Skip to content

(PC-33758) fix pr env deployments #9324

(PC-33758) fix pr env deployments

(PC-33758) fix pr env deployments #9324

name: "1 [on_pull_request] Initiate workflow"
on:
pull_request:
branches-ignore:
- docs
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
permissions: write-all
env:
docker_registry: "europe-west1-docker.pkg.dev/passculture-infra-prod/pass-culture-artifact-registry"
jobs:
pcapi-init-job:
name: "Init job"
runs-on: ubuntu-22.04
outputs:
api-changed: ${{ steps.check-api-changes.outputs.any_modified }}
api-documentation-changed: ${{ steps.check-api-documentation-changes.outputs.any_modified }}
pro-changed: ${{ steps.check-pro-changes.outputs.any_modified }}
dependencies-changed: ${{ steps.check-dependencies-changes.outputs.any_modified }}
push-tags: ${{ steps.pcapi-tags.outputs.push-tags }}
checksum-tag: ${{ steps.pcapi-tags.outputs.checksum-tag }}
checksum-tag-exists: ${{ steps.check-checksum-tag.outputs.tag-exists }}
checksum-console-tag-exists: ${{ steps.check-console-checksum-tag.outputs.tag-exists }}
steps:
- uses: actions/[email protected]
with:
fetch-depth: 0
fetch-tags: false
- name: "Check api folder changes"
id: check-api-changes
uses: tj-actions/changed-files@v45
with:
files: |
api/**
!api/documentation/**
!api/src/pcapi/scripts/**/main.py
!api/src/pcapi/scripts/**/main.sql
- name: "Check api documentation folder changes"
id: check-api-documentation-changes
uses: tj-actions/changed-files@v45
with:
files: api/documentation/**
- name: "Check pro folder changes"
id: check-pro-changes
uses: tj-actions/changed-files@v45
with:
files: pro/**
- name: "Check changes in dependencies (frontend + backend)"
id: check-dependencies-changes
uses: tj-actions/changed-files@v45
with:
files: |
api/poetry.lock
pro/yarn.lock
# checkout source branch of the pull request
- uses: actions/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
fetch-tags: false
- name: "Define pcapi image tags."
id: pcapi-tags
run: |
DOCKER_IMAGE="${{ env.docker_registry }}/pcapi"
API_CHECKSUM=`tar --sort=name --owner=0 --group=0 --mtime='UTC 2019-01-01' -cf - api | sha1sum | awk '{ print $1 }'`
PUSH_TAGS="push-tags=$DOCKER_IMAGE:${{ github.event.pull_request.head.sha }},$DOCKER_IMAGE:$API_CHECKSUM"
API_TAG="checksum-tag=$API_CHECKSUM"
echo "PUSH_TAGS=$PUSH_TAGS"
echo "API_TAG=$API_TAG"
echo $PUSH_TAGS >> "$GITHUB_OUTPUT"
echo $API_TAG >> "$GITHUB_OUTPUT"
- name: "Authentification to Google"
uses: "google-github-actions/auth@v2"
with:
workload_identity_provider: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
- name: "Get Secret"
id: "secrets"
uses: "google-github-actions/get-secretmanager-secrets@v2"
with:
secrets: |-
ARTIFACT_REGISTRY_WORKLOAD_IDENTITY_PROVIDER:passculture-metier-ehp/passculture-main-gcp-workload-identity-provider
ARTIFACT_REGISTRY_SERVICE_ACCOUNT:passculture-metier-ehp/passculture-main-artifact-registry-service-account
- name: "OpenID Connect Authentication"
id: "openid-auth"
uses: "google-github-actions/auth@v2"
with:
create_credentials_file: false
token_format: "access_token"
workload_identity_provider: ${{ steps.secrets.outputs.ARTIFACT_REGISTRY_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ steps.secrets.outputs.ARTIFACT_REGISTRY_SERVICE_ACCOUNT }}
- name: "Docker login"
id: "docker-login"
uses: "docker/login-action@v3"
with:
registry: "europe-west1-docker.pkg.dev"
username: "oauth2accesstoken"
password: "${{ steps.openid-auth.outputs.access_token }}"
- name: "pcapi"
id: check-checksum-tag
run: bash ./.github/workflows/scripts/check-image-tag-exists.sh
env:
image: pcapi
tag: ${{ steps.pcapi-tags.outputs.checksum-tag }}
token: ${{ steps.openid-auth.outputs.access_token }}
- name: "pcapi-console"
id: check-console-checksum-tag
run: bash ./.github/workflows/scripts/check-image-tag-exists.sh
env:
image: pcapi-console
tag: ${{ steps.pcapi-tags.outputs.checksum-tag }}
token: ${{ steps.openid-auth.outputs.access_token }}
- name: "Publish Summary"
run: |
{
echo "### :rocket: Init Job summary"
echo "| Results | Value |"
echo "| ------------------------------------ | ----- |"
echo "| commit sha | ${{ github.sha }} |"
echo "| [api] content changed | ${{ steps.check-api-documentation-changes.outputs.any_modified }} |"
echo "| [api-documentation] content changed | ${{ steps.check-api-documentation-changes.outputs.any_modified }} |"
echo "| [pro] content changed | ${{ steps.check-pro-changes.outputs.any_modified }} |"
echo "| [dependencies] content changed | ${{ steps.check-dependencies-changes.outputs.any_modified }} |"
echo "| [pcapi] image tag | ${{ steps.pcapi-tags.outputs.checksum-tag }} |"
echo "| [pcapi] image already exists | ${{ steps.check-checksum-tag.outputs.tag-exists }} |"
echo "| [pcapi-console] image already exists | ${{ steps.check-console-checksum-tag.outputs.tag-exists }} |"
} >> $GITHUB_STEP_SUMMARY
build-pcapi:
name: "[pcapi] build docker image."
needs: [pcapi-init-job]
if: needs.pcapi-init-job.outputs.api-changed == 'true' && needs.pcapi-init-job.outputs.checksum-tag-exists == 'false'
uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml
with:
ref: ${{ github.event.pull_request.head.sha }}
image: pcapi
tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
secrets:
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
# Always build pcapi-tests image if api changed
build-pcapi-tests:
name: "[pcapi-tests] build docker image."
needs: [pcapi-init-job]
if: needs.pcapi-init-job.outputs.api-changed == 'true' && needs.pcapi-init-job.outputs.checksum-tag-exists == 'false'
uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml
with:
ref: ${{ github.event.pull_request.head.sha }}
image: pcapi-tests
tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
secrets:
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
build-pcapi-console:
name: "[pcapi-console] build docker image."
needs: [pcapi-init-job]
if: (needs.pcapi-init-job.outputs.api-changed == 'true' || needs.pcapi-init-job.outputs.pro-changed == 'true') && needs.pcapi-init-job.outputs.checksum-console-tag-exists == 'false'
uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml
with:
ref: ${{ github.event.pull_request.head.sha }}
image: pcapi-console
tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
secrets:
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
run-mypy-cop:
name: "MyPy cop"
needs: [pcapi-init-job]
if: |
github.event_name == 'pull_request' &&
needs.pcapi-init-job.outputs.api-changed == 'true'
uses: ./.github/workflows/dev_on_workflow_mypy_cop.yml
update-api-client-template:
name: "Update api client template"
needs: [pcapi-init-job, build-pcapi]
uses: ./.github/workflows/dev_on_workflow_update_api_client_template.yml
concurrency:
group: update-api-client-template-${{ github.ref }}
cancel-in-progress: true
with:
PCAPI_DOCKER_TAG: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
TRIGGER_ONLY_ON_API_CHANGE: true
TRIGGER_ONLY_ON_DEPENDENCY_CHANGE: true
CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
api-changed: ${{ needs.pcapi-init-job.outputs.api-changed }}
dependencies-changed: ${{ needs.pcapi-init-job.outputs.dependencies-changed }}
secrets:
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
test-api:
name: "Tests api"
needs: [pcapi-init-job, build-pcapi-tests]
uses: ./.github/workflows/dev_on_workflow_tests_api.yml
with:
tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
secrets:
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
test-api-documentation:
name: "Tests API documentation"
needs: [pcapi-init-job]
if: needs.pcapi-init-job.outputs.api-documentation-changed == 'true'
uses: ./.github/workflows/dev_on_workflow_tests_api_documentation.yml
secrets:
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
test-pro:
name: "Tests pro"
needs: [pcapi-init-job]
if: needs.pcapi-init-job.outputs.pro-changed == 'true'
uses: ./.github/workflows/dev_on_workflow_tests_pro.yml
with:
CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
secrets:
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
test-pro-e2e:
name: "Tests pro E2E"
needs: [pcapi-init-job, build-pcapi]
uses: ./.github/workflows/dev_on_workflow_tests_pro_e2e.yml
if: always() &&
!cancelled() &&
needs.pcapi-init-job.outputs.api-changed == 'true' ||
needs.pcapi-init-job.outputs.pro-changed == 'true'
with:
tag: ${{ needs.build-pcapi.result == 'skipped' && 'latest' || needs.pcapi-init-job.outputs.checksum-tag }}
CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
secrets:
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
merge-allure-reports:
name: "Merge Allure Reports and Push to Allure Repository"
needs: [test-pro, test-pro-e2e]
runs-on: ubuntu-22.04
if: |
always() &&
!cancelled() &&
(needs.test-pro.result == 'success' || needs.test-pro-e2e.result == 'success')
steps:
- name: "Install Allure CLI via Yarn"
run: yarn global add allure-commandline
- name: "Download Allure results artifacts for pro"
uses: actions/download-artifact@v4
with:
name: allure-results-pro-unit
path: allure-results/pro-unit
# - name: "Download Allure results artifacts for pro E2E"
# uses: actions/download-artifact@v4
# with:
# name: allure-results-pro-e2e
# path: allure-results/pro-e2e
- name: "Merge Allure Results"
run: |
mkdir -p allure-results
cp -r allure-results/pro-unit/* allure-results/
- name: "Clone Allure Report Repository to Retrieve History"
env:
TOKEN: ${{ secrets.PAT_ALLURE_REPORTS_TEMP }}
run: |
git clone https://x-access-token:${TOKEN}@github.com/fseguin-pass/allure-reports-temp.git allure-report-temp
mkdir -p allure-results/history
if [ -d "allure-report-temp/history" ]; then
cp -r allure-report-temp/history/* allure-results/history/
fi
- name: "Generate Allure Report with History"
run: allure generate allure-results --single-file --clean -o allure-report
- name: "Upload Allure Report as artifact"
uses: actions/upload-artifact@v4
with:
name: allure-report
path: allure-report/index.html
dependabot-auto-merge:
name: "Dependabot"
needs: test-pro
if: github.actor == 'dependabot[bot]'
uses: ./.github/workflows/dev_on_workflow_dependabot_auto_merge.yml
# Deploy on firebase if pro tests are ok OR job was skipped (= no changes in pro folder)
deploy-pro-on-firebase-pullrequest:
name: "[PRO] Deploy PR version for validation"
needs: [pcapi-init-job, test-pro]
if: always() && (needs.test-pro.result == 'success' || needs.test-pro.result == 'skipped')
uses: ./.github/workflows/dev_on_workflow_deploy_pro_pr_version_generic.yml
secrets:
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
with:
ENV: "testing"
CHANNEL: ""
REF: "${{ github.ref }}"
CACHE_BUCKET_NAME: "passculture-infra-prod-github-runner-cache"
is_pull_request: true
# Push docker images to registry
push-pcapi:
name: "Push pcapi docker image to registry"
needs: [pcapi-init-job, test-api, test-pro-e2e]
uses: ./.github/workflows/dev_on_workflow_push_docker_image.yml
with:
image: pcapi
commit-hash: ${{ github.event.pull_request.head.sha }}
checksum-tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
secrets:
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
push-pcapi-console:
name: "Push pcapi-console docker image to registry"
needs: [pcapi-init-job, test-api, test-pro-e2e]
uses: ./.github/workflows/dev_on_workflow_push_docker_image.yml
with:
image: pcapi-console
commit-hash: ${{ github.event.pull_request.head.sha }}
checksum-tag: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
secrets:
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}
# Deploy pullrequest to testing environment
# If image builds were successfull OR image was already present in registry
deploy:
name: "Deploy PullRequest to testing environment"
needs:
[
pcapi-init-job,
push-pcapi,
push-pcapi-console,
deploy-pro-on-firebase-pullrequest,
]
if: |
always() &&
!cancelled() &&
github.actor != 'dependabot[bot]' &&
(needs.push-pcapi.result == 'success' && needs.push-pcapi-console.result == 'success') ||
(needs.pcapi-init-job.outputs.checksum-console-tag-exists == 'true' && needs.pcapi-init-job.outputs.checksum-console-tag-exists == 'true')
uses: ./.github/workflows/dev_on_workflow_deploy_pullrequests.yml
with:
environment: pullrequest
app_version: ${{ needs.pcapi-init-job.outputs.checksum-tag }}
pro_url: ${{ needs.deploy-pro-on-firebase-pullrequest.outputs.pro_url }}
secrets:
GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }}
GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }}