Rebrand postgres → sql: pin PG16, deploy to statefulset/sql #14
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy Hanzo SQL | |
| on: | |
| push: | |
| branches: [master, main] | |
| tags: ['v*'] | |
| paths: | |
| - 'hanzo/**' | |
| - 'Dockerfile' | |
| - '.github/workflows/deploy.yml' | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Fetch CI secrets from Hanzo KMS | |
| id: kms | |
| env: | |
| KMS_CLIENT_ID: ${{ secrets.KMS_CLIENT_ID }} | |
| KMS_CLIENT_SECRET: ${{ secrets.KMS_CLIENT_SECRET }} | |
| run: | | |
| set -euo pipefail | |
| KMS_URL="${KMS_URL:-https://kms.hanzo.ai}" | |
| retry() { | |
| local n=0 | |
| until [ $n -ge 5 ]; do | |
| "$@" && return 0 | |
| n=$((n+1)); echo "::warning::Retry $n/5..." >&2; sleep $((n*5)) | |
| done | |
| return 1 | |
| } | |
| kms_login() { | |
| curl -fsS -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \ | |
| -H "Content-Type: application/json" \ | |
| -d "$(jq -nc --arg cid "$KMS_CLIENT_ID" --arg cs "$KMS_CLIENT_SECRET" \ | |
| '{clientId: $cid, clientSecret: $cs}')" \ | |
| | jq -re '.accessToken' | |
| } | |
| ACCESS_TOKEN="$(retry kms_login)" | |
| [ -n "${ACCESS_TOKEN}" ] && [ "${ACCESS_TOKEN}" != "null" ] || { | |
| echo "::error::Failed to authenticate to Hanzo KMS"; exit 1; } | |
| fetch_secret() { | |
| curl -fsS "${KMS_URL}/api/v3/secrets/raw/${1}?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \ | |
| -H "Authorization: Bearer ${ACCESS_TOKEN}" \ | |
| | jq -re '.secret.secretValue' | |
| } | |
| for name in DOCKERHUB_USERNAME DOCKERHUB_TOKEN DIGITALOCEAN_ACCESS_TOKEN; do | |
| val="$(retry fetch_secret "$name")" | |
| [ -n "$val" ] && [ "$val" != "null" ] || { echo "::error::Missing KMS secret $name"; exit 1; } | |
| echo "::add-mask::${val}" | |
| echo "${name}=${val}" >> "$GITHUB_OUTPUT" | |
| done | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GH_PAT }} | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| continue-on-error: true | |
| with: | |
| registry: docker.io | |
| username: ${{ steps.kms.outputs.DOCKERHUB_USERNAME }} | |
| password: ${{ steps.kms.outputs.DOCKERHUB_TOKEN }} | |
| - name: Image metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/hanzoai/sql | |
| hanzoai/sql | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=raw,value=16,enable={{is_default_branch}} | |
| type=sha,prefix= | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| - name: Build and push | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha,scope=sql | |
| cache-to: type=gha,mode=max,scope=sql | |
| deploy-hanzo: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Fetch secrets from Hanzo KMS | |
| id: kms | |
| env: | |
| KMS_CLIENT_ID: ${{ secrets.KMS_CLIENT_ID }} | |
| KMS_CLIENT_SECRET: ${{ secrets.KMS_CLIENT_SECRET }} | |
| run: | | |
| set -euo pipefail | |
| KMS_URL="${KMS_URL:-https://kms.hanzo.ai}" | |
| retry() { | |
| local n=0 | |
| until [ $n -ge 5 ]; do | |
| "$@" && return 0 | |
| n=$((n+1)); echo "::warning::Retry $n/5..." >&2; sleep $((n*5)) | |
| done | |
| return 1 | |
| } | |
| kms_login() { | |
| curl -fsS -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \ | |
| -H "Content-Type: application/json" \ | |
| -d "$(jq -nc --arg cid "$KMS_CLIENT_ID" --arg cs "$KMS_CLIENT_SECRET" \ | |
| '{clientId: $cid, clientSecret: $cs}')" \ | |
| | jq -re '.accessToken' | |
| } | |
| ACCESS_TOKEN="$(retry kms_login)" | |
| [ -n "${ACCESS_TOKEN}" ] && [ "${ACCESS_TOKEN}" != "null" ] || { | |
| echo "::error::Failed to authenticate to Hanzo KMS"; exit 1; } | |
| fetch_do_token() { | |
| curl -fsS "${KMS_URL}/api/v3/secrets/raw/DIGITALOCEAN_ACCESS_TOKEN?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \ | |
| -H "Authorization: Bearer ${ACCESS_TOKEN}" \ | |
| | jq -re '.secret.secretValue' | |
| } | |
| val="$(retry fetch_do_token)" | |
| [ -n "$val" ] && [ "$val" != "null" ] || { echo "::error::Missing KMS secret DIGITALOCEAN_ACCESS_TOKEN"; exit 1; } | |
| echo "::add-mask::${val}" | |
| echo "DIGITALOCEAN_ACCESS_TOKEN=${val}" >> "$GITHUB_OUTPUT" | |
| - name: Install doctl | |
| uses: digitalocean/action-doctl@v2 | |
| with: | |
| token: ${{ steps.kms.outputs.DIGITALOCEAN_ACCESS_TOKEN }} | |
| - name: Configure kubectl (hanzo-k8s) | |
| run: doctl kubernetes cluster kubeconfig save hanzo-k8s | |
| - name: Rolling update sql | |
| run: | | |
| kubectl -n hanzo set image statefulset/sql \ | |
| sql=ghcr.io/hanzoai/sql:${GITHUB_SHA::7} | |
| kubectl -n hanzo rollout status statefulset/sql --timeout=120s |