diff --git a/.github/workflows/_deployment.yaml b/.github/workflows/_deployment.yaml
new file mode 100644
index 0000000..d5e291e
--- /dev/null
+++ b/.github/workflows/_deployment.yaml
@@ -0,0 +1,71 @@
+# ref1: https://cloud.google.com/blog/ja/products/devops-sre/deploy-to-cloud-run-with-github-actions
+# ref2: https://github.com/google-github-actions/example-workflows/blob/24274f78e13a0df73f176af798a36b54163d1e72/workflows/deploy-cloudrun/cloudrun-docker.yml
+
+# Set secrets below in your GitHub repository settings:
+# - PROJECT_ID # Google Cloud project id
+# - GAR_LOCATION # Artifact Registry location
+# - REPOSITORY # Artifact Registry repository name
+# - SERVICE # Cloud Run service name
+# - REGION # Cloud Run service region
+# - WIF_PROVIDER # Workload Identity Federation provider (e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider)
+# - WIF_SERVICE_ACCOUNT # Workload Identity Federation service account (e.g. - my-service-account@my-project.iam.gserviceaccount.com)
+
+name: Build and Deploy to Cloud Run
+on:
+ workflow_call:
+ inputs:
+ environment:
+ type: string
+ required: true
+ description: Name of the target environment.
+ ref:
+ type: string
+ required: true
+ description: The tag or SHA to checkout.
+
+jobs:
+ deploy:
+ # Add 'id-token' with the intended permissions for workload identity federation
+ # See: apps/api/scripts/google-cloud/setup-workload-identity.sh
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Google Auth
+ id: auth
+ uses: 'google-github-actions/auth@v0'
+ with:
+ token_format: 'access_token'
+ workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
+ service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'
+
+ - name: Docker Auth
+ id: docker-auth
+ uses: 'docker/login-action@v1'
+ with:
+ username: 'oauth2accesstoken'
+ password: '${{ steps.auth.outputs.access_token }}'
+ registry: '${{ secrets.GAR_LOCATION }}-docker.pkg.dev'
+
+ - name: Build and Push Container
+ run: |-
+ docker build -t "${{ secrets.GAR_LOCATION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.REPOSITORY }}/${{ secrets.SERVICE }}:${{ inputs.ref }}" ./
+ docker push "${{ secrets.GAR_LOCATION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.REPOSITORY }}/${{ secrets.SERVICE }}:${{ inputs.ref }}"
+
+ - name: Deploy to Cloud Run
+ id: deploy
+ uses: google-github-actions/deploy-cloudrun@v0
+ with:
+ service: ${{ secrets.SERVICE }}
+ region: ${{ secrets.REGION }}
+ image: ${{ secrets.GAR_LOCATION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.REPOSITORY }}/${{ secrets.SERVICE }}:${{ inputs.ref }}
+ env_vars: |
+ NODE_ENV=${{ inputs.environment }}
+
+ - name: Show Output
+ run: echo ${{ steps.deploy.outputs.url }}
\ No newline at end of file
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..26a2e55
--- /dev/null
+++ b/.github/workflows/release.yaml
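Review bot: The `ref` input is described as "The tag or SHA to checkout", yet the Checkout step never passes it, so the image tagged with `${{ inputs.ref }}` is built from whatever ref actions/checkout resolves by default rather than the requested one; add `with: ref: ${{ inputs.ref }}` under that step. In the Build and Push Container step the same input and the secrets are expanded into the `run:` script text before the shell sees it, so a caller-supplied value containing quotes or shell metacharacters becomes part of the command line; route the image name through `env:` and reference it as `"$IMAGE"` so the shell only ever sees variable contents. The third-party actions are referenced by mutable tags (`actions/checkout@v2`, `google-github-actions/auth@v0`, `docker/login-action@v1`, `google-github-actions/deploy-cloudrun@v0`); pinning each to a full commit SHA with the tag in a trailing comment keeps a moved or compromised tag from changing what runs under the `id-token: write` permission. The Show Output step has the same expansion-into-shell pattern and can take the URL via `env:` as well.
```yaml
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: ${{ inputs.ref }}

      # … unchanged: Google Auth and Docker Auth steps …

      - name: Build and Push Container
        env:
          IMAGE: ${{ secrets.GAR_LOCATION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.REPOSITORY }}/${{ secrets.SERVICE }}:${{ inputs.ref }}
        run: |-
          docker build -t "$IMAGE" ./
          docker push "$IMAGE"

      # … unchanged: Deploy to Cloud Run step …

      - name: Show Output
        env:
          SERVICE_URL: ${{ steps.deploy.outputs.url }}
        run: echo "$SERVICE_URL"
```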
@@ -0,0 +1,36 @@
+on:
+ push:
+ branches: [develop, stage, main]
+
+jobs:
+ dev:
+ name: deploy cloudrun to dev environment
+ if: ${{ github.ref == 'refs/heads/develop' || github.base_ref == 'develop' }}
+ uses: ./_deployment.yaml
+ permissions:
+ id-token: write
+ contents: read
+ with:
+ environment: development
+ ref: ${{ github.sha }}
+ secrets: inherit
+ staging:
+ if: ${{ github.ref == 'refs/heads/staging' || github.base_ref == 'staging' }}
+ uses: ./_deployment.yaml
+ permissions:
+ id-token: write
+ contents: read
+ with:
+ environment: staging
+ ref: ${{ github.sha }}
+ secrets: inherit
+ prod:
+ if: ${{ github.ref == 'refs/heads/main' || github.base_ref == 'main' }}
+ uses: ./_deployment.yaml
+ permissions:
+ id-token: write
+ contents: read
+ with:
+ environment: production
+ ref: ${{ github.sha }}
+ secrets: inherit
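Review bot: The trigger lists the branch `stage`, but the staging job's condition tests `refs/heads/staging`, so a push to `stage` starts the workflow and then skips every job because neither the develop nor the main condition matches either; make the two agree, e.g. `branches: [develop, staging, main]`. The `uses: ./_deployment.yaml` references on the dev, staging and prod jobs also look wrong: a reusable workflow in the same repository is referenced by its path from the repository root, `uses: ./.github/workflows/_deployment.yaml`. The `github.base_ref == '…'` halves of the three `if:` expressions are dead under a push-only trigger, since that context is populated only for pull request events, and dropping them would make the intended branch-to-environment mapping explicit. A `name:` on the staging and prod jobs, matching the dev job, would make the run list readable.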