Add deployment workflow (#9)

Author: cleot

.dockerignore

@@ -0,0 +1,2 @@
+target/
+.git/

.github/workflows/build-push.yml

@@ -0,0 +1,71 @@
+name: build and push tagged image
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+    GAR_LOCATION: "europe-west1"
+    GAR_PATH: "europe-west1-docker.pkg.dev/cs-host-c9f0ca592f814d028135fa/bitcr-devs-repo"
+    IMAGE: "bcr-relay"
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Docker login (GAR) with JSON key
+      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+      with:
+        registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
+        username: _json_key
+        password: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+
+    - name: Set up Docker Buildx
+      id: buildx
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      with:
+        driver: docker
+
+    - id: meta
+      name: Metadata for ${{ env.IMAGE }}
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+      with:
+        images: ${{ env.GAR_PATH }}/${{ env.IMAGE }}
+        tags: |
+          type=semver,pattern={{version}}
+
+    - id: push
+      name: Build & push ${{ env.IMAGE }}
+      uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
+      with:
+        context: .
+        file: Dockerfile
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        # Uncomment for per-service cache
+        # cache-from: type=registry,ref=${{ env.GAR_PATH }}/${{ env.IMAGE }}:buildcache
+        # cache-to:   type=registry,ref=${{ env.GAR_PATH }}/${{ env.IMAGE }}:buildcache,mode=max
+
+    - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+      with:
+        subject-name: ${{ env.GAR_PATH }}/${{ env.IMAGE }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: true

.github/workflows/deploy.yml

@@ -0,0 +1,121 @@
+name: 'Deploy to Cloud Run'
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'deploy tag to environment'
+        required: true
+        default: 'dev'
+        type: choice
+        options:
+          - dev
+          - prod
+
+jobs:
+
+######################################################################
+# env:  prod (bcr-relay)
+  deploy:
+    name: deploy to prod
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'prod'
+
+    permissions:
+      contents: read
+      deployments: write
+      id-token: write
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.inputs.environment || github.event_name }}
+      cancel-in-progress: true
+
+    runs-on: ubuntu-latest
+    environment: prod
+
+    env:
+      GCR_SERVICE: ${{ vars.GCR_SERVICE }}
+      GCR_REGION: ${{ vars.GCR_REGION }}
+      GAR_PATH: ${{ vars.GAR_PATH }}
+      IMAGE_NAME: ${{ vars.IMAGE_NAME }}
+
+    steps:
+      - name: Validate tag on dispatch
+        run: |
+          if [[ "${{ github.ref_type }}" != 'tag' ]]; then
+            echo "::error::Manual deployments must be triggered from a tag."
+            echo "::error::Please select a tag from the 'Use workflow from' dropdown, not a branch."
+            exit 1
+          fi
+          echo "Validation successful: Running from tag '${{ github.ref_name }}'."
+
+      - name: Authenticate to GCP
+        id: auth
+        uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+        with:
+          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+
+      - name: 'Set image tag to ${{ github.ref_name }}'
+        id: tag
+        run: |
+          TAG=${{ github.ref_name }}
+          SEMVER_TAG="${TAG#v}"
+          echo "IMAGE_TAG=$SEMVER_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Deploy to Cloud Run
+        uses: google-github-actions/deploy-cloudrun@2028e2d7d30a78c6910e0632e48dd561b064884d # v3
+        with:
+          service:  ${{ env.GCR_SERVICE }}
+          region:   ${{ env.GCR_REGION }}
+          image:    ${{ env.GAR_PATH }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.IMAGE_TAG }}
+
+######################################################################
+# env:  dev (bcr-relay-dev)
+  deploy-dev:
+    name: deploy to dev
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'dev'
+
+    permissions:
+      contents: read
+      deployments: write
+      id-token: write
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.inputs.environment || github.event_name }}
+      cancel-in-progress: true
+
+    runs-on: ubuntu-latest
+    environment: dev
+
+    env:
+      GCR_SERVICE: ${{ vars.GCR_SERVICE }}
+      GCR_REGION: ${{ vars.GCR_REGION }}
+      GAR_PATH: ${{ vars.GAR_PATH }}
+      IMAGE_NAME: ${{ vars.IMAGE_NAME }}
+
+    steps:
+      - name: Validate tag on dispatch
+        run: |
+          if [[ "${{ github.ref_type }}" != 'tag' ]]; then
+            echo "::error::Manual deployments must be triggered from a tag."
+            echo "::error::Please select a tag from the 'Use workflow from' dropdown, not a branch."
+            exit 1
+          fi
+          echo "Validation successful: Running from tag '${{ github.ref_name }}'."
+
+      - name: Authenticate to GCP
+        id: auth
+        uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+        with:
+          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+
+      - name: 'Set image tag to ${{ github.ref_name }}'
+        id: tag
+        run: |
+          TAG=${{ github.ref_name }}
+          SEMVER_TAG="${TAG#v}"
+          echo "IMAGE_TAG=$SEMVER_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Deploy to Cloud Run
+        uses: google-github-actions/deploy-cloudrun@2028e2d7d30a78c6910e0632e48dd561b064884d # v3
+        with:
+          service:  ${{ env.GCR_SERVICE }}
+          region:   ${{ env.GCR_REGION }}
+          image:    ${{ env.GAR_PATH }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.IMAGE_TAG }}

Dockerfile

@@ -0,0 +1,32 @@
+##############################
+## Build bcr-relay
+##############################
+FROM rust:latest AS rust-builder
+
+WORKDIR /bcr-relay
+RUN update-ca-certificates
+COPY . .
+
+RUN cargo build --release
+
+##############################
+## Create image for docker compose
+##############################
+FROM ubuntu:22.04
+
+RUN apt-get update && \
+  apt-get install -y ca-certificates libpq5 && \
+  apt-get clean
+
+WORKDIR /relay
+
+# Copy binary release
+COPY --from=rust-builder /bcr-relay/target/release/bcr-relay ./bcr-relay
+COPY --from=rust-builder /bcr-relay/static/ ./static/
+
+RUN chmod +x /relay/bcr-relay
+
+# Expose server port
+EXPOSE 8080
+
+CMD ["/relay/bcr-relay", "--listen-address=0.0.0.0:8080"]