Deployment pipeline #22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deployment pipeline | |
on: [workflow_dispatch] | |
permissions: | |
id-token: write | |
contents: read | |
jobs: | |
infisical-tests: | |
name: Integration tests | |
# https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview | |
uses: ./.github/workflows/run-backend-tests.yml | |
infisical-image: | |
name: Build | |
runs-on: ubuntu-latest | |
needs: [infisical-tests] | |
steps: | |
- name: ☁️ Checkout source | |
uses: actions/checkout@v3 | |
- name: 📦 Install dependencies to test all dependencies | |
run: npm ci --only-production | |
working-directory: backend | |
- name: Save commit hashes for tag | |
id: commit | |
uses: pr-mpt/actions-commit-hash@v2 | |
- name: 🔧 Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: 🐋 Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Set up Depot CLI | |
uses: depot/setup-action@v1 | |
- name: 🏗️ Build backend and push to docker hub | |
uses: depot/build-push-action@v1 | |
with: | |
project: 64mmf0n610 | |
token: ${{ secrets.DEPOT_PROJECT_TOKEN }} | |
push: true | |
context: . | |
file: Dockerfile.standalone-infisical | |
tags: | | |
infisical/staging_infisical:${{ steps.commit.outputs.short }} | |
infisical/staging_infisical:latest | |
platforms: linux/amd64,linux/arm64 | |
build-args: | | |
POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }} | |
INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }} | |
gamma-deployment: | |
name: Deploy to gamma | |
runs-on: ubuntu-latest | |
needs: [infisical-image] | |
environment: | |
name: Gamma | |
steps: | |
- uses: twingate/github-action@v1 | |
with: | |
# The Twingate Service Key used to connect Twingate to the proper service | |
# Learn more about [Twingate Services](https://docs.twingate.com/docs/services) | |
# | |
# Required | |
service-key: ${{ secrets.TWINGATE_SERVICE_KEY }} | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v2 | |
with: | |
node-version: "20" | |
- name: Change directory to backend and install dependencies | |
env: | |
DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }} | |
run: | | |
cd backend | |
npm install | |
npm run migration:latest | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
audience: sts.amazonaws.com | |
aws-region: us-east-1 | |
role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img | |
- name: Save commit hashes for tag | |
id: commit | |
uses: pr-mpt/actions-commit-hash@v2 | |
- name: Download task definition | |
run: | | |
aws ecs describe-task-definition --task-definition infisical-core-gamma-stage --query taskDefinition > task-definition.json | |
- name: Render Amazon ECS task definition | |
id: render-web-container | |
uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
with: | |
task-definition: task-definition.json | |
container-name: infisical-core | |
image: infisical/staging_infisical:${{ steps.commit.outputs.short }} | |
environment-variables: "LOG_LEVEL=info" | |
- name: Deploy to Amazon ECS service | |
uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
with: | |
task-definition: ${{ steps.render-web-container.outputs.task-definition }} | |
service: infisical-core-gamma-stage | |
cluster: infisical-gamma-stage | |
wait-for-service-stability: true | |
production-us: | |
name: US production deploy | |
runs-on: ubuntu-latest | |
needs: [gamma-deployment] | |
environment: | |
name: Production | |
steps: | |
- uses: twingate/github-action@v1 | |
with: | |
# The Twingate Service Key used to connect Twingate to the proper service | |
# Learn more about [Twingate Services](https://docs.twingate.com/docs/services) | |
# | |
# Required | |
service-key: ${{ secrets.TWINGATE_SERVICE_KEY }} | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v2 | |
with: | |
node-version: "20" | |
- name: Change directory to backend and install dependencies | |
env: | |
DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }} | |
AUDIT_LOGS_DB_CONNECTION_URI: ${{ secrets.AUDIT_LOGS_DB_CONNECTION_URI }} | |
run: | | |
cd backend | |
npm install | |
npm run migration:latest | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
audience: sts.amazonaws.com | |
aws-region: us-east-1 | |
role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment | |
- name: Save commit hashes for tag | |
id: commit | |
uses: pr-mpt/actions-commit-hash@v2 | |
- name: Download task definition | |
run: | | |
aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json | |
- name: Render Amazon ECS task definition | |
id: render-web-container | |
uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
with: | |
task-definition: task-definition.json | |
container-name: infisical-core-platform | |
image: infisical/staging_infisical:${{ steps.commit.outputs.short }} | |
environment-variables: "LOG_LEVEL=info" | |
- name: Deploy to Amazon ECS service | |
uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
with: | |
task-definition: ${{ steps.render-web-container.outputs.task-definition }} | |
service: infisical-core-platform | |
cluster: infisical-core-platform | |
wait-for-service-stability: true | |
production-eu: | |
name: EU production deploy | |
runs-on: ubuntu-latest | |
needs: [production-us] | |
environment: | |
name: production-eu | |
steps: | |
- uses: twingate/github-action@v1 | |
with: | |
service-key: ${{ secrets.TWINGATE_SERVICE_KEY }} | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
audience: sts.amazonaws.com | |
aws-region: eu-central-1 | |
role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v2 | |
with: | |
node-version: "20" | |
- name: Change directory to backend and install dependencies | |
env: | |
DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }} | |
run: | | |
cd backend | |
npm install | |
npm run migration:latest | |
- name: Save commit hashes for tag | |
id: commit | |
uses: pr-mpt/actions-commit-hash@v2 | |
- name: Download task definition | |
run: | | |
aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json | |
- name: Render Amazon ECS task definition | |
id: render-web-container | |
uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
with: | |
task-definition: task-definition.json | |
container-name: infisical-core-platform | |
image: infisical/staging_infisical:${{ steps.commit.outputs.short }} | |
environment-variables: "LOG_LEVEL=info" | |
- name: Deploy to Amazon ECS service | |
uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
with: | |
task-definition: ${{ steps.render-web-container.outputs.task-definition }} | |
service: infisical-core-platform | |
cluster: infisical-core-platform | |
wait-for-service-stability: true |