feat: migrate deploy to GitOps pattern — stop kubectl set image #22
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy Hanzo SQL | |
| on: | |
| push: | |
| branches: [main, master] | |
| tags: ['v*'] | |
| paths: | |
| - 'Dockerfile' | |
| - 'conf/**' | |
| - 'docker-entrypoint-initdb.d/**' | |
| - '.github/workflows/deploy.yml' | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| outputs: | |
| short-sha: ${{ steps.sha.outputs.short }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Compute short SHA | |
| id: sha | |
| run: echo "short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT" | |
| - name: Fetch CI secrets from Hanzo KMS | |
| id: kms | |
| env: | |
| KMS_CLIENT_ID: ${{ secrets.KMS_CLIENT_ID }} | |
| KMS_CLIENT_SECRET: ${{ secrets.KMS_CLIENT_SECRET }} | |
| run: | | |
| set -euo pipefail | |
| KMS_URL="${KMS_URL:-https://kms.hanzo.ai}" | |
| ACCESS_TOKEN="$( | |
| curl -fsS -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \ | |
| -H "Content-Type: application/json" \ | |
| -d "$(jq -nc --arg cid "$KMS_CLIENT_ID" --arg cs "$KMS_CLIENT_SECRET" \ | |
| '{clientId: $cid, clientSecret: $cs}')" \ | |
| | jq -r '.accessToken' | |
| )" | |
| [ -n "${ACCESS_TOKEN}" ] && [ "${ACCESS_TOKEN}" != "null" ] || { | |
| echo "::error::Failed to authenticate to Hanzo KMS"; exit 1; } | |
| fetch_secret() { | |
| curl -fsS "${KMS_URL}/api/v3/secrets/raw/${1}?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \ | |
| -H "Authorization: Bearer ${ACCESS_TOKEN}" \ | |
| | jq -r '.secret.secretValue' | |
| } | |
| for name in DOCKERHUB_USERNAME DOCKERHUB_TOKEN; do | |
| val="$(fetch_secret "$name")" | |
| [ -n "$val" ] && [ "$val" != "null" ] || { echo "::error::Missing KMS secret $name"; exit 1; } | |
| echo "::add-mask::${val}" | |
| echo "${name}=${val}" >> "$GITHUB_OUTPUT" | |
| done | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GH_PAT }} | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| continue-on-error: true | |
| with: | |
| registry: docker.io | |
| username: ${{ steps.kms.outputs.DOCKERHUB_USERNAME }} | |
| password: ${{ steps.kms.outputs.DOCKERHUB_TOKEN }} | |
| - name: Image metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/hanzoai/sql | |
| hanzoai/sql | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=raw,value=18,enable={{is_default_branch}} | |
| type=sha,prefix= | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| - name: Build and push | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| build-args: PG_MAJOR=18 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha,scope=sql | |
| cache-to: type=gha,mode=max,scope=sql | |
| deploy-hanzo: | |
| needs: build | |
| if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout universe repo | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: hanzoai/universe | |
| token: ${{ secrets.GH_PAT }} | |
| path: universe | |
| sparse-checkout: | | |
| infra/k8s/hanzo-operator/crs/sql.yaml | |
| - name: Install yq | |
| run: | | |
| sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 | |
| sudo chmod +x /usr/local/bin/yq | |
| - name: Update SQL CR image tag | |
| working-directory: universe | |
| run: | | |
| TAG="${{ needs.build.outputs.short-sha }}" | |
| CR="infra/k8s/hanzo-operator/crs/sql.yaml" | |
| echo "Updating ${CR} image tag to ${TAG}" | |
| yq -i '.spec.image.tag = "'"${TAG}"'"' "${CR}" | |
| yq -i '.spec.image.pullPolicy = "IfNotPresent"' "${CR}" | |
| echo "--- Updated CR ---" | |
| cat "${CR}" | |
| - name: Commit and push to universe | |
| working-directory: universe | |
| run: | | |
| TAG="${{ needs.build.outputs.short-sha }}" | |
| git config user.name "hanzo-bot" | |
| git config user.email "bot@hanzo.ai" | |
| git add infra/k8s/hanzo-operator/crs/sql.yaml | |
| git diff --cached --quiet && { echo "No changes to commit"; exit 0; } | |
| git commit -m "deploy(sql): update image tag to ${TAG}" | |
| git push origin main |