v1.0.3 #7
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CICD production" | |
| on: | |
| # On release | |
| release: | |
| types: [published] | |
| jobs: | |
| build-makefile: | |
| permissions: | |
| id-token: write | |
| contents: write | |
| runs-on: ubuntu-24.04 | |
| if: github.actor != 'dependabot[bot]' | |
| name: "Build image with Makefile" | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| application: [otterscan] | |
| include: | |
| - application: otterscan | |
| image_name: otterscan | |
| path: . | |
| tag_length: 8 | |
| tag_latest: false | |
| env: | |
| REGISTRY: asia-docker.pkg.dev | |
| REPOSITORY_STG: asia-docker.pkg.dev/prj-d-devops-services-4dgwlsse/zilliqa-public | |
| REPOSITORY_PRD: asia-docker.pkg.dev/prj-p-devops-services-tvwmrf63/zilliqa-public | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 | |
| with: | |
| submodules: recursive | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| fetch-depth: 0 | |
| - name: "Authenticate to Google Cloud - staging" | |
| id: google-auth-stg | |
| uses: "google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa" | |
| with: | |
| token_format: "access_token" | |
| workload_identity_provider: "${{ secrets.GCP_PRD_GITHUB_WIF }}" | |
| service_account: "${{ secrets.GCP_STG_GITHUB_SA_DOCKER_REGISTRY }}" | |
| create_credentials_file: true | |
| - name: Login to the registry - staging | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: "oauth2accesstoken" | |
| password: "${{ steps.google-auth-stg.outputs.access_token }}" | |
| - name: "Build and push ${{ matrix.application }} - staging" | |
| env: | |
| ENVIRONMENT: prd | |
| IMAGE_TAG: ${{ env.REPOSITORY_STG }}/${{ matrix.image_name }}:${{ github.ref_name }} | |
| run: | | |
| cd ${{ matrix.path }} | |
| make image/build-and-push | |
| - name: "Build and push ${{ matrix.application }} tag latest - staging" | |
| if: ${{ matrix.tag_latest == true }} | |
| env: | |
| ENVIRONMENT: prd | |
| IMAGE_TAG: "${{ env.REPOSITORY_STG }}/${{ matrix.image_name }}:latest" | |
| run: | | |
| cd ${{ matrix.path }} | |
| make image/build-and-push | |
| - name: "Authenticate to Google Cloud - production" | |
| id: google-auth-prd | |
| uses: "google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa" | |
| with: | |
| token_format: "access_token" | |
| workload_identity_provider: "${{ secrets.GCP_PRD_GITHUB_WIF }}" | |
| service_account: "${{ secrets.GCP_PRD_GITHUB_SA_DOCKER_REGISTRY }}" | |
| create_credentials_file: true | |
| - name: Login to the registry - production | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: "oauth2accesstoken" | |
| password: "${{ steps.google-auth-prd.outputs.access_token }}" | |
| - name: "Build and push ${{ matrix.application }} - production" | |
| env: | |
| ENVIRONMENT: prd | |
| IMAGE_TAG: ${{ env.REPOSITORY_PRD }}/${{ matrix.image_name }}:${{ github.ref_name }} | |
| run: | | |
| cd ${{ matrix.path }} | |
| make image/build-and-push | |
| - name: "Build and push ${{ matrix.application }} tag latest - production" | |
| if: ${{ matrix.tag_latest == true }} | |
| env: | |
| ENVIRONMENT: prd | |
| IMAGE_TAG: "${{ env.REPOSITORY_PRD }}/${{ matrix.image_name }}:latest" | |
| run: | | |
| cd ${{ matrix.path }} | |
| make image/build-and-push | |
| deploy-to-non-production: | |
| needs: [build-makefile] | |
| permissions: | |
| id-token: write | |
| contents: write | |
| runs-on: ubuntu-22.04 | |
| if: github.event_name == 'release' | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| application: | |
| - otterscan-testnet | |
| env: | |
| APP_NAME: ${{ matrix.application }} | |
| Z_ENV: infra/live/gcp/non-production/prj-d-staging/z_ase1.yaml | |
| Z_SERVICE_ACCOUNT: ${{ secrets.GCP_STG_GITHUB_SA_K8S_DEPLOY }} | |
| OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_STG }} | |
| GITHUB_PAT: ${{ secrets.GH_PAT }} | |
| Z_IMAGE: asia-docker.pkg.dev/prj-d-devops-services-4dgwlsse/zilliqa-private/z:latest | |
| REGISTRY: asia-docker.pkg.dev | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 | |
| with: | |
| repository: Zilliqa/devops | |
| token: ${{ env.GITHUB_PAT }} | |
| ref: main | |
| sparse-checkout: | | |
| ${{ env.Z_ENV }} | |
| - name: Authenticate to Google Cloud | |
| id: google-auth | |
| uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa | |
| with: | |
| token_format: "access_token" | |
| workload_identity_provider: "${{ secrets.GCP_PRD_GITHUB_WIF }}" | |
| service_account: ${{ env.Z_SERVICE_ACCOUNT }} | |
| create_credentials_file: true | |
| - name: Deploy application | |
| run: | | |
| gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://${{ env.REGISTRY }} | |
| docker run --rm \ | |
| -e ZQ_USER='${{ env.Z_SERVICE_ACCOUNT }}' \ | |
| -e Z_ENV='/devops/${{ env.Z_ENV }}' \ | |
| -e OP_SERVICE_ACCOUNT_TOKEN='${{ env.OP_SERVICE_ACCOUNT_TOKEN }}' \ | |
| -e GITHUB_PAT='${{ env.GITHUB_PAT }}' \ | |
| -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/google/application_default_credentials.json' \ | |
| -v `pwd`:/devops \ | |
| -v ${{ steps.google-auth.outputs.credentials_file_path }}:/google/application_default_credentials.json \ | |
| --name z_container ${{ env.Z_IMAGE }} \ | |
| bash -c "gcloud config set account ${{ env.Z_SERVICE_ACCOUNT }} && z /app /devops app sync --cache-dir .cache ${{ env.APP_NAME }}" | |
| deploy-to-production: | |
| needs: [build-makefile] | |
| permissions: | |
| id-token: write | |
| contents: write | |
| runs-on: ubuntu-22.04 | |
| if: github.event_name == 'release' | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| application: | |
| - otterscan-mainnet | |
| env: | |
| APP_NAME: ${{ matrix.application }} | |
| Z_ENV: infra/live/gcp/production/prj-p-prod-apps/z_ase1.yaml | |
| Z_SERVICE_ACCOUNT: ${{ secrets.GCP_PRD_GITHUB_SA_K8S_DEPLOY }} | |
| OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_PRD }} | |
| GITHUB_PAT: ${{ secrets.GH_PAT }} | |
| Z_IMAGE: asia-docker.pkg.dev/prj-p-devops-services-tvwmrf63/zilliqa-private/z:latest | |
| REGISTRY: asia-docker.pkg.dev | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 | |
| with: | |
| repository: Zilliqa/devops | |
| token: ${{ env.GITHUB_PAT }} | |
| ref: main | |
| sparse-checkout: | | |
| ${{ env.Z_ENV }} | |
| - name: Authenticate to Google Cloud | |
| id: google-auth | |
| uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa | |
| with: | |
| token_format: "access_token" | |
| workload_identity_provider: "${{ secrets.GCP_PRD_GITHUB_WIF }}" | |
| service_account: ${{ env.Z_SERVICE_ACCOUNT }} | |
| create_credentials_file: true | |
| - name: Deploy application | |
| run: | | |
| gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://${{ env.REGISTRY }} | |
| docker run --rm \ | |
| -e ZQ_USER='${{ env.Z_SERVICE_ACCOUNT }}' \ | |
| -e Z_ENV='/devops/${{ env.Z_ENV }}' \ | |
| -e OP_SERVICE_ACCOUNT_TOKEN='${{ env.OP_SERVICE_ACCOUNT_TOKEN }}' \ | |
| -e GITHUB_PAT='${{ env.GITHUB_PAT }}' \ | |
| -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/google/application_default_credentials.json' \ | |
| -v `pwd`:/devops \ | |
| -v ${{ steps.google-auth.outputs.credentials_file_path }}:/google/application_default_credentials.json \ | |
| --name z_container ${{ env.Z_IMAGE }} \ | |
| bash -c "gcloud config set account ${{ env.Z_SERVICE_ACCOUNT }} && z /app /devops app sync --cache-dir .cache ${{ env.APP_NAME }}" |