-
Notifications
You must be signed in to change notification settings - Fork 3
119 lines (99 loc) · 4.16 KB
/
release.yml
File metadata and controls
119 lines (99 loc) · 4.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
---
name: deploy-production
concurrency:
group: deploy-production
cancel-in-progress: true
on:
release:
types:
- published
permissions:
contents: read
jobs:
deploy-production:
runs-on: ubuntu-latest
environment: production
env:
IS_CI_AUTOMATION: "yes"
steps:
- name: Download deployment artifact
uses: dsaltares/fetch-gh-release-asset@master
with:
version: ${{ github.event.release.id }}
file: deployment.json
- name: Extract deployment values
id: deployment-data
run: |
echo "ecr-tag=$(jq .ecr_tag < deployment.json)" >> $GITHUB_OUTPUT
echo "semver=$(jq .version < deployment.json)" >> $GITHUB_OUTPUT
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-central-1
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: "true"
- name: Retag docker image
id: retag-image
run: |
# Pull the image we want to deploy; its tag is the git commit hash that caused it to exist
SOURCE_TAG="${{ steps.deployment-data.outputs.ecr-tag }}"
docker pull $SOURCE_TAG
# Get the URL for the image, replacing the tag for the semantic version
IMAGE_BASE=$(echo $SOURCE_TAG | cut -d: -f1)
SEMVER="v${{ steps.deployment-data.outputs.semver }}"
TARGET_TAG="$IMAGE_BASE:$SEMVER"
docker tag $SOURCE_TAG $TARGET_TAG
# Push the new image
docker push $TARGET_TAG
# Output the target tag
echo "target-tag=$TARGET_TAG" >> $GITHUB_OUTPUT
- name: Download Pulumi artifact
uses: dsaltares/fetch-gh-release-asset@master
with:
version: ${{ github.event.release.id }}
file: pulumi.tbz
- name: Decompress Pulumi code
shell: bash
run: |
tar -xvf pulumi.tbz
- name: Set up Python ${{ vars.PYTHON_VERSION}}
uses: actions/setup-python@v5
with:
python-version: ${{ vars.PYTHON_VERSION}}
- name: Install Pulumi
shell: bash
run: |
curl -fsSL https://get.pulumi.com | sh
- name: Deploy version-tagged image to prod
shell: bash
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
run: |
# Update the PATH to include the right version of Pulumi; this is non-trivial or impossible
# to do with the GHA workflow "env" settings.
export PATH="/home/runner/.pulumi/bin:$PATH"
# Pull the versioned tag from the previous step
target_tag="${{ steps.retag-image.outputs.target-tag }}"
# Create a YAML config stump containing only the nested tree leading to the image tag update
cd pulumi
cat << EOF > newimage.yaml
.accounts_image: &ACCOUNTS_IMAGE "$target_tag"
EOF
# Use yq to merge the stump into the main config
yq -i '. *= load("newimage.yaml")' config.prod.yaml
export PULUMI_CONFIG_PASSPHRASE='${{ secrets.PULUMI_PASSPHRASE }}'
# Set up the Pulumi environment and update the service
pulumi login
pulumi stack select thunderbird/prod
TBPULUMI_DISABLE_PROTECTION=True \
pulumi up -y --diff \
--target 'urn:pulumi:prod::accounts::tb:fargate:FargateClusterWithLogging$aws:ecs/taskDefinition:TaskDefinition::accounts-prod-fargate-accounts-taskdef' \
--target 'urn:pulumi:prod::accounts::tb:fargate:FargateClusterWithLogging$aws:ecs/taskDefinition:TaskDefinition::accounts-prod-fargate-accounts-celery-taskdef' \
--target 'urn:pulumi:prod::accounts::aws:ecs/taskDefinition:TaskDefinition::accounts-prod-afc-accounts-taskdef-celery-prod' \
--target 'urn:pulumi:prod::accounts::aws:ecs/taskDefinition:TaskDefinition::accounts-prod-afc-accounts-taskdef-flower-prod' \
--target-dependents