ci: set up deploy cloudrun composite action

Author: stdavis

.github/actions/deploy-cloudrun/action.yml

@@ -0,0 +1,116 @@
+name: Deploy
+description: Deploy to GCP
+inputs:
+  project_id:
+    description: 'The GCP project ID'
+    required: true
+  identity_provider:
+    description: 'The identity provider for the workload identity'
+    required: true
+  service_account_email:
+    description: 'The service account email'
+    required: true
+  pause_schedule_job:
+    description: 'Pause the scheduler job'
+    required: false
+    default: 'no'
+  github_token:
+    description: 'The GitHub token'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Set globals
+      id: globals
+      shell: bash
+      run: |
+        echo "TOPIC_NAME=backup-topic" >> "${GITHUB_OUTPUT}"
+        echo "CRON=0 4 * * *" >> "${GITHUB_OUTPUT}"
+        echo "JOB_NAME=nightly" >> "${GITHUB_OUTPUT}"
+        echo "JOB_DESCRIPTION=Trigger the backup job every evening at 10 PM MDT" >> "${GITHUB_OUTPUT}"
+
+    - name: 🗝️ Authenticate to Google Cloud
+      id: auth
+      uses: google-github-actions/auth@v2
+      with:
+        token_format: access_token
+        workload_identity_provider: ${{ inputs.identity_provider }}
+        service_account: ${{ inputs.service_account_email }}
+
+    - name: 🐳 Set up Docker Buildx
+      id: builder
+      uses: docker/setup-buildx-action@v3
+
+    - name: 🗝️ Authenticate Docker to Google Cloud
+      uses: docker/login-action@v3
+      with:
+        registry: us-central1-docker.pkg.dev
+        username: oauth2accesstoken
+        password: ${{ steps.auth.outputs.access_token }}
+
+    - name: 🏷️ Extract tags from GitHub
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        github-token: ${{ inputs.github_token }}
+        images: us-central1-docker.pkg.dev/${{ inputs.project_id }}/images/job
+        tags: |
+          type=ref,suffix=-{{sha}},event=branch
+          type=ref,prefix=pr-,suffix=-{{sha}},event=pr
+          type=semver,pattern={{version}}
+          latest
+
+    - name: 📦 Build and push image
+      uses: docker/build-push-action@v6
+      with:
+        builder: ${{ steps.builder.outputs.name }}
+        tags: ${{ steps.meta.outputs.tags }}
+        context: ./jobs
+        file: ./Dockerfile
+        push: true
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        provenance: false
+
+    - name: 🚀 Deploy Main Cloud Run Job
+      id: deploy
+      uses: google-github-actions/deploy-cloudrun@v2
+      with:
+        job: ${{ steps.globals.outputs.JOB_NAME }}
+        image: us-central1-docker.pkg.dev/${{ inputs.project_id }}/images/job:latest
+        timeout: 60m
+        secrets: |
+          /secrets/app/secrets.json=secrets:latest
+        flags: |
+          --memory=512Mi
+          --service-account=cloud-run-sa@${{ inputs.project_id }}.iam.gserviceaccount.com
+
+    - name: 🕰️ Create Main Cloud Scheduler
+      shell: bash
+      run: |
+        if [ ! "$(gcloud scheduler jobs list --location=us-central1 | grep ${{ steps.globals.outputs.JOB_NAME }})" ]; then
+          gcloud scheduler jobs create http "${{ steps.globals.outputs.JOB_NAME }}" \
+            --description="${{ steps.globals.outputs.JOB_DESCRIPTION }}" \
+            --schedule="${{ steps.globals.outputs.CRON }}" \
+            --time-zone=America/Denver \
+            --location=us-central1 \
+            --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ inputs.project_id }}/jobs/${{ steps.globals.outputs.JOB_NAME }}:run" \
+            --oauth-service-account-email=scheduler-sa@${{ inputs.project_id }}.iam.gserviceaccount.com \
+            --quiet
+        else
+          gcloud scheduler jobs update http "${{ steps.globals.outputs.JOB_NAME }}" \
+            --description="${{ steps.globals.outputs.JOB_DESCRIPTION }}" \
+            --schedule="${{ steps.globals.outputs.CRON }}" \
+            --time-zone=America/Denver \
+            --location=us-central1 \
+            --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ inputs.project_id }}/jobs/${{ steps.globals.outputs.JOB_NAME }}:run" \
+            --oauth-service-account-email=scheduler-sa@${{ inputs.project_id }}.iam.gserviceaccount.com \
+            --quiet
+        fi
+
+    - name: 🙅 Pause Scheduler Job
+      shell: bash
+      if: inputs.pause_schedule_job != 'no'
+      run: |
+        gcloud scheduler jobs pause "${{ steps.globals.outputs.JOB_NAME }}" --location=us-central1 --quiet

.github/workflows/push.yml

@@ -119,37 +119,35 @@ jobs:
       - name: 🚀 Deploy to Cloud Run Job
         uses: google-github-actions/deploy-cloudrun@v2
         with:
-          project_id: secrets.PROJECT_ID
-          region: us-central1
-          image: us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job:latest
-          job: default
-          secrets: /secrets/app/secrets.json=skid-secrets:latest
-          timeout: 3h
-          flags: >
-            '--cpu=1
-            --memory=3Gi
-            --service-account=cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
-            --timeout=3h
-            --max-instances=1
-            --max-retries=0
-            --parallelism=0'
-
-      - name: 🕰️ Create Cloud Scheduler
-        run: |
-          if [ ! "$(gcloud scheduler jobs list --location=us-central1 | grep saturday-evening)" ]; then
-            gcloud scheduler jobs create http saturday-evening \
-              --description="Trigger the nfhl-skid bot once a week on saturday evening" \
-              --schedule="0 3 * * 6" \
-              --time-zone=America/Denver \
-              --location=us-central1 \
-              --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
-              --oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
-          else
-            gcloud scheduler jobs update http saturday-evening \
-              --description="Trigger the nfhl-skid bot once a week on saturday evening" \
-              --schedule="0 3 * * 6" \
-              --time-zone=America/Denver \
-              --location=us-central1 \
-              --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
-              --oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
-          fi
+          identity-provider: ${{ secrets.IDENTITY_PROVIDER }}
+          service-account-email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+          project-id: ${{ secrets.PROJECT_ID }}
+          build-command: npm run build -- --mode dev
+        env:
+          VITE_FIREBASE_CONFIG: ${{ secrets.FIREBASE_CONFIG }}
+
+  deploy-cloudrun-dev:
+    name: Deploy Cloud Run to dev
+    runs-on: ubuntu-latest
+    if: github.ref_name == 'dev'
+    environment:
+      name: dev
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: ⬇️ Set up code
+        uses: actions/checkout@v4
+        with:
+          show-progress: false
+
+      - name: 🚀 Deploy
+        uses: ./.github/actions/deploy-cloudrun
+        timeout-minutes: 15
+        with:
+          project_id: ${{ secrets.PROJECT_ID }}
+          identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
+          service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+          pause_schedule_job: 'yes'
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -9,113 +9,30 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  deploy-python-prod:
+  deploy-cloudrun-prod:
     name: Deploy python production
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
+    if: github.ref_name == 'main'
     environment:
       name: prod
     permissions:
       id-token: write
       contents: read
 
     steps:
-      - name: ⬇️ Checkout code
+      - name: ⬇️ Set up code
         uses: actions/checkout@v4
         with:
           show-progress: false
 
-      - name: 🗝️ Authenticate to Google Cloud
-        id: auth
-        uses: google-github-actions/auth@v2
-        with:
-          workload_identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
-          service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
-          token_format: 'access_token'
-
-      - name: 🐳 Set up Docker Buildx
-        id: builder
-        uses: docker/setup-buildx-action@v3
-
-      - name: 🗝️ Authenticate Docker to Google Cloud
-        uses: docker/login-action@v3
-        with:
-          registry: us-central1-docker.pkg.dev
-          username: oauth2accesstoken
-          password: ${{ steps.auth.outputs.access_token }}
-
-      - name: 🏷️ Extract tags from GitHub
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          images: us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job
-          tags: |
-            type=ref,suffix=-{{sha}},event=branch
-            type=ref,prefix=pr-,suffix=-{{sha}},event=pr
-            type=semver,pattern={{version}}
-            latest
-
-      - name: 📦 Build and push image
-        uses: docker/build-push-action@v6
+      - name: 🚀 Deploy
+        uses: ./.github/actions/deploy-cloudrun
+        timeout-minutes: 15
         with:
-          builder: ${{ steps.builder.outputs.name }}
-          tags: ${{ steps.meta.outputs.tags }}
-          context: .
-          file: ./Dockerfile
-          push: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          provenance: false
-
-      - name: ☁️ Set up Cloud SDK
-        uses: google-github-actions/setup-gcloud@v2
-
-      - name: 🚀 Deploy to Cloud Run Job
-        run: |
-          if [ ! "$(gcloud run jobs list | grep default)" ]; then
-            gcloud run jobs create default \
-              --region us-central1 \
-              --image us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job:latest \
-              --service-account cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com \
-              --memory=3Gi \
-              --cpu=1 \
-              --max-retries 0 \
-              --parallelism 0 \
-              --set-secrets=/secrets/app/secrets.json=skid-secrets:latest \
-              --task-timeout 3h
-          else
-            gcloud run jobs update default \
-              --region us-central1 \
-              --image us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job:latest \
-              --service-account cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com \
-              --memory=3Gi \
-              --cpu=1 \
-              --max-retries 0 \
-              --parallelism 0 \
-              --set-secrets=/secrets/app/secrets.json=skid-secrets:latest \
-              --task-timeout 3h
-          fi
-
-      - name: 🕰️ Create Cloud Scheduler
-        run: |
-          if [ ! "$(gcloud scheduler jobs list --location=us-central1 | grep saturday-evening)" ]; then
-          gcloud scheduler jobs create http saturday-evening \
-            --description="Trigger the nfhl-skid bot once a week on saturday evening" \
-            --schedule="0 3 * * 6" \
-            --time-zone=America/Denver \
-            --location=us-central1 \
-            --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
-            --oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
-          else
-            gcloud scheduler jobs update http saturday-evening \
-              --description="Trigger the nfhl-skid bot once a week on saturday evening" \
-              --schedule="0 3 * * 6" \
-              --time-zone=America/Denver \
-              --location=us-central1 \
-              --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
-              --oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
-          fi
+          project_id: ${{ secrets.PROJECT_ID }}
+          identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
+          service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
   deploy-firebase-prod:
     name: Deploy Firebase project to production

.vscode/settings.json

@@ -1,9 +1,13 @@
 {
   "cSpell.words": [
+    "accesstoken",
     "appspot",
+    "Buildx",
+    "cloudrun",
     "dotenv",
     "firestore",
     "fromitem",
+    "gserviceaccount",
     "instafail",
     "orgid",
     "prebuild",