Deploy Bridge Develop/Staging (GCP) #52
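# Manually-dispatched build + deploy of the Bridge frontend to the staging GKE
# cluster. Flow: dependency audit -> build image and push to Artifact Registry
# (tag = target environment) -> rollout-restart the existing Deployment so it
# picks up the freshly pushed tag. The Deployment itself is expected to be
# created by Terraform (see "Verify deployment exists").
name: Deploy Bridge Develop/Staging (GCP)

on:
  workflow_dispatch:
    inputs:
      environment:
        description: 'Select the deployment environment'
        required: true
        default: 'develop'
        type: choice
        options:
          - staging
          - develop

# Serialize deploys per target environment: a second dispatch for the same
# environment waits for the first one's rollout instead of racing it.
concurrency:
  group: deploy-bridge-${{ inputs.environment }}
  cancel-in-progress: false

env:
  GCP_PROJECT: gnosischain-staging
  GCP_REGION: europe-west1
  GKE_CLUSTER: gnosischain-staging
  NAMESPACE: gc-tools

# Least privilege: the workflow-wide token is read-only (actions/checkout only
# needs `contents: read`). Jobs that mint an OIDC token for GCP Workload
# Identity request `id-token: write` at job level; anything not listed at job
# level is `none`.
permissions:
  contents: read

jobs:
  security-audit:
    name: Dependency Security Audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
      - name: Enable Corepack
        run: |
          npm install -g corepack@0.34.6
          corepack enable
      - name: Setup Node
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version-file: '.nvmrc'
          cache: 'pnpm'
      - name: Install dependencies
        # --frozen-lockfile: fail instead of silently resolving a lockfile drift.
        run: pnpm install --frozen-lockfile
      - name: Run security audit
        # Fails the job (and therefore the deploy) on any high/critical advisory.
        run: pnpm audit --audit-level=high

  build-and-push:
    name: Build and Push to Artifact Registry
    needs: security-audit
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required to request the OIDC JWT for google-github-actions/auth
      contents: read # required for actions/checkout
    outputs:
      environment: ${{ steps.set-env.outputs.environment }}
      deployment_name: ${{ steps.set-env.outputs.deployment_name }}
      # Exactly one of the two build steps runs; the other's outputs are empty.
      image_digest: ${{ steps.build-develop.outputs.digest || steps.build-staging.outputs.digest }}
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Set environment variables
        id: set-env
        # The input is passed through an env var rather than interpolated into
        # the script text, so it is never parsed as shell. It is a `choice`
        # input, but the default branch still fails loudly instead of leaving
        # every output empty (which would have produced `deployment/` downstream).
        env:
          TARGET_ENV: ${{ inputs.environment }}
        run: |
          case "$TARGET_ENV" in
            develop)
              echo "environment=dev" >> "$GITHUB_OUTPUT"
              echo "image_tag=develop" >> "$GITHUB_OUTPUT"
              echo "deployment_name=bridge-dev" >> "$GITHUB_OUTPUT"
              echo "domain=dev.bridge.gnosisdev.com" >> "$GITHUB_OUTPUT"
              ;;
            staging)
              echo "environment=staging" >> "$GITHUB_OUTPUT"
              echo "image_tag=staging" >> "$GITHUB_OUTPUT"
              echo "deployment_name=bridge-staging" >> "$GITHUB_OUTPUT"
              echo "domain=staging.bridge.gnosisdev.com" >> "$GITHUB_OUTPUT"
              ;;
            *)
              echo "::error::Unknown environment '$TARGET_ENV' (expected 'develop' or 'staging')"
              exit 1
              ;;
          esac

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

      - name: Configure Docker for Artifact Registry
        run: |
          gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet

      # NOTE(review): everything below is passed as a Docker build-arg, which is
      # recorded in the image's build metadata, and the NEXT_PUBLIC_ prefix
      # means Next.js inlines the value into the browser bundle. Treat these as
      # public configuration even though they live in `secrets`; anything that
      # must stay confidential (e.g. an RPC URL carrying an API key) should not
      # be shipped this way.
      - name: Build and push DEVELOP to Artifact Registry
        id: build-develop
        if: inputs.environment == 'develop'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        with:
          context: .
          file: ./app/Dockerfile
          push: true
          tags: ${{ env.GCP_REGION }}-docker.pkg.dev/${{ env.GCP_PROJECT }}/bridge/bridge:develop
          platforms: linux/amd64
          build-args: |
            "NEXT_PUBLIC_APP_NAME=GnosisBridge"
            "NEXT_PUBLIC_DEFAULT_THEME=dark"
            "NEXT_PUBLIC_DEFAULT_CHAIN_ID=1"
            "NEXT_PUBLIC_COOKIES_WARNING_ENABLED=true"
            "NEXT_PUBLIC_POLLING_INTERVAL=10000"
            "NEXT_PUBLIC_RPC_MAINNET=${{ secrets.DEV_RPC_MAINNET }}"
            "NEXT_PUBLIC_RPC_GNOSIS=${{ secrets.DEV_RPC_GNOSIS }}"
            "NEXT_PUBLIC_WALLET_CONNECT_DAPP_URL=${{ secrets.WALLET_CONNECT_URL }}"
            "NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID=${{ secrets.WALLET_CONNECT_PROJECT_ID }}"
            "NEXT_PUBLIC_ALCHEMY_API_KEY=${{ secrets.DEV_NEXT_PUBLIC_ALCHEMY_API_KEY }}"
            "NEXT_PUBLIC_ENVIO_INDEXER_URL=${{ secrets.DEV_ENVIO_INDEXER_URL }}"
            "NEXT_PUBLIC_INDEXER_BACKEND=${{ secrets.DEV_INDEXER_BACKEND }}"

      - name: Build and push STAGING to Artifact Registry
        id: build-staging
        if: inputs.environment == 'staging'
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        with:
          context: .
          file: ./app/Dockerfile
          push: true
          tags: ${{ env.GCP_REGION }}-docker.pkg.dev/${{ env.GCP_PROJECT }}/bridge/bridge:staging
          platforms: linux/amd64
          build-args: |
            "NEXT_PUBLIC_APP_NAME=GnosisBridge"
            "NEXT_PUBLIC_DEFAULT_THEME=dark"
            "NEXT_PUBLIC_DEFAULT_CHAIN_ID=1"
            "NEXT_PUBLIC_COOKIES_WARNING_ENABLED=true"
            "NEXT_PUBLIC_POLLING_INTERVAL=10000"
            "NEXT_PUBLIC_RPC_MAINNET=${{ secrets.PROD_RPC_MAINNET }}"
            "NEXT_PUBLIC_RPC_GNOSIS=${{ secrets.PROD_RPC_GNOSIS }}"
            "NEXT_PUBLIC_WALLET_CONNECT_DAPP_URL=${{ secrets.WALLET_CONNECT_URL }}"
            "NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID=${{ secrets.WALLET_CONNECT_PROJECT_ID }}"
            "NEXT_PUBLIC_ALCHEMY_API_KEY=${{ secrets.PROD_NEXT_PUBLIC_ALCHEMY_API_KEY }}"
            "NEXT_PUBLIC_ENVIO_INDEXER_URL=${{ secrets.PROD_ENVIO_INDEXER_URL }}"
            "NEXT_PUBLIC_INDEXER_BACKEND=${{ secrets.PROD_INDEXER_BACKEND }}"

  deploy-to-gke:
    name: Deploy to GKE ${{ needs.build-and-push.outputs.environment }}
    needs: build-and-push
    runs-on: ubuntu-latest
    permissions:
      id-token: write # OIDC JWT for google-github-actions/auth; no checkout here
    env:
      # Fixed strings produced by set-env above; exposed as env vars so the
      # kubectl commands below do not interpolate workflow expressions into shell.
      DEPLOYMENT_NAME: ${{ needs.build-and-push.outputs.deployment_name }}
      IMAGE_DIGEST: ${{ needs.build-and-push.outputs.image_digest }}
    steps:
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2

      - name: Install gke-gcloud-auth-plugin
        run: |
          gcloud components install gke-gcloud-auth-plugin

      # Connect to Twingate to reach the GKE API server (master authorized
      # networks are restricted, hence --internal-ip below).
      - name: Connect to Twingate
        # TODO(review): pin to a full commit SHA like every other action in this
        # file; `@v1` is a mutable tag that the publisher can move at any time.
        uses: twingate/github-action@v1
        with:
          service-key: ${{ secrets.TWINGATE_SERVICE_KEY_STAGING }}

      - name: Configure kubectl
        run: |
          gcloud container clusters get-credentials ${{ env.GKE_CLUSTER }} \
            --region ${{ env.GCP_REGION }} \
            --project ${{ env.GCP_PROJECT }} \
            --internal-ip

      - name: Verify deployment exists
        run: |
          if [ -z "$DEPLOYMENT_NAME" ]; then
            echo "::error::deployment_name output is empty; the build job did not resolve the environment"
            exit 1
          fi
          if ! kubectl get "deployment/$DEPLOYMENT_NAME" -n "$NAMESPACE" &> /dev/null; then
            echo "Deployment $DEPLOYMENT_NAME does not exist in namespace $NAMESPACE"
            echo "Please ensure Terraform has been applied first to create the deployment"
            exit 1
          fi

      - name: Restart deployment
        # The image tag (develop/staging) is mutable and the Deployment spec is
        # not changed here, so the restart only picks up the new build if the
        # pod spec re-pulls on start (imagePullPolicy: Always) — confirm in the
        # Terraform-managed manifest. The pushed digest is logged so a rollout
        # can be tied back to an exact image.
        run: |
          echo "Rolling out image digest: ${IMAGE_DIGEST:-<unknown>}"
          kubectl rollout restart "deployment/$DEPLOYMENT_NAME" -n "$NAMESPACE"

      - name: Wait for rollout to complete
        run: |
          kubectl rollout status "deployment/$DEPLOYMENT_NAME" -n "$NAMESPACE" --timeout=5m

      - name: Get deployment status
        if: always()
        run: |
          echo "=== Deployment Status ==="
          kubectl get "deployment/$DEPLOYMENT_NAME" -n "$NAMESPACE"
          echo ""
          echo "=== Pod Status ==="
          kubectl get pods -n "$NAMESPACE" -l "app=$DEPLOYMENT_NAME"
          echo ""
          echo "=== Recent Events ==="
          kubectl get events -n "$NAMESPACE" --sort-by='.lastTimestamp' | tail -20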