blurts-server/.github/workflows/production_deploy.yml at main · mozilla/blurts-server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Monitor 1-click Deployment

permissions: {}

on:
  workflow_dispatch:
    inputs:
      environment:
        description: 'Environment to deploy to'
        required: true
        default: 'prod'
        type: choice
        options:
          - stage
          - prod
          - dev
      originalImageTag:
        description: 'The original image tag that has been deployed'
        required: true
        type: string
        pattern: '^[a-f0-9]{7,12}$'
jobs:
  pull_retag_push:
    name: Pull, Retag, and Push Images
    runs-on: ubuntu-latest
    environment: build
    permissions:
      contents: "read" # Needed for checkout
      id-token: "write" # Needed for GCP auth
      packages: "none" # Explicitly disable package permissions
    env:
      GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }}
      GAR_REGISTRY: us-docker.pkg.dev # Define GAR registry hostname
      DOCKERHUB_IMAGE: mozilla/blurts-server # Define Docker Hub image name
      SAFE_IMAGE_TAG: ${{ inputs.originalImageTag }}
      SAFE_ENVIRONMENT: ${{ inputs.environment }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Authenticate to Google Cloud
        id: gcp-auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
        with:
          token_format: access_token
          workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }}

      - name: Login to Artifact Registry
        id: gar-login
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ${{ env.GAR_REGISTRY }}
          username: oauth2accesstoken
          password: ${{ steps.gcp-auth.outputs.access_token }}

      - name: Pull GAR image
        run: docker pull "$GAR_IMAGE_BASE:$SAFE_IMAGE_TAG"

      - name: Retag GAR image
        run: docker tag "$GAR_IMAGE_BASE:$SAFE_IMAGE_TAG" "$GAR_IMAGE_BASE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"

      - name: Push GAR image
        run: docker push "$GAR_IMAGE_BASE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"