2 [on_schedule] deploy main and pro #2128
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "2 [on_schedule] deploy main and pro" | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| # This cron is defined in UTC timezone. It means that it will run: | |
| # - during summer hours between 8:28am - 7:28pm | |
| # - during winter hours between 7:28am - 6:28pm | |
| # we cannot yet specify timezone : | |
| # https://github.com/orgs/community/discussions/13454 | |
| # Why 27? Choosing an exact hour or half-hour is discouraged by GitHub due to high load. | |
| # Cron jobs might be delayed or even completely skipped. | |
| - cron: "27 6-17 * * 1-5" | |
| permissions: write-all | |
| env: | |
| docker_registry: "europe-west1-docker.pkg.dev/passculture-infra-prod/pass-culture-artifact-registry" | |
| GIT_CONFIG_EMAIL: [email protected] | |
| GIT_CONFIG_NAME: scheduled-testing-deployment | |
| jobs: | |
| pcapi-init-job: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| checksum-tag: ${{ steps.pcapi-tags.outputs.checksum-tag }} | |
| pcapi-exists: ${{ steps.check-checksum-tag.outputs.tag-exists }} | |
| pcapi-console-exists: ${{ steps.check-console-checksum-tag.outputs.tag-exists }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-tags: false | |
| ref: "master" | |
| - name: "Define pcapi image tags." | |
| id: pcapi-tags | |
| run: | | |
| DOCKER_IMAGE="${{ env.docker_registry }}/pcapi" | |
| API_CHECKSUM=`tar --sort=name --owner=0 --group=0 --mtime='UTC 2019-01-01' -cf - api | sha1sum | awk '{ print $1 }'` | |
| PUSH_TAGS="push-tags=$DOCKER_IMAGE:${{ github.sha }},$DOCKER_IMAGE:$API_CHECKSUM,$DOCKER_IMAGE:latest" | |
| API_TAG="checksum-tag=$API_CHECKSUM" | |
| echo "PUSH_TAGS=$PUSH_TAGS" | |
| echo "API_TAG=$API_TAG" | |
| echo $PUSH_TAGS >> "$GITHUB_OUTPUT" | |
| echo $API_TAG >> "$GITHUB_OUTPUT" | |
| - name: "Authentification to Google" | |
| uses: "google-github-actions/auth@v3" | |
| with: | |
| workload_identity_provider: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }} | |
| service_account: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }} | |
| - name: "Get Secret" | |
| id: secrets | |
| uses: "google-github-actions/get-secretmanager-secrets@v3" | |
| with: | |
| secrets: |- | |
| SLACK_BOT_TOKEN:passculture-metier-ehp/passculture-ci-slack-bot-token | |
| ARTIFACT_REGISTRY_WORKLOAD_IDENTITY_PROVIDER:passculture-metier-ehp/infra-prod-gcp-workload-identity-provider | |
| ARTIFACT_REGISTRY_SERVICE_ACCOUNT:passculture-metier-ehp/passculture-main-artifact-registry-service-account | |
| - name: "OpenID Connect Authentication" | |
| id: "openid-auth" | |
| uses: "google-github-actions/auth@v3" | |
| with: | |
| create_credentials_file: false | |
| token_format: "access_token" | |
| workload_identity_provider: ${{ steps.secrets.outputs.ARTIFACT_REGISTRY_WORKLOAD_IDENTITY_PROVIDER }} | |
| service_account: ${{ steps.secrets.outputs.ARTIFACT_REGISTRY_SERVICE_ACCOUNT }} | |
| - name: "Docker login" | |
| id: "docker-login" | |
| uses: "docker/login-action@v3" | |
| with: | |
| registry: "europe-west1-docker.pkg.dev" | |
| username: "oauth2accesstoken" | |
| password: "${{ steps.openid-auth.outputs.access_token }}" | |
| - name: "check pcapi-console image exists" | |
| id: check-console-checksum-tag | |
| run: ./.github/workflows/scripts/check-image-tag-exists.sh | |
| env: | |
| image: pcapi-console | |
| tag: ${{ github.sha }} | |
| token: ${{ steps.openid-auth.outputs.access_token }} | |
| - name: "check pcapi image exists" | |
| id: check-checksum-tag | |
| run: ./.github/workflows/scripts/check-image-tag-exists.sh | |
| env: | |
| image: pcapi | |
| tag: ${{ github.sha }} | |
| token: ${{ steps.openid-auth.outputs.access_token }} | |
| - name: "Summary" | |
| run: | | |
| echo "[pcapi] push-tags : ${{ steps.pcapi-tags.outputs.push-tags }}" | |
| echo "[pcapi] checksum-tag : ${{ steps.pcapi-tags.outputs.checksum-tag }}" | |
| echo "[pcapi] image tag ${{ steps.pcapi-tags.outputs.checksum-tag }} exists : ${{ steps.check-checksum-tag.outputs.tag-exists }}" | |
| echo "[pcapi-console] image tag ${{ steps.pcapi-tags.outputs.checksum-tag }} exists : ${{ steps.check-console-checksum-tag.outputs.tag-exists }}" | |
| # Theses steps builds pcapi and pcapi-console image, tags them with the last commit sha then | |
| # pushes them to the registry | |
| build-pcapi: | |
| name: "[pcapi] build docker image." | |
| needs: [pcapi-init-job] | |
| if: needs.pcapi-init-job.outputs.pcapi-exists == 'false' | |
| uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml | |
| with: | |
| image: pcapi | |
| tag: ${{ github.sha }} | |
| build-pcapi-console: | |
| name: "[pcapi-console] build docker image." | |
| needs: [pcapi-init-job] | |
| if: needs.pcapi-init-job.outputs.pcapi-console-exists == 'false' | |
| uses: ./.github/workflows/dev_on_workflow_build_docker_image.yml | |
| with: | |
| image: pcapi-console | |
| tag: ${{ github.sha }} | |
| push-pcapi: | |
| name: Push pcapi docker image to artifact registry | |
| needs: | |
| - build-pcapi | |
| - pcapi-init-job | |
| if: needs.pcapi-init-job.outputs.pcapi-exists == 'false' | |
| uses: ./.github/workflows/dev_on_workflow_push_docker_image.yml | |
| with: | |
| image: pcapi | |
| tag: ${{ github.sha }} | |
| tag_latest: true | |
| secrets: | |
| WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }} | |
| SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }} | |
| push-pcapi-console: | |
| name: Push pcapi-console docker image to artifact registry | |
| needs: | |
| - build-pcapi-console | |
| - pcapi-init-job | |
| uses: ./.github/workflows/dev_on_workflow_push_docker_image.yml | |
| if: needs.pcapi-init-job.outputs.pcapi-console-exists == 'false' | |
| with: | |
| image: pcapi-console | |
| tag: ${{ github.sha }} | |
| tag_latest: true | |
| secrets: | |
| WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }} | |
| SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }} | |
| deploy-to-testing: | |
| name: Deploy to testing | |
| needs: | |
| - pcapi-init-job | |
| - push-pcapi | |
| - push-pcapi-console | |
| if: always() && !failure() && !cancelled() | |
| uses: ./.github/workflows/dev_on_workflow_deploy.yml | |
| with: | |
| environment: testing | |
| app_version: ${{ github.sha }} | |
| cluster_scope: metier | |
| cluster_environment: ehp | |
| workload_identity_provider_secret_name: gcp_metier_ehp_workload_identity_provider | |
| apply_algolia_config: true | |
| deploy_api: true | |
| deploy_pro: true | |
| secrets: | |
| GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }} | |
| GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }} | |
| PASSCULTURE_GITHUB_ACTION_APP_ID: ${{ secrets.PASSCULTURE_GITHUB_ACTION_APP_ID }} | |
| PASSCULTURE_GITHUB_ACTION_APP_PRIVATE_KEY: ${{ secrets.PASSCULTURE_GITHUB_ACTION_APP_PRIVATE_KEY }} | |
| deploy-to-testing-new-infra: | |
| name: Deploy to testing new infra | |
| needs: | |
| - pcapi-init-job | |
| - push-pcapi | |
| - push-pcapi-console | |
| if: always() && !failure() && !cancelled() | |
| uses: ./.github/workflows/dev_on_workflow_deploy.yml | |
| with: | |
| environment: testing | |
| environment_short_name: tst | |
| app_version: ${{ github.sha }} | |
| workflow_cluster_name: gke-infra-prd-eu9 | |
| workflow_project_id: pc-infra-prd | |
| app_cluster_name: gke-backend-tst-eu9 | |
| app_project_id: pc-backend-tst | |
| location: europe-west9 | |
| is_new_infra: true | |
| workload_identity_provider_secret_name: gcp_metier_ehp_workload_identity_provider | |
| apply_algolia_config: true | |
| deploy_api: true | |
| deploy_pro: true | |
| secrets: | |
| GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }} | |
| GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }} | |
| NEW_INFRA_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PRD }} | |
| NEW_INFRA_PCAPI_DEPLOYER_SERVICE_ACCOUNT: ${{ secrets.PCAPI_CI_SERVICE_ACCOUNT_TST }} | |
| PASSCULTURE_GITHUB_ACTION_APP_ID: ${{ secrets.PASSCULTURE_GITHUB_ACTION_APP_ID }} | |
| PASSCULTURE_GITHUB_ACTION_APP_PRIVATE_KEY: ${{ secrets.PASSCULTURE_GITHUB_ACTION_APP_PRIVATE_KEY }} | |
| deploy-to-ops: | |
| name: "Deploy to ops" | |
| needs: | |
| - pcapi-init-job | |
| - push-pcapi | |
| - push-pcapi-console | |
| - deploy-to-testing | |
| - deploy-to-testing-new-infra | |
| if: always() && !failure() && !cancelled() | |
| uses: ./.github/workflows/dev_on_workflow_deploy.yml | |
| with: | |
| environment: opsv2 | |
| environment_short_name: opsv2 | |
| app_version: ${{ github.sha }} | |
| workload_identity_provider_secret_name: gcp_metier_ops_workload_identity_provider # to delete after migration | |
| workflow_cluster_name: gke-infra-prd-eu9 | |
| workflow_project_id: pc-infra-prd | |
| app_cluster_name: gke-backend-tst-eu9 | |
| app_project_id: pc-backend-tst | |
| location: europe-west9 | |
| is_new_infra: true | |
| deploy_api: true | |
| secrets: | |
| GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }} | |
| GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }} | |
| NEW_INFRA_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PRD }} | |
| NEW_INFRA_PCAPI_DEPLOYER_SERVICE_ACCOUNT: ${{ secrets.PCAPI_CI_SERVICE_ACCOUNT_OPSV2 }} | |
| PASSCULTURE_GITHUB_ACTION_APP_ID: ${{ secrets.PASSCULTURE_GITHUB_ACTION_APP_ID }} | |
| PASSCULTURE_GITHUB_ACTION_APP_PRIVATE_KEY: ${{ secrets.PASSCULTURE_GITHUB_ACTION_APP_PRIVATE_KEY }} | |
| slack-notify: | |
| name: "Post failure notification on #alertes-deploiement" | |
| needs: | |
| - deploy-to-testing | |
| # TODO : make a second PR to be notified when deploy-to-testing-new-infra fails | |
| # for now we don't want to send false alarms | |
| if: ${{ always() && needs.deploy-to-testing.result == 'failure' }} | |
| uses: ./.github/workflows/dev_on_workflow_post_slack_message.yml | |
| with: | |
| channel: ${{vars.SLACK_ALERTES_DEPLOIEMENT_CHANNEL_ID}} | |
| color: "#A30002" | |
| message: ":github-failure: Le <https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}|déploiement> de `master` sur `testing` a échoué" | |
| secrets: | |
| GCP_EHP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_EHP_WORKLOAD_IDENTITY_PROVIDER }} | |
| GCP_EHP_SERVICE_ACCOUNT: ${{ secrets.GCP_EHP_SERVICE_ACCOUNT }} |