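# CI/CD for the Hanzo SQL (PostgreSQL) container image.
#
#   build        - builds a multi-arch image and pushes it to GHCR and Docker Hub.
#   deploy-hanzo - bumps the image tag in the hanzoai/universe GitOps repo so the
#                  operator rolls the new image out (default branches only).
#
# NOTE(review): every `uses:` below references a mutable major-version tag
# (@v4, @v3, @v5). For supply-chain hardening, pin each action to a full commit
# SHA and let Dependabot/Renovate move the pins.
name: Build and Deploy Hanzo SQL

on:
  push:
    branches: [main, master]
    tags: ['v*']
    # Only rebuild when something that feeds the image (or this workflow) changes.
    paths:
      - 'Dockerfile'
      - 'conf/**'
      - 'docker-entrypoint-initdb.d/**'
      - '.github/workflows/deploy.yml'
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: read the repo, write packages.
    permissions:
      contents: read
      packages: write
    outputs:
      short-sha: ${{ steps.sha.outputs.short }}
    steps:
      - uses: actions/checkout@v4

      - name: Compute short SHA
        id: sha
        # First 7 hex chars of the commit being built; this is also the image
        # tag the deploy job writes into the GitOps CR.
        run: echo "short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"

      - name: Fetch CI secrets from Hanzo KMS
        id: kms
        env:
          KMS_CLIENT_ID: ${{ secrets.KMS_CLIENT_ID }}
          KMS_CLIENT_SECRET: ${{ secrets.KMS_CLIENT_SECRET }}
        run: |
          set -euo pipefail
          KMS_URL="${KMS_URL:-https://kms.hanzo.ai}"

          # Universal-auth login: exchange the machine-identity client id/secret
          # for a bearer token. The credentials go through jq --arg so quoting
          # inside them cannot break the JSON body.
          ACCESS_TOKEN="$(
            curl -fsS --max-time 30 -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \
              -H "Content-Type: application/json" \
              -d "$(jq -nc --arg cid "$KMS_CLIENT_ID" --arg cs "$KMS_CLIENT_SECRET" \
                    '{clientId: $cid, clientSecret: $cs}')" \
            | jq -r '.accessToken'
          )"
          [ -n "${ACCESS_TOKEN}" ] && [ "${ACCESS_TOKEN}" != "null" ] || {
            echo "::error::Failed to authenticate to Hanzo KMS"; exit 1; }
          # The token is itself a credential: mask it so no later log line can
          # expose it (the original only masked the fetched secret values).
          echo "::add-mask::${ACCESS_TOKEN}"

          # Reads one secret from the gitops/prod project at secretPath /ci.
          # $1 is always one of the fixed names in the loop below, never user
          # input, so splicing it into the URL path unencoded is acceptable.
          fetch_secret() {
            curl -fsS --max-time 30 \
              "${KMS_URL}/api/v3/secrets/raw/${1}?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \
              -H "Authorization: Bearer ${ACCESS_TOKEN}" \
              | jq -r '.secret.secretValue'
          }

          for name in DOCKERHUB_USERNAME DOCKERHUB_TOKEN; do
            val="$(fetch_secret "$name")"
            [ -n "$val" ] && [ "$val" != "null" ] || { echo "::error::Missing KMS secret $name"; exit 1; }
            # ::add-mask:: covers a single line and the name=value form of
            # GITHUB_OUTPUT holds a single line; a multi-line value would have
            # its tail printed in clear and be truncated on the way out, so
            # refuse it rather than leak it (the value itself is not echoed).
            case "$val" in
              *$'\n'*) echo "::error::KMS secret $name is multi-line; not supported"; exit 1 ;;
            esac
            # Step outputs are NOT secrets; they are only redacted in logs
            # because of this mask. Mask before anything else can print them.
            echo "::add-mask::${val}"
            echo "${name}=${val}" >> "$GITHUB_OUTPUT"
          done

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # NOTE(review): this job already holds `packages: write`, so the
          # per-run ${{ secrets.GITHUB_TOKEN }} would suffice here and is far
          # narrower than a long-lived PAT. GH_PAT is kept because the
          # ghcr.io/hanzoai/sql package may currently be owned/linked outside
          # this repository; switch once that is confirmed.
          password: ${{ secrets.GH_PAT }}

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        # No continue-on-error: the KMS step already fails hard when the
        # Docker Hub credentials are missing, and the push below targets
        # hanzoai/sql on docker.io unconditionally, so a failed login would
        # only resurface as a less readable push error.
        with:
          registry: docker.io
          username: ${{ steps.kms.outputs.DOCKERHUB_USERNAME }}
          password: ${{ steps.kms.outputs.DOCKERHUB_TOKEN }}

      - name: Image metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/hanzoai/sql
            hanzoai/sql
          # `latest` and the major-version alias only move on the default
          # branch; every build also gets its short-SHA tag, and v* tags get
          # their semver aliases. The `18` alias must agree with PG_MAJOR below.
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=raw,value=18,enable={{is_default_branch}}
            type=sha,prefix=
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          build-args: PG_MAJOR=18
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha,scope=sql
          cache-to: type=gha,mode=max,scope=sql

  deploy-hanzo:
    needs: build
    # Tag builds publish images only; deploys happen from the default branches.
    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    # Serialise deploys: two overlapping runs would race on the push to
    # `universe` (non-fast-forward) and could roll the tag back to an older SHA.
    concurrency:
      group: deploy-hanzo-sql
      cancel-in-progress: false
    permissions:
      contents: read
    env:
      CR: infra/k8s/hanzo-operator/crs/sql.yaml
      # Passed through the environment instead of being interpolated into
      # `run:` scripts, so the value is never re-parsed by the shell.
      TAG: ${{ needs.build.outputs.short-sha }}
    steps:
      - name: Checkout universe repo
        uses: actions/checkout@v4
        with:
          repository: hanzoai/universe
          # Cross-repo write needs a PAT; GITHUB_TOKEN is scoped to this repo.
          # checkout persists the token in the `universe` clone's git config,
          # which is what the push step below relies on.
          token: ${{ secrets.GH_PAT }}
          path: universe
          sparse-checkout: |
            infra/k8s/hanzo-operator/crs/sql.yaml

      - name: Install yq
        # NOTE(review): unpinned binary fetched from "latest" and installed with
        # sudo, with no checksum verification. Pin a release version and verify
        # the download against the checksums file shipped with that release, or
        # use the yq preinstalled on the hosted runner image if one is present.
        run: |
          set -euo pipefail
          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
          sudo chmod +x /usr/local/bin/yq

      - name: Update SQL CR image tag
        working-directory: universe
        run: |
          set -euo pipefail
          # Defence in depth: TAG comes from GITHUB_SHA upstream, but anything
          # that reaches yq and git here must look like a 7-char short SHA.
          [[ "$TAG" =~ ^[0-9a-f]{7}$ ]] || { echo "::error::Unexpected image tag '${TAG}'"; exit 1; }
          echo "Updating ${CR} image tag to ${TAG}"
          # strenv() keeps an all-digit SHA a YAML string rather than an integer
          # and avoids splicing the value into the yq expression by hand.
          yq -i '.spec.image.tag = strenv(TAG)' "${CR}"
          yq -i '.spec.image.pullPolicy = "IfNotPresent"' "${CR}"
          echo "--- Updated CR ---"
          cat "${CR}"

      - name: Commit and push to universe
        working-directory: universe
        run: |
          set -euo pipefail
          git config user.name "hanzo-bot"
          git config user.email "bot@hanzo.ai"
          git add "${CR}"
          # Nothing staged (tag already current) is a successful no-op.
          git diff --cached --quiet && { echo "No changes to commit"; exit 0; }
          git commit -m "deploy(sql): update image tag to ${TAG}"
          git push origin main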