |
- name: Rollout bots-rq | |
run: kubectl set image -n ${{ env.EKS_NAMESPACE }} deployment/bots-rq bots-rq=freelawproject/bigcases2:${{ steps.vars.outputs.sha_short }}-rq | |
- name: Watch bots-rq rollout status | |
run: kubectl rollout status -n ${{ env.EKS_NAMESPACE }} deployment/bots-rq | |
# Bust the CloudFront cache site-wide | |
- name: Invalidate CDN | |
run: aws cloudfront create-invalidation --distribution-id=E1ENXLZB55ZLXE --paths '/*' |