(PC-33758) fix pr env deployments #9324
Workflow file for this run
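# Pull-request entry point: detects which parts of the repository changed,
# derives a content checksum tag for the `api` tree, then fans out to the
# reusable workflows that build, test, push and deploy the pull request.
name: "1 [on_pull_request] Initiate workflow"

on:
  pull_request:
    branches-ignore:
      - docs

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

# NOTE(review): `write-all` grants every GITHUB_TOKEN scope to every job here,
# and it is the ceiling inherited by all reusable workflows called below.
# The OIDC steps (google-github-actions/auth) need `id-token: write`; the other
# scopes should be narrowed to what the called workflows actually use. Left
# unchanged because those workflows are not visible from this file.
permissions: write-all

env:
  docker_registry: "europe-west1-docker.pkg.dev/passculture-infra-prod/pass-culture-artifact-registry"

jobs:
  pcapi-init-job:
    name: "Init job"
    runs-on: ubuntu-22.04
    outputs:
      api-changed: ${{ steps.check-api-changes.outputs.any_modified }}
      api-documentation-changed: ${{ steps.check-api-documentation-changes.outputs.any_modified }}
      pro-changed: ${{ steps.check-pro-changes.outputs.any_modified }}
      dependencies-changed: ${{ steps.check-dependencies-changes.outputs.any_modified }}
      push-tags: ${{ steps.pcapi-tags.outputs.push-tags }}
      checksum-tag: ${{ steps.pcapi-tags.outputs.checksum-tag }}
      checksum-tag-exists: ${{ steps.check-checksum-tag.outputs.tag-exists }}
      checksum-console-tag-exists: ${{ steps.check-console-checksum-tag.outputs.tag-exists }}
    steps:
      # NOTE(review): the ref after `@` was replaced by the page's e-mail
      # obfuscation; restore the original version (ideally a full commit SHA).
      - uses: actions/[email protected]
        with:
          fetch-depth: 0
          fetch-tags: false
      # NOTE(review): `tj-actions/changed-files` is referenced by a mutable tag
      # (`@v45`) in the four steps below. A retargeted tag would run new code with
      # this job's token and credentials; pin third-party actions to a full
      # commit SHA.
      - name: "Check api folder changes"
        id: check-api-changes
        uses: tj-actions/changed-files@v45
        with:
          files: |
            api/**
            !api/documentation/**
            !api/src/pcapi/scripts/**/main.py
            !api/src/pcapi/scripts/**/main.sql
      - name: "Check api documentation folder changes"
        id: check-api-documentation-changes
        uses: tj-actions/changed-files@v45
        with:
          files: api/documentation/**
      - name: "Check pro folder changes"
        id: check-pro-changes
        uses: tj-actions/changed-files@v45
        with:
          files: pro/**
      - name: "Check changes in dependencies (frontend + backend)"
        id: check-dependencies-changes
        uses: tj-actions/changed-files@v45
        with:
          files: |
            api/poetry.lock
            pro/yarn.lock
      # checkout source branch of the pull request
      # NOTE(review): from here on the workspace holds the PR head, so the
      # `check-image-tag-exists.sh` script run below is the pull request's own
      # copy and executes with the registry access token in its environment.
      - uses: actions/[email protected]
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          fetch-tags: false
      - name: "Define pcapi image tags."
        id: pcapi-tags
        env:
          # Event data reaches the script through the environment rather than
          # being spliced into the shell source by expression expansion.
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Fail the step if `tar` fails: without pipefail the checksum of an
          # empty stream would be published as the image tag.
          set -euo pipefail
          DOCKER_IMAGE="${docker_registry}/pcapi"
          # Fixed sort order, owner and mtime keep the archive (and so the tag)
          # dependent only on the content of `api`.
          API_CHECKSUM="$(tar --sort=name --owner=0 --group=0 --mtime='UTC 2019-01-01' -cf - api | sha1sum | awk '{ print $1 }')"
          PUSH_TAGS="push-tags=$DOCKER_IMAGE:$HEAD_SHA,$DOCKER_IMAGE:$API_CHECKSUM"
          API_TAG="checksum-tag=$API_CHECKSUM"
          echo "PUSH_TAGS=$PUSH_TAGS"
          echo "API_TAG=$API_TAG"
          echo "$PUSH_TAGS" >> "$GITHUB_OUTPUT"
          echo "$API_TAG" >> "$GITHUB_OUTPUT"
      - name: "Authentification to Google"
        uses: "google-github-actions/auth@v2"
        with:
          workload_identity_provider: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      - name: "Get Secret"
        id: "secrets"
        uses: "google-github-actions/get-secretmanager-secrets@v2"
        with:
          secrets: |-
            ARTIFACT_REGISTRY_WORKLOAD_IDENTITY_PROVIDER:passculture-metier-ehp/passculture-main-gcp-workload-identity-provider
            ARTIFACT_REGISTRY_SERVICE_ACCOUNT:passculture-metier-ehp/passculture-main-artifact-registry-service-account
      - name: "OpenID Connect Authentication"
        id: "openid-auth"
        uses: "google-github-actions/auth@v2"
        with:
          create_credentials_file: false
          token_format: "access_token"
          workload_identity_provider: ${{ steps.secrets.outputs.ARTIFACT_REGISTRY_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ steps.secrets.outputs.ARTIFACT_REGISTRY_SERVICE_ACCOUNT }}
      - name: "Docker login"
        id: "docker-login"
        uses: "docker/login-action@v3"
        with:
          registry: "europe-west1-docker.pkg.dev"
          username: "oauth2accesstoken"
          password: "${{ steps.openid-auth.outputs.access_token }}"
      - name: "pcapi"
        id: check-checksum-tag
        run: bash ./.github/workflows/scripts/check-image-tag-exists.sh
        env:
          image: pcapi
          tag: ${{ steps.pcapi-tags.outputs.checksum-tag }}
          token: ${{ steps.openid-auth.outputs.access_token }}
      - name: "pcapi-console"
        id: check-console-checksum-tag
        run: bash ./.github/workflows/scripts/check-image-tag-exists.sh
        env:
          image: pcapi-console
          tag: ${{ steps.pcapi-tags.outputs.checksum-tag }}
          token: ${{ steps.openid-auth.outputs.access_token }}
      - name: "Publish Summary"
        run: |
          {
            echo "### :rocket: Init Job summary"
            echo "| Results | Value |"
            echo "| ------------------------------------ | ----- |"
            echo "| commit sha | ${{ github.sha }} |"
            echo "| [api] content changed | ${{ steps.check-api-changes.outputs.any_modified }} |"
            echo "| [api-documentation] content changed | ${{ steps.check-api-documentation-changes.outputs.any_modified }} |"
            echo "| [pro] content changed | ${{ steps.check-pro-changes.outputs.any_modified }} |"
            echo "| [dependencies] content changed | ${{ steps.check-dependencies-changes.outputs.any_modified }} |"
            echo "| [pcapi] image tag | ${{ steps.pcapi-tags.outputs.checksum-tag }} |"
            echo "| [pcapi] image already exists | ${{ steps.check-checksum-tag.outputs.tag-exists }} |"
            echo "| [pcapi-console] image already exists | ${{ steps.check-console-checksum-tag.outputs.tag-exists }} |"
          } >> "$GITHUB_STEP_SUMMARY"

  build-pcapi:
    name: "[pcapi] build docker image."
    needs: [pcapi-init-job]
    if: needs.pcapi-init-job.outputs.api-changed == 'true' && needs.pcapi-init-job.outputs.checksum-tag-exists == 'false'
    uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml
    with:
      ref: ${{ github.event.pull_request.head.sha }}
      image: pcapi
      tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  # Always build pcapi-tests image if api changed
  build-pcapi-tests:
    name: "[pcapi-tests] build docker image."
    needs: [pcapi-init-job]
    if: needs.pcapi-init-job.outputs.api-changed == 'true' && needs.pcapi-init-job.outputs.checksum-tag-exists == 'false'
    uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml
    with:
      ref: ${{ github.event.pull_request.head.sha }}
      image: pcapi-tests
      tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  build-pcapi-console:
    name: "[pcapi-console] build docker image."
    needs: [pcapi-init-job]
    if: (needs.pcapi-init-job.outputs.api-changed == 'true' || needs.pcapi-init-job.outputs.pro-changed == 'true') && needs.pcapi-init-job.outputs.checksum-console-tag-exists == 'false'
    uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml
    with:
      ref: ${{ github.event.pull_request.head.sha }}
      image: pcapi-console
      tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  run-mypy-cop:
    name: "MyPy cop"
    needs: [pcapi-init-job]
    if: |
      github.event_name == 'pull_request' &&
      needs.pcapi-init-job.outputs.api-changed == 'true'
    uses: ./.github/workflows/dev_on_workflow_mypy_cop.yml

  update-api-client-template:
    name: "Update api client template"
    needs: [pcapi-init-job, build-pcapi]
    uses: ./.github/workflows/dev_on_workflow_update_api_client_template.yml
    concurrency:
      group: update-api-client-template-${{ github.ref }}
      cancel-in-progress: true
    with:
      PCAPI_DOCKER_TAG: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
      TRIGGER_ONLY_ON_API_CHANGE: true
      TRIGGER_ONLY_ON_DEPENDENCY_CHANGE: true
      CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
      api-changed: ${{ needs.pcapi-init-job.outputs.api-changed }}
      dependencies-changed: ${{ needs.pcapi-init-job.outputs.dependencies-changed }}
    secrets:
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}

  test-api:
    name: "Tests api"
    needs: [pcapi-init-job, build-pcapi-tests]
    uses: ./.github/workflows/dev_on_workflow_tests_api.yml
    with:
      tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}

  test-api-documentation:
    name: "Tests API documentation"
    needs: [pcapi-init-job]
    if: needs.pcapi-init-job.outputs.api-documentation-changed == 'true'
    uses: ./.github/workflows/dev_on_workflow_tests_api_documentation.yml
    secrets:
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}

  test-pro:
    name: "Tests pro"
    needs: [pcapi-init-job]
    if: needs.pcapi-init-job.outputs.pro-changed == 'true'
    uses: ./.github/workflows/dev_on_workflow_tests_pro.yml
    with:
      CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  test-pro-e2e:
    name: "Tests pro E2E"
    needs: [pcapi-init-job, build-pcapi]
    uses: ./.github/workflows/dev_on_workflow_tests_pro_e2e.yml
    # `&&` binds tighter than `||`: without the parentheses a `pro-changed`
    # run skipped the `!cancelled()` guard entirely.
    if: |
      always() &&
      !cancelled() &&
      (
        needs.pcapi-init-job.outputs.api-changed == 'true' ||
        needs.pcapi-init-job.outputs.pro-changed == 'true'
      )
    with:
      # Falls back to `latest` when no pcapi image was built for this PR.
      tag: ${{ needs.build-pcapi.result == 'skipped' && 'latest' || needs.pcapi-init-job.outputs.checksum-tag }}
      CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  merge-allure-reports:
    name: "Merge Allure Reports and Push to Allure Repository"
    needs: [test-pro, test-pro-e2e]
    runs-on: ubuntu-22.04
    if: |
      always() &&
      !cancelled() &&
      (needs.test-pro.result == 'success' || needs.test-pro-e2e.result == 'success')
    steps:
      # NOTE(review): installs whatever version of `allure-commandline` is
      # current at run time; pin an exact version so the tool that later runs
      # in this job cannot change silently.
      - name: "Install Allure CLI via Yarn"
        run: yarn global add allure-commandline
      - name: "Download Allure results artifacts for pro"
        uses: actions/download-artifact@v4
        with:
          name: allure-results-pro-unit
          path: allure-results/pro-unit
      # - name: "Download Allure results artifacts for pro E2E"
      #   uses: actions/download-artifact@v4
      #   with:
      #     name: allure-results-pro-e2e
      #     path: allure-results/pro-e2e
      - name: "Merge Allure Results"
        run: |
          mkdir -p allure-results
          cp -r allure-results/pro-unit/* allure-results/
      - name: "Clone Allure Report Repository to Retrieve History"
        env:
          TOKEN: ${{ secrets.PAT_ALLURE_REPORTS_TEMP }}
        run: |
          git clone "https://x-access-token:${TOKEN}@github.com/fseguin-pass/allure-reports-temp.git" allure-report-temp
          # `git clone` stores the URL, token included, in the clone's
          # .git/config; reset the remote so later steps cannot read the PAT.
          git -C allure-report-temp remote set-url origin "https://github.com/fseguin-pass/allure-reports-temp.git"
          mkdir -p allure-results/history
          if [ -d "allure-report-temp/history" ]; then
            cp -r allure-report-temp/history/* allure-results/history/
          fi
      - name: "Generate Allure Report with History"
        run: allure generate allure-results --single-file --clean -o allure-report
      - name: "Upload Allure Report as artifact"
        uses: actions/upload-artifact@v4
        with:
          name: allure-report
          path: allure-report/index.html

  dependabot-auto-merge:
    name: "Dependabot"
    needs: test-pro
    # `github.actor` is the account that triggered this run, not the author of
    # the pull request, so the PR author is checked as well before auto-merge.
    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
    uses: ./.github/workflows/dev_on_workflow_dependabot_auto_merge.yml

  # Deploy on firebase if pro tests are ok OR job was skipped (= no changes in pro folder)
  deploy-pro-on-firebase-pullrequest:
    name: "[PRO] Deploy PR version for validation"
    needs: [pcapi-init-job, test-pro]
    if: always() && (needs.test-pro.result == 'success' || needs.test-pro.result == 'skipped')
    uses: ./.github/workflows/dev_on_workflow_deploy_pro_pr_version_generic.yml
    secrets:
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
    with:
      ENV: "testing"
      CHANNEL: ""
      REF: "${{ github.ref }}"
      CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
      is_pull_request: true

  # Push docker images to registry
  push-pcapi:
    name: "Push pcapi docker image to registry"
    needs: [pcapi-init-job, test-api, test-pro-e2e]
    uses: ./.github/workflows/dev_on_workflow_push_docker_image.yml
    with:
      image: pcapi
      commit-hash: ${{ github.event.pull_request.head.sha }}
      checksum-tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  push-pcapi-console:
    name: "Push pcapi-console docker image to registry"
    needs: [pcapi-init-job, test-api, test-pro-e2e]
    uses: ./.github/workflows/dev_on_workflow_push_docker_image.yml
    with:
      image: pcapi-console
      commit-hash: ${{ github.event.pull_request.head.sha }}
      checksum-tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}

  # Deploy pullrequest to testing environment
  # If image builds were successful OR image was already present in registry
  deploy:
    name: "Deploy PullRequest to testing environment"
    needs:
      - pcapi-init-job
      - push-pcapi
      - push-pcapi-console
      - deploy-pro-on-firebase-pullrequest
    # The two "images available" alternatives are grouped so that the
    # `!cancelled()` and dependabot guards apply to both of them; ungrouped, the
    # "already in registry" branch bypassed every guard. That branch also tested
    # `checksum-console-tag-exists` twice; it now checks the pcapi tag and the
    # pcapi-console tag.
    if: |
      always() &&
      !cancelled() &&
      github.actor != 'dependabot[bot]' &&
      (
        (needs.push-pcapi.result == 'success' && needs.push-pcapi-console.result == 'success') ||
        (needs.pcapi-init-job.outputs.checksum-tag-exists == 'true' && needs.pcapi-init-job.outputs.checksum-console-tag-exists == 'true')
      )
    uses: ./.github/workflows/dev_on_workflow_deploy_pullrequests.yml
    with:
      environment: pullrequest
      app_version: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
      pro_url: ${{ needs.deploy-pro-on-firebase-pullrequest.outputs.pro_url }}
    secrets:
      GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
      GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}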