Build & Deploy to DEV from Release Branch #145
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build & Deploy to DEV from Release Branch | |
env: | |
# 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. | |
# See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. | |
# To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions | |
OPENSHIFT_SERVER: ${{ vars.OPENSHIFT_SERVER }} | |
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} | |
OPENSHIFT_NAMESPACE: ${{ vars.GRAD_NAMESPACE }}-dev | |
COMMON_NAMESPACE: ${{ vars.COMMON_NAMESPACE }} | |
GRAD_NAMESPACE: ${{ vars.GRAD_NAMESPACE }} | |
BUSINESS_NAMESPACE: ${{ vars.GRAD_BUSINESS_NAMESPACE }} | |
# 🖊️ EDIT to change the image registry settings. | |
# Registries such as GHCR, Quay.io, and Docker Hub are supported. | |
IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
IMAGE_REGISTRY_USER: ${{ github.actor }} | |
IMAGE_REGISTRY_PASSWORD: ${{ github.token }} | |
SPRING_BOOT_IMAGE_NAME: educ-grad-graduation-report-api-dc | |
REPO_NAME: "educ-grad-graduation-report-api" | |
APP_DOMAIN: ${{ vars.APP_DOMAIN }} | |
BRANCH: "grad-release" | |
TAG: "latest" | |
MIN_CPU: "20m" | |
MAX_CPU: "120m" | |
MIN_MEM: "256Mi" | |
MAX_MEM: "1024Mi" | |
MIN_REPLICAS: "3" | |
MAX_REPLICAS: "5" | |
on: | |
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows | |
workflow_dispatch: | |
push: | |
branches: | |
- grad-release | |
paths: | |
- 'api/**' | |
- 'tools/**' | |
jobs: | |
openshift-ci-cd: | |
name: Build and deploy to OpenShift DEV from release branch | |
runs-on: ubuntu-22.04 | |
environment: dev | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@v3 | |
with: | |
ref: grad-release | |
- name: Determine image tags | |
if: env.TAG == '' | |
run: | | |
echo "TAG=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV | |
- name: Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ vars.DOCKER_ARTIFACTORY_REPO }} | |
username: ${{ vars.DOCKER_ARTIFACTORY_USERNAME }} | |
password: ${{ secrets.DOCKER_ARTIFACTORY_ACCESS_TOKEN }} | |
# https://github.com/redhat-actions/buildah-build#readme | |
- name: Build from Dockerfile | |
id: build-image | |
uses: redhat-actions/buildah-build@v2 | |
with: | |
image: ${{ env.REPO_NAME }} | |
tags: ${{ env.TAG }} | |
# If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs | |
# Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build | |
# Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. | |
dockerfiles: | | |
./Dockerfile | |
# https://github.com/redhat-actions/push-to-registry#readme | |
- name: Push to registry | |
id: push-image | |
uses: redhat-actions/push-to-registry@v2 | |
with: | |
image: ${{ steps.build-image.outputs.image }} | |
tags: ${{ steps.build-image.outputs.tags }} | |
registry: ${{ env.IMAGE_REGISTRY }} | |
username: ${{ env.IMAGE_REGISTRY_USER }} | |
password: ${{ env.IMAGE_REGISTRY_PASSWORD }} | |
# The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }} | |
- name: Install oc | |
uses: redhat-actions/openshift-tools-installer@v1 | |
with: | |
oc: 4 | |
# https://github.com/redhat-actions/oc-login#readme | |
- name: Deploy | |
run: | | |
set -eux | |
# Login to OpenShift and select project | |
oc login --token=${{ env.OPENSHIFT_TOKEN }} --server=${{ env.OPENSHIFT_SERVER }} | |
oc project ${{ env.OPENSHIFT_NAMESPACE }} | |
# Cancel any rollouts in progress | |
oc rollout cancel dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ | |
|| true && echo "No rollout in progress" | |
# tag image stream | |
oc -n ${{ env.OPENSHIFT_NAMESPACE }} tag ${{ steps.push-image.outputs.registry-path }} ${{ env.REPO_NAME }}:${{ env.TAG }} | |
# Process and apply deployment template | |
oc process -f tools/openshift/api.dc.yaml -p IS_NAMESPACE=${{ env.OPENSHIFT_NAMESPACE }} -p REPO_NAME=${{ env.REPO_NAME }} \ | |
-p TAG_NAME=${{ env.TAG }} -p HOST_ROUTE=${{ env.REPO_NAME }}-${{ env.OPENSHIFT_NAMESPACE }}.${{ env.APP_DOMAIN }} \ | |
-p MIN_REPLICAS=${{ env.MIN_REPLICAS }} -p MAX_REPLICAS=${{ env.MAX_REPLICAS }} -p MIN_CPU=${{ env.MIN_CPU }} \ | |
-p MAX_CPU=${{ env.MAX_CPU }} -p MIN_MEM=${{ env.MIN_MEM }} -p MAX_MEM=${{ env.MAX_MEM }} | oc apply -f - | |
# UPDATE Configmaps | |
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/update-configmap.sh \ | |
| bash /dev/stdin \ | |
dev \ | |
${{ env.REPO_NAME }} \ | |
${{ env.GRAD_NAMESPACE }} \ | |
${{ env.COMMON_NAMESPACE }} \ | |
${{ env.BUSINESS_NAMESPACE }} \ | |
${{ secrets.SPLUNK_TOKEN }} \ | |
${{ vars.APP_LOG_LEVEL }} | |
# OVERRIDE Configmaps | |
curl -s https://raw.githubusercontent.com/bcgov/${{ env.REPO_NAME }}/${{ env.BRANCH }}/tools/config/override-configmap-dev.sh \ | |
| bash /dev/stdin \ | |
dev \ | |
${{ env.REPO_NAME }} \ | |
${{ env.GRAD_NAMESPACE }} \ | |
${{ env.COMMON_NAMESPACE }} \ | |
${{ env.BUSINESS_NAMESPACE }} \ | |
${{ secrets.SPLUNK_TOKEN }} \ | |
${{ vars.APP_LOG_LEVEL }} | |
# Start rollout (if necessary) and follow it | |
oc rollout latest dc/${{ env.SPRING_BOOT_IMAGE_NAME }} 2> /dev/null \ | |
|| true && echo "Rollout in progress" | |
oc logs -f dc/${{ env.SPRING_BOOT_IMAGE_NAME }} | |
# Get status, returns 0 if rollout is successful | |
oc rollout status dc/${{ env.SPRING_BOOT_IMAGE_NAME }} | |
# now hit it with a zap scan | |
- name: ZAP Scan | |
uses: zaproxy/action-api-scan@v0.7.0 | |
with: | |
target: 'https://${{ env.REPO_NAME }}-${{ env.OPENSHIFT_NAMESPACE }}.apps.silver.devops.gov.bc.ca/api/v1/api-docs' |