alpen-dashboards/.github/workflows/cd.yml at 2129a592cc22aaf4445e95f3d0b24d3bf7d773e4 · alpenlabs/alpen-dashboards · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
name: Kubernetes CI/CD

on:
  push:
    branches:
      - main
  # pull_request:
  #   branches:
  #     - main
  #   types:
  #     - closed
  workflow_dispatch:
    inputs:
      environment:
        description: 'Select environment'
        default: 'staging'
        type: choice
        options:
          - staging
          # currently we do not support cd to production, its only for future reference
          - production
env:
  CI: false
  COMMIT: ${{ github.sha }}

permissions: {}

jobs:
  build-and-push:
    permissions:
      id-token: write
    name: Build and Push Docker Images
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment || (github.ref == 'refs/heads/main' && 'staging') }}
    strategy:
      matrix:
        service: [frontend, backend]
    outputs:
      service: ${{ matrix.service }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - name: Configure AWS ECR Details
        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4
        with:
          role-to-assume: ${{ secrets.AWS_ECR_ROLE }}
          aws-region: us-east-1
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
        with:
          mask-password: "true"
      - name: Build and push Docker image
        id: build-and-push
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY_PREFIX: ${{ vars.ECR_REPOSITORY_PREFIX }}
        run: |
          IMAGE_TAG=${COMMIT::7}
          SERVICE="${{ matrix.service }}"
          echo "Building and pushing $SERVICE image with tag $IMAGE_TAG and latest"

          DOCKERFILE_PATH="$SERVICE.Dockerfile"
          CONTEXT_DIR="."
          ECR_REPOSITORY="$ECR_REPOSITORY_PREFIX/${SERVICE}"

          # Build with both the commit tag and latest
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG \
                      -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \
                      -f $DOCKERFILE_PATH $CONTEXT_DIR

          # Push both tags
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
  update-helm-values:
    name: Update Helm Values
    needs: [build-and-push]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    environment: ${{ inputs.environment || (github.ref == 'refs/heads/main' && 'staging') }}
    steps:
      - name: Set up SSH for private repo access
        uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # 0.9.1
        with:
          ssh-private-key: ${{ secrets.DEPLOYMENTS_REPO_WRITE }}
      - name: Clone deployments repo (specific branch)
        env:
          BRANCH_OF_DEPLOYMENT_REPO: ${{ vars.BRANCH_OF_DEPLOYMENT_REPO }}
        run: |
          git clone --depth=1 --branch "$BRANCH_OF_DEPLOYMENT_REPO" [email protected]:alpenlabs/deployments.git deployments
          cd deployments || exit 1
          git checkout "$BRANCH_OF_DEPLOYMENT_REPO"

      - name: Install yq
        run: |
          sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq
          sudo chmod +x /usr/local/bin/yq
      - name: Debug yq Version
        run: |
          yq --version
          which yq
      - name: Update Docker image tag in Helm values # Sanitized SHORT_TAG and safe yq usage
        env:
          CLUSTER_NAME: ${{ vars.CLUSTER_NAME }}
        run: |
          # Sanitize and truncate SHORT_TAG
          SHORT_TAG="${COMMIT//[^a-zA-Z0-9._-]/}"
          SHORT_TAG="${SHORT_TAG:0:7}"

          VALUES_FILE="deployments/clusters/$CLUSTER_NAME/values/strata-apps-values.yaml"


          echo "Updating frontend tag in $VALUES_FILE"
          yq eval -i ".strataStatus.frontend.image.tag = \"$SHORT_TAG\"" "$VALUES_FILE"

          echo "Updating backend tag in $VALUES_FILE"
          yq eval -i ".strataStatus.backend.image.tag = \"$SHORT_TAG\"" "$VALUES_FILE"


      - name: Commit and push changes
        env:
          GH_ACTIONS_USER_NAME: ${{ vars.GH_ACTIONS_USER_NAME }}
          CLUSTER_NAME: ${{ vars.CLUSTER_NAME }}
          BRANCH_OF_DEPLOYMENT_REPO: ${{ vars.BRANCH_OF_DEPLOYMENT_REPO }}
        run: |
          SHORT_TAG="${COMMIT//[^a-zA-Z0-9._-]/}"
          SHORT_TAG="${SHORT_TAG:0:7}"

          cd deployments
          git config user.name "$GH_ACTIONS_USER_NAME"
          git config user.email "[email protected]"

          if git diff --quiet; then
            echo "No changes to commit."
          else
            git add clusters/$CLUSTER_NAME/values
            git commit -m "Update image tags to $SHORT_TAG for updated services"
            git pull --rebase origin $BRANCH_OF_DEPLOYMENT_REPO
            git push origin $BRANCH_OF_DEPLOYMENT_REPO
          fi