Merge pull request #60 from CodeForPhilly/docs/spec-kustomize-deploy #8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy (staging) | |
| on: | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| concurrency: | |
| # Cancel an in-flight deploy if a newer commit lands — only the latest gets | |
| # rolled out to staging. | |
| group: deploy-staging | |
| cancel-in-progress: false | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| jobs: | |
| # Build + push the image. Tag with both the commit sha and `staging-latest`. | |
| build: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image-tag: ${{ steps.meta.outputs.image-tag }} | |
| image-digest: ${{ steps.push.outputs.digest }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Compute image tag | |
| id: meta | |
| run: | | |
| tag="sha-${GITHUB_SHA::12}" | |
| echo "image-tag=$tag" >> "$GITHUB_OUTPUT" | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| id: push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| push: true | |
| platforms: linux/amd64 | |
| provenance: false | |
| tags: | | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.image-tag }} | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:staging-latest | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| labels: | | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} | |
| # Deploy via `helm upgrade --install` against the staging cluster. Gated by | |
| # the `staging` environment so first-time runs require an approval and so | |
| # secrets are scoped per-environment. | |
| deploy: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: staging | |
| url: https://codeforphilly-rewrite-staging.k8s.phl.io | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Install kubectl | |
| uses: azure/setup-kubectl@v4 | |
| with: | |
| version: v1.31.0 | |
| - name: Install Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.16.2 | |
| - name: Configure kubeconfig | |
| # KUBECONFIG_STAGING is a base64-encoded kubeconfig stored as a repo | |
| # secret. The cluster service account it points to should have rights | |
| # only in the codeforphilly-staging namespace. | |
| run: | | |
| mkdir -p "$HOME/.kube" | |
| echo "${{ secrets.KUBECONFIG_STAGING }}" | base64 -d > "$HOME/.kube/config" | |
| chmod 600 "$HOME/.kube/config" | |
| kubectl version --client | |
| - name: Helm upgrade | |
| run: | | |
| helm upgrade --install codeforphilly-staging \ | |
| deploy/charts/codeforphilly \ | |
| --namespace codeforphilly-staging \ | |
| --create-namespace \ | |
| -f deploy/charts/codeforphilly/values.staging.yaml \ | |
| --set image.tag=${{ needs.build.outputs.image-tag }} \ | |
| --atomic \ | |
| --timeout 5m \ | |
| --wait | |
| - name: Smoke check | |
| run: | | |
| # The --wait above only waits for k8s to report ready; hit the | |
| # public ingress to confirm end-to-end. Retries because cert-manager | |
| # may still be re-checking TLS for a fresh cert. | |
| for i in 1 2 3 4 5 6; do | |
| if curl -fsS https://codeforphilly-rewrite-staging.k8s.phl.io/api/health >/dev/null; then | |
| echo "OK" | |
| exit 0 | |
| fi | |
| echo "Try $i: not ready, sleeping 10s" | |
| sleep 10 | |
| done | |
| echo "Staging health check failed" | |
| exit 1 |