Skip to content

feat: service deployments #1668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gaspergrom merged 5 commits into from
Feb 12, 2026
+121 −28
Merged

feat: service deployments #1668

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
df0c530
feat: service deployments
gaspergrom Feb 8, 2026
0141d2a
fix: deployment issue
gaspergrom Feb 10, 2026
654715e
fix: build issues
gaspergrom Feb 10, 2026
1baa765
Merge branch 'main' into feat/service-deployments
gaspergrom Feb 12, 2026
a8c2a06
feat: pr comments
gaspergrom Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 14 additions & 4 deletions .github/actions/build-docker-image/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,16 @@ inputs:
description: The APP_ENV to pass as a build argument
required: false
default: production
dockerfile:
description: Path to the Dockerfile
required: true
image-name:
description: Image name (e.g. insights-app, package-downloads-worker)
required: true
build-args:
description: Extra build args (newline-separated KEY=VALUE)
required: false
default: ''

outputs:
image:
Expand All @@ -21,7 +31,7 @@ runs:
run: |
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-6)
IMAGE_VERSION="${SHORT_SHA}.${{ github.run_attempt }}"
IMAGE_TAG="sjc.ocir.io/axbydjxa5zuh/insights-app:${IMAGE_VERSION}"
IMAGE_TAG="sjc.ocir.io/axbydjxa5zuh/${{ inputs.image-name }}:${IMAGE_VERSION}"
echo "IMAGE_VERSION=${IMAGE_VERSION}" >> $GITHUB_OUTPUT
echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_OUTPUT

Expand All @@ -39,11 +49,11 @@ runs:
uses: docker/build-push-action@v6
with:
context: .
file: frontend/Dockerfile
file: ${{ inputs.dockerfile }}
push: true
Comment on lines 49 to 53
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

docker/build-push-action is invoked with context: ., which uses the repo-root .dockerignore. That .dockerignore currently excludes workers and submodules, but the worker Dockerfiles copy those paths, so builds for the worker services will fail with missing files. Consider updating the root .dockerignore to include these directories (or make the build context/dockerignore configurable per service) so worker builds have access to required sources.

Copilot uses AI. Check for mistakes.
Copy link
Collaborator

@emlimlf emlimlf Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this is a valid comment, but might be worth checking out

tags: ${{ steps.tag-generator.outputs.IMAGE_TAG }}
build-args: |
APP_ENV=${{ inputs.app-env }}
NUXT_REDIS_URL=${{ env.NUXT_REDIS_URL }}
${{ inputs.build-args }}
no-cache: true
provenance: false
provenance: false
50 changes: 45 additions & 5 deletions .github/workflows/production-deploy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,16 @@ name: Production Deploy

on:
workflow_dispatch:
inputs:
service:
description: Service to deploy
required: true
type: choice
default: frontend
options:
- frontend
- package-downloads-worker
- search-volume-worker

env:
CLOUD_ENV: lf-oracle-production
Expand All @@ -21,6 +31,32 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
submodules: recursive

- name: Set service config
id: config
run: |
case "${{ inputs.service }}" in
frontend)
echo "dockerfile=frontend/Dockerfile" >> $GITHUB_OUTPUT
echo "image_name=insights-app" >> $GITHUB_OUTPUT
echo "k8s_deployment=insights-app-dpl" >> $GITHUB_OUTPUT
Comment on lines +40 to +44
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The case over ${{ inputs.service }} has no default (*) branch. If this workflow is triggered with an unexpected value (e.g., via API), it will continue with empty outputs and fail later in a less obvious way. Consider adding a default branch that prints an error and exits non-zero.

Copilot uses AI. Check for mistakes.
echo "k8s_container=frontend" >> $GITHUB_OUTPUT
;;
package-downloads-worker)
echo "dockerfile=workers/temporal/package_downloads_worker/Dockerfile" >> $GITHUB_OUTPUT
echo "image_name=package-downloads-worker" >> $GITHUB_OUTPUT
echo "k8s_deployment=package-downloads-worker-dpl" >> $GITHUB_OUTPUT
echo "k8s_container=package-downloads-worker" >> $GITHUB_OUTPUT
;;
search-volume-worker)
echo "dockerfile=workers/temporal/search_volume_worker/Dockerfile" >> $GITHUB_OUTPUT
echo "image_name=insights-search-volume-worker" >> $GITHUB_OUTPUT
echo "k8s_deployment=search-volume-worker-dpl" >> $GITHUB_OUTPUT
echo "k8s_container=search-volume-worker" >> $GITHUB_OUTPUT
;;
esac

- name: Setup OCI CLI and Kubectl
run: |
Expand Down Expand Up @@ -64,17 +100,21 @@ jobs:
id: build-docker-image
with:
app-env: production
env:
NUXT_REDIS_URL: ${{ env.NUXT_REDIS_URL }}
dockerfile: ${{ steps.config.outputs.dockerfile }}
image-name: ${{ steps.config.outputs.image_name }}
build-args: ${{ inputs.service == 'frontend' && format('NUXT_REDIS_URL={0}', env.NUXT_REDIS_URL) || '' }}
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NUXT_REDIS_URL is being passed into the Docker build as a build-arg. Since frontend/Dockerfile exports it as an ENV during the build, this value (often including credentials) can be baked into image layers/build output and be recoverable from the image. Prefer injecting Redis configuration at runtime (Kubernetes env/config) rather than at build time, or ensure the build does not persist secrets into the resulting image.

Suggested change
build-args: ${{ inputs.service == 'frontend' && format('NUXT_REDIS_URL={0}', env.NUXT_REDIS_URL) || '' }}
build-args: ''

Copilot uses AI. Check for mistakes.
Copy link
Collaborator

@emlimlf emlimlf Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one might be a security issue


- name: Update Deployment Image
run: |
kubectl set image deployment/insights-app-dpl frontend=${{ steps.build-docker-image.outputs.image }} -n insights
kubectl rollout status deployment/insights-app-dpl -n insights --timeout=300s
kubectl set image deployment/${{ steps.config.outputs.k8s_deployment }} \
${{ steps.config.outputs.k8s_container }}=${{ steps.build-docker-image.outputs.image }} \
-n insights
kubectl rollout status deployment/${{ steps.config.outputs.k8s_deployment }} -n insights --timeout=300s

- name: Flush Redis cache
if: inputs.service == 'frontend'
run: |
REDIS_URL=$(kubectl get configmap insights-config-map -n insights -o jsonpath="{.data.NUXT_REDIS_URL}")
PASSWORD=$(echo "$REDIS_URL" | sed -n 's|.*://:\([^@]*\)@.*|\1|p')
kubectl exec -i redis-client -n insights -- \
redis-cli -h redis-svc -a "$PASSWORD" FLUSHALL
redis-cli -h redis-svc -a "$PASSWORD" FLUSHALL
47 changes: 43 additions & 4 deletions .github/workflows/staging-deploy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,16 @@ name: Staging Deploy

on:
workflow_dispatch:
inputs:
service:
description: Service to deploy
required: true
type: choice
default: frontend
options:
- frontend
- package-downloads-worker
- search-volume-worker

env:
CLOUD_ENV: lf-oracle-staging
Expand All @@ -21,6 +31,32 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
submodules: recursive

- name: Set service config
id: config
run: |
case "${{ inputs.service }}" in
frontend)
echo "dockerfile=frontend/Dockerfile" >> $GITHUB_OUTPUT
echo "image_name=insights-app" >> $GITHUB_OUTPUT
echo "k8s_deployment=insights-app-dpl" >> $GITHUB_OUTPUT
Comment on lines +40 to +44
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The case over ${{ inputs.service }} has no default (*) branch. If this workflow is triggered with an unexpected value (e.g., via API), it will continue with empty outputs and fail later in a less obvious way. Consider adding a default branch that prints an error and exits non-zero.

Copilot uses AI. Check for mistakes.
echo "k8s_container=frontend" >> $GITHUB_OUTPUT
;;
package-downloads-worker)
echo "dockerfile=workers/temporal/package_downloads_worker/Dockerfile" >> $GITHUB_OUTPUT
echo "image_name=package-downloads-worker" >> $GITHUB_OUTPUT
echo "k8s_deployment=package-downloads-worker-dpl" >> $GITHUB_OUTPUT
echo "k8s_container=package-downloads-worker" >> $GITHUB_OUTPUT
;;
search-volume-worker)
echo "dockerfile=workers/temporal/search_volume_worker/Dockerfile" >> $GITHUB_OUTPUT
echo "image_name=insights-search-volume-worker" >> $GITHUB_OUTPUT
echo "k8s_deployment=search-volume-worker-dpl" >> $GITHUB_OUTPUT
echo "k8s_container=search-volume-worker" >> $GITHUB_OUTPUT
;;
esac

- name: Setup OCI CLI and Kubectl
run: |
Expand Down Expand Up @@ -64,10 +100,13 @@ jobs:
id: build-docker-image
with:
app-env: staging
env:
NUXT_REDIS_URL: ${{ env.NUXT_REDIS_URL }}
dockerfile: ${{ steps.config.outputs.dockerfile }}
image-name: ${{ steps.config.outputs.image_name }}
build-args: ${{ inputs.service == 'frontend' && format('NUXT_REDIS_URL={0}', env.NUXT_REDIS_URL) || '' }}
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NUXT_REDIS_URL is being passed into the Docker build as a build-arg. Since frontend/Dockerfile exports it as an ENV during the build, this value (often including credentials) can be baked into image layers/build output and be recoverable from the image. Prefer injecting Redis configuration at runtime (Kubernetes env/config) rather than at build time, or ensure the build does not persist secrets into the resulting image.

Suggested change
build-args: ${{ inputs.service == 'frontend' && format('NUXT_REDIS_URL={0}', env.NUXT_REDIS_URL) || '' }}
build-args: ''

Copilot uses AI. Check for mistakes.
Copy link
Collaborator

@emlimlf emlimlf Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here


- name: Update Deployment Image
run: |
kubectl set image deployment/insights-app-dpl frontend=${{ steps.build-docker-image.outputs.image }} -n insights
kubectl rollout status deployment/insights-app-dpl -n insights --timeout=300s
kubectl set image deployment/${{ steps.config.outputs.k8s_deployment }} \
${{ steps.config.outputs.k8s_container }}=${{ steps.build-docker-image.outputs.image }} \
-n insights
kubectl rollout status deployment/${{ steps.config.outputs.k8s_deployment }} -n insights --timeout=300s
2 changes: 1 addition & 1 deletion ...ile.package_downloads_worker.dockerignore → ...al/package_downloads_worker/.dockerignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,4 +15,4 @@ scripts/
.flake8
*.md
Makefile
backend/
backend/
0 ...r/src/Dockerfile.package_downloads_worker → ...poral/package_downloads_worker/Dockerfile
View file
Open in desktop
File renamed without changes.
Loading