-
Notifications
You must be signed in to change notification settings - Fork 0
130 lines (111 loc) · 3.83 KB
/
deploy.yml
File metadata and controls
130 lines (111 loc) · 3.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: Deploy
on:
workflow_run:
workflows: ["CI"]
types: [completed]
branches: [main]
workflow_dispatch:
permissions:
contents: read
jobs:
deploy-infra:
name: Deploy ${{ matrix.app }}
runs-on: ubuntu-latest
timeout-minutes: 30
if: >-
${{
(github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') ||
(github.event_name == 'workflow_run' && github.event.workflow_run.head_branch == 'main' && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.repository)
}}
concurrency:
group: fly-${{ matrix.app }}
cancel-in-progress: true
permissions:
contents: read
environment:
name: production
strategy:
fail-fast: false
matrix:
include:
- app: relay
config: fly.relay.toml
workdir: "."
token_secret: FLY_API_TOKEN_RELAY
- app: blossom
config: fly.blossom.toml
workdir: "."
token_secret: FLY_API_TOKEN_BLOSSOM
- app: tlsn-verifier
config: fly.toml
workdir: crates/tlsn-server
token_secret: FLY_API_TOKEN_VERIFIER
steps:
- name: Harden runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Flyctl
uses: superfly/flyctl-actions/setup-flyctl@ed8efb33836e8b2096c7fd3ba1c8afe303ebbff1 # master
- name: Deploy ${{ matrix.app }}
working-directory: ${{ matrix.workdir }}
run: flyctl deploy --remote-only --config ${{ matrix.config }}
env:
FLY_API_TOKEN: ${{ secrets[matrix.token_secret] }}
deploy-app:
name: Deploy Anchr App
needs: deploy-infra
runs-on: ubuntu-latest
timeout-minutes: 30
concurrency:
group: fly-app
cancel-in-progress: true
permissions:
contents: read
environment:
name: production
steps:
- name: Harden runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Flyctl
uses: superfly/flyctl-actions/setup-flyctl@ed8efb33836e8b2096c7fd3ba1c8afe303ebbff1 # master
- name: Deploy
run: flyctl deploy --remote-only --config fly.toml
env:
FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN_APP }}
deploy-worker:
name: Deploy Auto-Worker
needs: deploy-app
runs-on: ubuntu-latest
timeout-minutes: 30
concurrency:
group: fly-worker
cancel-in-progress: true
permissions:
contents: read
environment:
name: production
steps:
- name: Harden runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Flyctl
uses: superfly/flyctl-actions/setup-flyctl@ed8efb33836e8b2096c7fd3ba1c8afe303ebbff1 # master
- name: Deploy
run: flyctl deploy --remote-only --config fly.worker.toml
env:
FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN_WORKER }}
# deploy-market lives in its own workflow now — see
# .github/workflows/deploy-market.yml. The example apps deploy on their
# own cadence so a market UI tweak doesn't trigger an infra rollout
# (and vice versa). Future examples follow the same pattern:
# deploy-<example>.yml with path filtering.