Release r-0437 #70
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: deploy-production | |
| concurrency: | |
| group: deploy-production | |
| cancel-in-progress: true | |
| on: | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| deploy-production: | |
| runs-on: ubuntu-latest | |
| environment: production | |
| env: | |
| IS_CI_AUTOMATION: "yes" | |
| steps: | |
| - name: Download deployment artifact | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: deployment.json | |
| - name: Extract deployment values | |
| id: deployment-data | |
| run: | | |
| echo "ecr-tag=$(jq .ecr_tag < deployment.json)" >> $GITHUB_OUTPUT | |
| echo "semver=$(jq .version < deployment.json)" >> $GITHUB_OUTPUT | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-central-1 | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| mask-password: "true" | |
| - name: Retag docker image | |
| id: retag-image | |
| run: | | |
| # Pull the image we want to deploy; its tag is the git commit hash that caused it to exist | |
| SOURCE_TAG="${{ steps.deployment-data.outputs.ecr-tag }}" | |
| docker pull $SOURCE_TAG | |
| # Get the URL for the image, replacing the tag for the semantic version | |
| IMAGE_BASE=$(echo $SOURCE_TAG | cut -d: -f1) | |
| SEMVER="v${{ steps.deployment-data.outputs.semver }}" | |
| TARGET_TAG="$IMAGE_BASE:$SEMVER" | |
| docker tag $SOURCE_TAG $TARGET_TAG | |
| # Push the new image | |
| docker push $TARGET_TAG | |
| # Output the target tag | |
| echo "target-tag=$TARGET_TAG" >> $GITHUB_OUTPUT | |
| - name: Download Pulumi artifact | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: pulumi.tbz | |
| - name: Decompress Pulumi code | |
| shell: bash | |
| run: | | |
| tar -xvf pulumi.tbz | |
| - name: Set up Python ${{ vars.PYTHON_VERSION}} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ vars.PYTHON_VERSION}} | |
| - name: Install Pulumi | |
| shell: bash | |
| run: | | |
| curl -fsSL https://get.pulumi.com | sh | |
| - name: Deploy version-tagged image to prod | |
| shell: bash | |
| env: | |
| PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} | |
| run: | | |
| # Update the PATH to include the right version of Pulumi; this is non-trivial or impossible | |
| # to do with the GHA workflow "env" settings. | |
| export PATH="/home/runner/.pulumi/bin:$PATH" | |
| # Pull the versioned tag from the previous step | |
| target_tag="${{ steps.retag-image.outputs.target-tag }}" | |
| # Create a YAML config stump containing only the nested tree leading to the image tag update | |
| cd pulumi | |
| cat << EOF > newimage.yaml | |
| .accounts_image: &ACCOUNTS_IMAGE "$target_tag" | |
| EOF | |
| # Use yq to merge the stump into the main config | |
| yq -i '. *= load("newimage.yaml")' config.prod.yaml | |
| export PULUMI_CONFIG_PASSPHRASE='${{ secrets.PULUMI_PASSPHRASE }}' | |
| # Set up the Pulumi environment and update the service | |
| pulumi login | |
| pulumi stack select thunderbird/prod | |
| TBPULUMI_DISABLE_PROTECTION=True \ | |
| pulumi up -y --diff \ | |
| --target 'urn:pulumi:prod::accounts::tb:fargate:FargateClusterWithLogging$aws:ecs/taskDefinition:TaskDefinition::accounts-prod-fargate-accounts-taskdef' \ | |
| --target 'urn:pulumi:prod::accounts::aws:ecs/taskDefinition:TaskDefinition::accounts-prod-afc-accounts-taskdef-celery-prod' \ | |
| --target 'urn:pulumi:prod::accounts::aws:ecs/taskDefinition:TaskDefinition::accounts-prod-afc-accounts-taskdef-flower-prod' \ | |
| --target-dependents |