Merge pull request #185 from Datawheel/nextjs-test #18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on a Google Kubernetes Instance when a commit is pushed to the "develop" branch | |
# | |
# To configure this workflow: | |
# | |
# 1. Ensure the required Google Cloud APIs are enabled in the project: | |
# | |
# Cloud Build cloudbuild.googleapis.com | |
# Artifact Registry artifactregistry.googleapis.com | |
# | |
# 2. Create a service account (if you don't have one) with the following fields: | |
# | |
# Service Account Name <PROJECT-NAME>-github-actions | |
# Service Account ID <PROJECT-NAME>-github-actions | |
# | |
# 3. Ensure the service account have the required IAM permissions granted: | |
# | |
# Cloud Build | |
# roles/cloudbuild.builds.editor (cloud build editor) | |
# roles/cloudbuild.builds.builder (cloud build service account) | |
# | |
# Artifact Registry | |
# roles/artifactregistry.repoAdmin (artifact registry repository administrator) | |
# roles/artifactregistry.admin (artifact registry administrator) | |
# | |
# Service Account | |
# roles/iam.serviceAccountUser (act as the Cloud Run runtime service account) | |
# | |
# Basic Roles | |
# roles/viewer (viewer) | |
# | |
# NOTE: You should always follow the principle of least privilege when assigning IAM roles | |
# | |
# 4. Ensure you have the following GitHub Secrets and Variables: | |
# | |
# GitHub Secrets | |
# GCP_SA_KEY (Google Cloud Project Service Account Key) ref visit https://github.com/Datawheel/company/wiki/Setting-Up-a-Service-Account-for-Workflows#use-the-service-account-on-github-secrets | |
# | |
# GitHub Variables | |
# GCP_PROJECT_ID (Google Cloud Project ID) | |
# GCP_ARTIFACT_REGISTRY_NAME (Google Cloud Articaft Registry Repository Name) | |
# GCP_ARTIFACT_REGISTRY_LOCATION (Google Cloud Artifact Registry Reposotiry Location) | |
# | |
# 5. Ensure you have the following GitHub Variables for each environment that you will set up: | |
# | |
# GitHub Variables | |
# GCP_IMAGE_NAME (Docker Image Name) | |
# GKE_APP_NAME (Kubernetes Application Name) | |
# GKE_APP_RELEASE (Kubernetes Application Release Version) | |
# GKE_APP_NAMESPACE (Kubernetes Application Namespace) | |
# GKE_CLUSTER (Kubernetes Cluster Name) | |
# GKE_ZONE (Kubernetes Cluster Location) | |
# | |
# Further reading: | |
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying | |
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles | |
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry | |
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege | |
name: "[DEV] Build and Deploy to GKE using Helm" | |
on: | |
push: | |
branches: | |
- nextjs-test-actions | |
env: | |
GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }} | |
GCP_ARTIFACT_REGISTRY_NAME: ${{ vars.GCP_ARTIFACT_REGISTRY_NAME }} | |
GCP_ARTIFACT_REGISTRY_LOCATION: ${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} | |
GCP_IMAGE_NAME: ${{ vars.GCP_IMAGE_NAME }} | |
GKE_APP_NAME: ${{ vars.GKE_APP_NAME }} | |
GKE_APP_RELEASE: ${{ github.ref_name }} | |
GKE_APP_NAMESPACE: ${{ vars.GKE_APP_NAMESPACE }} | |
GKE_CLUSTER: ${{ vars.GKE_CLUSTER }} | |
GKE_ZONE: ${{ vars.GKE_ZONE }} | |
ACTIONS_ALLOW_UNSECURE_COMMANDS: true | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
# runs-on: | |
# group: datawheel-self-runners | |
environment: development | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# Authentication via credentials json | |
- name: Google Auth | |
id: auth | |
uses: google-github-actions/auth@v2 | |
with: | |
project_id: ${{ env.GCP_PROJECT_ID }} | |
credentials_json: ${{ secrets.GCP_SA_KEY }} | |
# Install Cloud SDK | |
- name: Set up Cloud SDK | |
uses: google-github-actions/setup-gcloud@v1 | |
with: | |
install_components: "beta" | |
# Build image on Google Cloud Artifact Registry | |
- name: Build Docker Image | |
run: |- | |
gcloud builds submit \ | |
--quiet \ | |
--timeout=40m \ | |
--config=cloudbuild.yml \ | |
--substitutions=_GCP_ARTIFACT_REGISTRY_LOCATION=${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }},_GCP_PROJECT_ID=${{ vars.GCP_PROJECT_ID }},_GCP_ARTIFACT_REGISTRY_NAME=${{ vars.GCP_ARTIFACT_REGISTRY_NAME }},_GCP_IMAGE_NAME=${{ vars.GCP_IMAGE_NAME }},_GCP_IMAGE_TAG=${{ github.sha }},_GCP_IMAGE_ENVIRONMENT=${{ vars.GKE_APP_NAMESPACE }},_PANTHEON_PGURI=${{ secrets.PANTHEON_PGURI }},_REACT_APP_TRIVIA_GAME=${{ secrets.REACT_APP_TRIVIA_GAME }} | |
# deploys the recently created docker image via google cloude build | |
deploy: | |
needs: build | |
name: Deploy Docker Image to Cloud Run | |
runs-on: ubuntu-latest | |
# runs-on: | |
# group: datawheel-self-runners | |
environment: development | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# Authentication via credentials json | |
- name: Google Auth | |
id: auth | |
uses: google-github-actions/auth@v2 | |
with: | |
project_id: ${{ env.GCP_PROJECT_ID }} | |
credentials_json: ${{ secrets.GCP_SA_KEY }} | |
# Install Cloud SDK | |
- name: Set up Cloud SDK | |
uses: google-github-actions/setup-gcloud@v1 | |
with: | |
install_components: "beta" | |
# Deploy to CloudRun | |
- name: Deploy Image to Cloud Run | |
run: |- | |
gcloud run deploy ${{ env.GCP_IMAGE_NAME }} \ | |
--image=${{ env.GCP_ARTIFACT_REGISTRY_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GCP_ARTIFACT_REGISTRY_NAME }}/${{ env.GCP_IMAGE_NAME }}:${{ github.sha }} \ | |
--region=${{ vars.GCP_ARTIFACT_REGISTRY_LOCATION }} \ | |
--port=3000 \ | |
--set-env-vars=URL=${{ vars.URL }} \ | |
--set-env-vars=CANON_API=${{ vars.CANON_API }} \ | |
--set-env-vars=CANON_GOOGLE_ANALYTICS=${{ vars.CANON_GOOGLE_ANALYTICS }} \ | |
--set-env-vars=NEWS_API_KEY=${{ secrets.NEWS_API_KEY }} \ | |
--set-env-vars=PANTHEON_PGURI=${{ secrets.PANTHEON_PGURI }} \ | |
--set-env-vars=REACT_APP_GAME_CSV_URL=${{ secrets.REACT_APP_GAME_CSV_URL }} \ | |
--set-env-vars=REACT_APP_GAME_RECAPTCHA_SECRET_KEY_V3=${{ secrets.REACT_APP_GAME_RECAPTCHA_SECRET_KEY_V3 }} \ | |
--set-env-vars=REACT_APP_GAME_RECAPTCHA_SITE_KEY_V3=${{ secrets.REACT_APP_GAME_RECAPTCHA_SITE_KEY_V3 }} \ | |
--set-env-vars=REACT_APP_GAME_SECRET_KEY=${{ secrets.REACT_APP_GAME_SECRET_KEY }} \ | |
--set-env-vars=REACT_APP_TRIVIA_GAME=${{ secrets.REACT_APP_TRIVIA_GAME }} \ | |
--set-env-vars=TMDB_API_KEY=${{ secrets.TMDB_API_KEY }} \ | |
--set-env-vars=TW_API_KEY=${{ secrets.TW_API_KEY }} \ | |
--set-env-vars=TW_API_SECRET=${{ secrets.TW_API_SECRET }} \ | |
--set-env-vars=YOUTUBE_API_KEY=${{ secrets.YOUTUBE_API_KEY }} \ | |
--allow-unauthenticated |