-
Notifications
You must be signed in to change notification settings - Fork 3
199 lines (171 loc) · 7.92 KB
/
deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.
name: Build, Release and Deploy to GKE
on:
push:
branches:
- master
- latest
- develop-*
env:
PROJECT_ID: ${{ secrets.GKE_PROJECT }}
GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} # Add your cluster name here.
GKE_REGION: ${{ vars.GKE_REGION }} # Add your cluster zone here.
DEPLOYMENT_NAME: ${{ secrets.DEPLOYMENT_NAME }} # Add your deployment name here.
SLACK_NOTIFICACTION_URL: ${{ secrets.SLACK_NOTIFICACTION_URL }}
SLACK_NOTIFICACTION_CHANNEL: ${{ secrets.SLACK_NOTIFICACTION_CHANNEL }}
AR_LOCATION: ${{ vars.AR_LOCATION }}
AR_REPOSITORY: ${{ vars.AR_REPOSITORY }}
IMAGE_NAME: ${{vars.AR_LOCATION}}-docker.pkg.dev/${{secrets.GKE_PROJECT}}/${{vars.AR_REPOSITORY}}/${{github.ref_name}}
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
runs-on: ubuntu-latest
if: github.event_name == 'push'
environment:
name: ${{ github.ref_name }}
permissions:
contents: write
checks: write
# required for all workflows
security-events: write
steps:
- uses: actions/checkout@v4
# fetch Tag from package.json version
- name: Get Tag from package.json
id: version
run: echo "TAG=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT
# echo Tag
- name: Echo Tag
run: echo ${{ steps.version.outputs.TAG }}
# parse the changelog to get the release description
- name: Parse Changelog Entries
uses: actions/github-script@v7
id: changelog
with:
script: |
const { open } = require('fs/promises');
const version ='${{ steps.version.outputs.TAG }}';
const delimiter = '### ';
const file = await open('./changes.md');
let description = [];
let found = false;
for await (let line of file.readLines()) {
line = line.trim();
if ( line.startsWith(`${delimiter}${version}`) ) {
found = true;
continue;
}
if (!found) continue;
if ( line.startsWith(delimiter) ) break;
description.push(line);
}
if ( !description.length ) core.setFailed(`Release ${version} not found in the changelog!`);
core.setOutput('description', description.join('\n') );
# Setup gcloud CLI
- id: 'auth'
uses: 'google-github-actions/auth@v2'
with:
credentials_json: '${{ secrets.GKE_SA_KEY }}'
# Set up Cloud SDK
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
with:
project_id: ${{ secrets.GKE_PROJECT }}
# Configure Docker to use the gcloud command-line tool as a credential
# helper for authentication
- run: |-
gcloud --quiet auth configure-docker $AR_LOCATION-docker.pkg.dev
# Build the Docker image
- name: Build
run: |-
docker build \
--tag "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}" \
--build-arg GITHUB_SHA="$GITHUB_SHA" \
--build-arg GITHUB_REF="$GITHUB_REF" \
.
# Push the Docker image to Google Container Registry
- name: Publish
run: |-
docker push "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}"
# Scan Docker image for vulnerabilities
- name: Scan Docker Image using Trivy
if: github.ref_name == 'master'
uses: aquasecurity/trivy-action@master
with:
image-ref: "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}"
exit-code: '0'
timeout: '60m0s'
format: 'sarif'
output: 'trivy-results.sarif'
# Upload Trivy scan results to GitHub Security tab
- name: Upload Trivy scan results to GitHub Security tab
if: github.ref_name == 'master'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
# Generate SPDX SBOM
- name: Generate SBOM with Anchore Action
if: github.ref_name == 'master'
id: sbom
uses: anchore/sbom-action@v0
with:
image: "${{env.IMAGE_NAME}}:${{ steps.version.outputs.TAG }}"
output-file: sbom.spdx.json
format: spdx-json
# Create a release with the version changelog as a description and attach the sbom
- name: Create GitHub Release
if: github.ref_name == 'master'
id: create_github_release
uses: softprops/action-gh-release@v2
with:
name: "Release ${{ steps.version.outputs.TAG }}"
body: "${{ steps.changelog.outputs.description }}"
tag_name: ${{ steps.version.outputs.TAG }}
prerelease: false
files: |
./sbom.spdx.json
# Get the GKE credentials so we can deploy to the cluster
- uses: google-github-actions/get-gke-credentials@v2
with:
cluster_name: ${{ env.GKE_CLUSTER }}
location: ${{ env.GKE_REGION }}
project_id: ${{ secrets.GKE_PROJECT }}
# Set up kustomize
- name: Set up Kustomize
run: |-
curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.3.0/kustomize_v5.3.0_linux_amd64.tar.gz
chmod u+x ./kustomize
# Deploy secret variables
- run: |
sed -i.bak "s|CLUSTER_NAME_VALUE|${{ vars.GKE_CLUSTER }}|g" ci/deployment-v2.yml
sed -i.bak "s|CLUSTER_ENDPOINT_VALUE|${{ secrets.KUBERNETES_CLUSTER_ENDPOINT }}|g" ci/deployment-v2.yml
sed -i.bak "s|CLUSTER_NAMESPACE_VALUE|${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }}|g" ci/deployment-v2.yml
sed -i.bak "s|CLUSTER_NAMESPACE_VALUE|${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }}|g" ci/deployment-restart-cronjob.yml
sed -i.bak "s|CLUSTER_USER_TOKEN_VALUE|${{ secrets.KUBERNETES_CLUSTER_USER_TOKEN }}|g" ci/deployment-v2.yml
sed -i.bak "s|CLUSTER_SERVICEACCOUNT_VALUE|${{ secrets.KUBERNETES_CLUSTER_SERVICEACCOUNT }}|g" ci/deployment-v2.yml
sed -i.bak "s|CLUSTER_CERTIFICATE_VALUE|${{ secrets.KUBERNETES_CLUSTER_CERTIFICATE }}|g" ci/deployment-v2.yml
sed -i.bak "s|CLUSTER_USER_SECRET_VALUE|${{ secrets.KUBERNETES_CLUSTER_USER_SECRET }}|g" ci/deployment-v2.yml
sed -i.bak "s|CLUSTER_CONTEXT_VALUE|${{ secrets.KUBERNETES_CLUSTER_CONTEXT }}|g" ci/deployment-v2.yml
sed -i.bak "s|ACCESS_TOKEN_VALUE|${{ secrets.ACCESS_TOKEN }}|g" ci/deployment-v2.yml
sed -i.bak "s|SLACK_NOTIFICACTION_URL_VALUE|${{ secrets.SLACK_NOTIFICACTION_URL }}|g" ci/deployment-v2.yml
sed -i.bak "s|SLACK_NOTIFICACTION_CHANNEL_VALUE|${{ secrets.SLACK_NOTIFICACTION_CHANNEL }}|g" ci/deployment-v2.yml
sed -i.bak "s|IMAGE_VERSION|${{ steps.version.outputs.TAG }}|g" ci/deployment-v2.yml
sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" ci/service.yml
sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" ci/deployment-v2.yml
sed -i.bak "s|GITHUB_ORG|$GITHUB_REPOSITORY_OWNER|g" ci/deployment-restart-cronjob.yml
sed -i.bak "s|GITHUB_BRANCH|$GITHUB_REF_NAME|g" ci/service.yml
sed -i.bak "s|GITHUB_BRANCH|$GITHUB_REF_NAME|g" ci/deployment-v2.yml
sed -i.bak "s|GITHUB_BRANCH|$GITHUB_REF_NAME|g" ci/deployment-restart-cronjob.yml
sed -i.bak "s|PROJECT_ID|$PROJECT_ID|g" ci/deployment-v2.yml
sed -i.bak "s|AR_LOCATION|$AR_LOCATION|g" ci/deployment-v2.yml
# Deploy the Docker image to the GKE cluster
- run: |
kubectl apply -n ${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }} -f ci/service.yml && \
kubectl apply -n ${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }} -f ci/deployment-v2.yml && \
kubectl apply -n ${{ secrets.KUBERNETES_CLUSTER_NAMESPACE }} -f ci/deployment-restart-cronjob.yml