chore: deploy testnet GA workflow (#15887)

alexghr · web-flow · commit 58fff55cb1bf · 2025-07-22T16:50:28.000Z
diff --git a/.github/workflows/testnet-deploy.yml b/.github/workflows/testnet-deploy.yml
@@ -0,0 +1,115 @@
+name: Aztec Testnet Deployment
+
+on:
+  workflow_call:
+    inputs:
+      respect_tf_lock:
+        description: Whether to respect the Terraform lock
+        required: false
+        type: string
+        default: "true"
+      run_terraform_destroy:
+        description: Whether to run terraform destroy before deploying
+        required: false
+        type: string
+        default: "false"
+      aztec_docker_image:
+        description: The Aztec Docker image to use, e.g. aztecprotocol/aztec:latest
+        required: false
+        type: string
+    secrets:
+      GCP_SA_KEY:
+        required: true
+  workflow_dispatch:
+    inputs:
+      respect_tf_lock:
+        description: Whether to respect the Terraform lock
+        required: false
+        type: string
+        default: "true"
+      run_terraform_destroy:
+        description: Whether to run terraform destroy before deploying
+        required: false
+        type: string
+        default: "false"
+      aztec_docker_image:
+        description: The Aztec Docker image to use, e.g. aztecprotocol/aztec:latest
+        required: false
+        type: string
+
+jobs:
+  testnet_deployment:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: deploy-testnet # Only one job globally
+      cancel-in-progress: false # Allow previous deployment to complete to avoid corruption
+
+    env:
+      AZTEC_DOCKER_IMAGE: ${{ inputs.aztec_docker_image }}
+      CLUSTER_NAME: aztec-gke-public
+      REGION: us-west1-a
+      TF_STATE_BUCKET: aztec-terraform
+      GKE_CLUSTER_CONTEXT: "gke_testnet-440309_us-west1-a_aztec-gke-public"
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a
+
+      - name: Install GKE Auth Plugin
+        run: |
+          gcloud components install gke-gcloud-auth-plugin --quiet
+
+      - name: Configure kubectl with GKE cluster
+        run: |
+          gcloud container clusters get-credentials ${{ env.CLUSTER_NAME }} --region ${{ env.REGION }}
+
+      - name: Ensure Terraform state bucket exists
+        run: |
+          if ! gsutil ls gs://${{ env.TF_STATE_BUCKET }} >/dev/null 2>&1; then
+            echo "Creating GCS bucket for Terraform state..."
+            gsutil mb -l us-east4 gs://${{ env.TF_STATE_BUCKET }}
+            gsutil versioning set on gs://${{ env.TF_STATE_BUCKET }}
+          else
+            echo "Terraform state bucket already exists"
+          fi
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1
+        with:
+          terraform_version: "1.5.0" 
+
+      - name: Terraform Init
+        working-directory: ./spartan/terraform/deploy-testnet
+        run: |
+          terraform init
+
+      - name: Terraform Destroy
+        working-directory: ./spartan/terraform/deploy-testnet
+        if: ${{ inputs.run_terraform_destroy == 'true' }}
+        # Destroy fails if the resources are already destroyed, so we continue on error
+        continue-on-error: true
+        run: |
+          terraform destroy -auto-approve \
+            -lock=${{ inputs.respect_tf_lock }}
+
+      - name: Terraform Plan
+        working-directory: ./spartan/terraform/deploy-testnet
+        run: |
+          terraform plan \
+            -out=tfplan \
+            -var="AZTEC_DOCKER_IMAGE=${AZTEC_DOCKER_IMAGE:-aztecprotocol/aztec:latest}" \
+            -lock=${{ inputs.respect_tf_lock }}
+
+      - name: Terraform Apply
+        working-directory: ./spartan/terraform/deploy-testnet
+        run: terraform apply -lock=${{ inputs.respect_tf_lock }} -auto-approve tfplan
diff --git a/spartan/terraform/deploy-telemetry/main.tf b/spartan/terraform/deploy-telemetry/main.tf
@@ -93,7 +93,7 @@ resource "kubernetes_manifest" "otel_ingress_backend" {
 
 locals {
   prefixes   = jsondecode(file("../../../yarn-project/aztec/public_include_metric_prefixes.json"))
-  registries = ["0x4d2cc1d5fb6be65240e0bfc8154243e69c0fb19e", "0xec4156431d0f3df66d4e24ba3d30dcb4c85fa309"]
+  registries = ["0xec4156431d0f3df66d4e24ba3d30dcb4c85fa309"]
   roles      = ["sequencer"]
 
   otel_metric_allowlist   = join(" or ", formatlist("HasPrefix(name, %q)", local.prefixes))
