docs: add deployment guide covering local dev and production K8s setup #4170
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| name: CI | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - release/** | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - ready_for_review | |
| - labeled | |
| - unlabeled | |
| push: | |
| branches: | |
| - main | |
| release: | |
| types: | |
| - released # A release was published, or a pre-release was changed to a release. | |
| env: | |
| active_network: 'stokenet' | |
| active_public_network_id: '2' | |
| active_public_log_level: 'debug' | |
| release_network: 'mainnet' | |
| release_public_network_id: '1' | |
| release_public_log_level: 'info' | |
| jenkins_job_name: 'kubernetes-deployments/job/radquest' | |
| helm_dir: 'deploy/helm' | |
| dev_eks_cluster: 'rdx-works-main-dev' | |
| prod_eks_cluster: 'rtlj-prod' | |
| permissions: | |
| id-token: write | |
| pull-requests: write | |
| contents: read | |
| deployments: write | |
| packages: write | |
| jobs: | |
| phylum_analyze: | |
| if: ${{ github.event.pull_request }} | |
| permissions: | |
| id-token: write | |
| pull-requests: write | |
| contents: read | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main | |
| secrets: | |
| phylum_api_key: ${{ secrets.PHYLUM_API_KEY }} | |
| with: | |
| phylum_pr_number: ${{ github.event.number }} | |
| phylum_pr_name: ${{ github.head_ref }} | |
| phylum_group_name: dApp-engineering | |
| phylum_project_id: 44ea0438-4c65-465c-8f6c-9ecd56011ad3 | |
| github_repository: ${{ github.repository }} | |
| add_report_comment_to_pull_request: true | |
| setup-tags: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| with: | |
| fetch-depth: 0 | |
| - name: Docker tags for dapp | |
| id: dapp-tags | |
| uses: RDXWorks-actions/metadata-action@master | |
| with: | |
| images: | | |
| docker.io/radixdlt/radquest-dapp | |
| tags: | | |
| type=sha,event=pr | |
| type=sha,event=branch | |
| type=semver,pattern={{version}} | |
| - name: Docker tags for swap | |
| id: swap-tags | |
| uses: RDXWorks-actions/metadata-action@master | |
| with: | |
| images: | | |
| docker.io/radixdlt/radquest-swap | |
| tags: | | |
| type=sha,event=pr | |
| type=sha,event=branch | |
| type=semver,pattern={{version}} | |
| - name: Docker tags for admin | |
| id: admin-tags | |
| uses: RDXWorks-actions/metadata-action@master | |
| with: | |
| images: | | |
| docker.io/radixdlt/radquest-admin | |
| tags: | | |
| type=sha,event=pr | |
| type=sha,event=branch | |
| type=semver,pattern={{version}} | |
| - name: Docker tags for notification | |
| id: notification-tags | |
| uses: RDXWorks-actions/metadata-action@master | |
| with: | |
| images: | | |
| docker.io/radixdlt/radquest-notification | |
| tags: | | |
| type=sha,event=pr | |
| type=sha,event=branch | |
| type=semver,pattern={{version}} | |
| - name: Docker tags for transaction | |
| id: transaction-stream-tags | |
| uses: RDXWorks-actions/metadata-action@master | |
| with: | |
| images: | | |
| docker.io/radixdlt/radquest-transaction-stream | |
| tags: | | |
| type=sha,event=pr | |
| type=sha,event=branch | |
| type=semver,pattern={{version}} | |
| - name: Docker tags for worker | |
| id: worker-tags | |
| uses: RDXWorks-actions/metadata-action@master | |
| with: | |
| images: | | |
| docker.io/radixdlt/radquest-worker | |
| tags: | | |
| type=sha,event=pr | |
| type=sha,event=branch | |
| type=semver,pattern={{version}} | |
| - name: Define network name | |
| id: build-args | |
| run: | | |
| if [ "${{ github.event.action }}" = "released" ]; then | |
| echo "NETWORK_NAME=${{ env.release_network }}" >> $GITHUB_ENV | |
| echo "PUBLIC_NETWORK_ID=${{ env.release_public_network_id }}" >> $GITHUB_OUTPUT | |
| echo "PUBLIC_LOG_LEVEL=${{ env.release_public_log_level }}" >> $GITHUB_OUTPUT | |
| elif [ "${{ github.ref }}" = "refs/heads/main" -a "${{ github.event_name }}" = 'push' ] || [ "${{ github.event_name }}" = "pull_request" ]; then | |
| echo "NETWORK_NAME=${{ env.active_network }}" >> $GITHUB_ENV | |
| echo "PUBLIC_NETWORK_ID=${{ env.active_public_network_id }}" >> $GITHUB_OUTPUT | |
| echo "PUBLIC_LOG_LEVEL=${{ env.active_public_log_level }}" >> $GITHUB_OUTPUT | |
| fi | |
| - id: network | |
| run: | | |
| echo "network-name=${{ env.NETWORK_NAME }}" >> $GITHUB_OUTPUT | |
| - id: tag-with-network | |
| run: | | |
| echo "tag-with-network=${{github.sha}}-${{ env.NETWORK_NAME }}" >> $GITHUB_OUTPUT | |
| - run: | | |
| echo "$GITHUB_OUTPUT" | |
| - name: Output tag value to job summary | |
| run: | | |
| echo "network-name=${{ steps.network.outputs.network-name }}" >> $GITHUB_STEP_SUMMARY | |
| echo "docker-tag=${{ steps.tag-with-network.outputs.tag-with-network }}" >> $GITHUB_STEP_SUMMARY | |
| echo "PUBLIC_NETWORK_ID=${{ steps.build-args.outputs.PUBLIC_NETWORK_ID }}" >> $GITHUB_STEP_SUMMARY | |
| echo "PUBLIC_LOG_LEVEL=${{ steps.build-args.outputs.PUBLIC_LOG_LEVEL }}" >> $GITHUB_STEP_SUMMARY | |
| outputs: | |
| dapp-tags: ${{ steps.dapp-tags.outputs.tags }} | |
| dapp-labels: ${{ steps.dapp-tags.outputs.labels }} | |
| dapp-json: ${{ steps.dapp-tags.outputs.json }} | |
| swap-tags: ${{ steps.swap-tags.outputs.tags }} | |
| swap-labels: ${{ steps.swap-tags.outputs.labels }} | |
| swap-json: ${{ steps.swap-tags.outputs.json }} | |
| admin-tags: ${{ steps.admin-tags.outputs.tags }} | |
| admin-labels: ${{ steps.admin-tags.outputs.labels }} | |
| admin-json: ${{ steps.admin-tags.outputs.json }} | |
| notification-tags: ${{ steps.notification-tags.outputs.tags }} | |
| notification-labels: ${{ steps.notification-tags.outputs.labels }} | |
| notification-json: ${{ steps.notification-tags.outputs.json }} | |
| transaction-stream-tags: ${{ steps.transaction-stream-tags.outputs.tags }} | |
| transaction-stream-labels: ${{ steps.transaction-stream-tags.outputs.labels }} | |
| transaction-stream-json: ${{ steps.transaction-stream-tags.outputs.json }} | |
| worker-tags: ${{ steps.worker-tags.outputs.tags }} | |
| worker-labels: ${{ steps.worker-tags.outputs.labels }} | |
| worker-json: ${{ steps.worker-tags.outputs.json }} | |
| tag-with-network: ${{steps.tag-with-network.outputs.tag-with-network}} | |
| network-name: ${{steps.network.outputs.network-name}} | |
| public-network-id: ${{steps.build-args.outputs.PUBLIC_NETWORK_ID}} | |
| public-log-level: ${{steps.build-args.outputs.PUBLIC_LOG_LEVEL}} | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - setup-tags | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| with: | |
| fetch-depth: 0 | |
| - name: Cache Node.js modules | |
| uses: RDXWorks-actions/cache@main | |
| with: | |
| path: | | |
| node_modules | |
| ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| - name: Get changed svelte files | |
| id: changed-svelte-files | |
| uses: RDXWorks-actions/changed-files@main | |
| with: | |
| files: './apps/dapp/src/lib/components/**/*.svelte' | |
| - name: Use Node.js | |
| uses: RDXWorks-actions/setup-node@main | |
| with: | |
| node-version: '20.3.0' | |
| - name: Install dependencies | |
| run: npm install | |
| - name: Build | |
| run: npm run build:ci | |
| - name: tsc | |
| run: npm run tsc | |
| - name: Unit tests | |
| run: npm run test:ci | |
| - name: Lint | |
| run: npm run lint | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radquest-secrets-read-access' | |
| app_name: 'radquest' | |
| step_name: 'build' | |
| secret_prefix: 'GH' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radquest/chromatic-mj1QEZ' | |
| parse_json: true | |
| - name: Publish to Chromatic | |
| if: ${{ steps.changed-svelte-files.outputs.all_changed_files }} | |
| uses: chromaui/action@05a82adb1e6919df177f54777e81a2ef3e312323 # v10.6.1 | |
| with: | |
| projectToken: ${{ env.GH_CHROMATIC_PROJECT_TOKEN }} | |
| autoAcceptChanges: 'main' | |
| buildScriptName: 'build:storybook' | |
| workingDir: apps/dapp | |
| push-dapp: | |
| name: Docker dapp | |
| needs: | |
| - setup-tags | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
| with: | |
| runs_on: ubuntu-latest | |
| image_registry: 'docker.io' | |
| image_organization: 'radixdlt' | |
| target: 'application' | |
| image_name: 'radquest-dapp' | |
| tag: ${{ needs.setup-tags.outputs.tag-with-network }} | |
| context: '.' | |
| dockerfile: './dockerfiles/dapp.Dockerfile' | |
| platforms: 'linux/amd64' | |
| use_gh_remote_cache: true | |
| scan_image: false | |
| provenance: false | |
| with_sbom: false | |
| build-args: | | |
| NETWORK_NAME=${{ needs.setup-tags.outputs.network-name }} | |
| PUBLIC_NETWORK_ID=${{ needs.setup-tags.outputs.public-network-id }} | |
| PUBLIC_LOG_LEVEL=${{ needs.setup-tags.outputs.public-log-level }} | |
| push-swap: | |
| name: Docker swap | |
| needs: | |
| - setup-tags | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
| with: | |
| runs_on: ubuntu-latest | |
| image_registry: 'docker.io' | |
| image_organization: 'radixdlt' | |
| target: 'application' | |
| image_name: 'radquest-swap' | |
| tag: ${{ needs.setup-tags.outputs.tag-with-network }} | |
| context: '.' | |
| dockerfile: './dockerfiles/jetty-swap.Dockerfile' | |
| platforms: 'linux/amd64' | |
| use_gh_remote_cache: true | |
| scan_image: false | |
| provenance: false | |
| with_sbom: false | |
| build-args: | | |
| PUBLIC_NETWORK_ID=${{ needs.setup-tags.outputs.public-network-id }} | |
| PUBLIC_LOG_LEVEL=${{ needs.setup-tags.outputs.public-log-level }} | |
| push-admin: | |
| name: Docker admin | |
| needs: | |
| - setup-tags | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
| with: | |
| runs_on: ubuntu-latest | |
| image_registry: 'docker.io' | |
| image_organization: 'radixdlt' | |
| target: 'application' | |
| image_name: 'radquest-admin' | |
| tag: ${{ needs.setup-tags.outputs.tag-with-network }} | |
| context: '.' | |
| dockerfile: './dockerfiles/admin.Dockerfile' | |
| platforms: 'linux/amd64' | |
| use_gh_remote_cache: true | |
| scan_image: false | |
| provenance: false | |
| with_sbom: false | |
| build-args: | | |
| PUBLIC_NETWORK_ID=${{ needs.setup-tags.outputs.public-network-id }} | |
| PUBLIC_LOG_LEVEL=${{ needs.setup-tags.outputs.public-log-level }} | |
| push-notification: | |
| name: Docker notification | |
| needs: | |
| - setup-tags | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
| with: | |
| runs_on: ubuntu-latest | |
| image_registry: 'docker.io' | |
| image_organization: 'radixdlt' | |
| target: 'application' | |
| image_name: 'radquest-notification' | |
| tag: ${{ needs.setup-tags.outputs.tag-with-network }} | |
| context: '.' | |
| dockerfile: './dockerfiles/notification.Dockerfile' | |
| platforms: 'linux/amd64' | |
| use_gh_remote_cache: true | |
| scan_image: false | |
| provenance: false | |
| with_sbom: false | |
| push-transaction-stream: | |
| name: Docker transaction-stream | |
| needs: | |
| - setup-tags | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
| with: | |
| runs_on: ubuntu-latest | |
| image_registry: 'docker.io' | |
| image_organization: 'radixdlt' | |
| target: 'application' | |
| image_name: 'radquest-transaction-stream' | |
| tag: ${{ needs.setup-tags.outputs.tag-with-network }} | |
| context: '.' | |
| dockerfile: './dockerfiles/transaction-stream.Dockerfile' | |
| platforms: 'linux/amd64' | |
| use_gh_remote_cache: true | |
| scan_image: false | |
| provenance: false | |
| with_sbom: false | |
| push-worker: | |
| name: Docker worker | |
| needs: | |
| - setup-tags | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
| with: | |
| runs_on: ubuntu-latest | |
| image_registry: 'docker.io' | |
| image_organization: 'radixdlt' | |
| target: 'application' | |
| image_name: 'radquest-worker' | |
| tag: ${{ needs.setup-tags.outputs.tag-with-network }} | |
| context: '.' | |
| dockerfile: './dockerfiles/workers.Dockerfile' | |
| platforms: 'linux/amd64' | |
| use_gh_remote_cache: true | |
| scan_image: false | |
| provenance: false | |
| with_sbom: false | |
| deploy_pull_request: | |
| if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy-pr') }} | |
| name: Deploy PR | |
| needs: | |
| - push-dapp | |
| - push-swap | |
| - push-admin | |
| - push-notification | |
| - push-transaction-stream | |
| - push-worker | |
| - setup-tags | |
| concurrency: | |
| group: ${{ github.head_ref }} | |
| cancel-in-progress: false | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
| with: | |
| jenkins_job_name: 'kubernetes-deployments/job/radquest' | |
| github_branch: '${{ github.head_ref }}' | |
| application_name: 'radquest' | |
| hierarchical_namespace: 'radquest-ci-pr' | |
| create_subnamespace: 'true' | |
| kubernetes_namespace: 'radquest-pr-${{ github.event.number }}' | |
| aws_eks_cluster: 'rdx-works-main-dev' | |
| aws_iam_role_name: 'jenkins-radquest-pr-deployer' | |
| helmfile_environment: 'pr' | |
| helmfile_extra_vars: 'ci.tag=${{ needs.setup-tags.outputs.tag-with-network }},ci.prNumber=${{ github.event.number }}' | |
| secrets: | |
| aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }} | |
| secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} | |
| deploy_dev: | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| name: Deploy DEV | |
| needs: | |
| - push-dapp | |
| - push-swap | |
| - push-admin | |
| - push-notification | |
| - push-transaction-stream | |
| - push-worker | |
| - setup-tags | |
| concurrency: | |
| group: ${{ github.ref }} | |
| cancel-in-progress: false | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
| with: | |
| github_environment: 'dev' | |
| github_branch: '${{ github.ref }}' | |
| jenkins_job_name: 'kubernetes-deployments/job/radquest' | |
| application_name: 'radquest' | |
| kubernetes_namespace: 'radquest-dev' | |
| aws_eks_cluster: 'rdx-works-main-dev' | |
| aws_iam_role_name: 'jenkins-radquest-dev-deployer' | |
| helmfile_environment: 'dev' | |
| helmfile_extra_vars: 'ci.tag=${{ needs.setup-tags.outputs.tag-with-network }}' | |
| secrets: | |
| aws_deployment_account_id: ${{ secrets.AWS_DEV_ACCOUNT_ID }} | |
| secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} | |
| deploy_mainnet: | |
| if: github.event_name == 'release' && github.event.action == 'released' | |
| name: Deploy MAINNET | |
| needs: | |
| - push-dapp | |
| - push-swap | |
| - push-admin | |
| - push-notification | |
| - push-transaction-stream | |
| - push-worker | |
| - setup-tags | |
| concurrency: | |
| group: ${{ github.event_name }} | |
| cancel-in-progress: false | |
| uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/jenkins-deployment.yml@main | |
| with: | |
| github_environment: 'mainnet' | |
| github_branch: '${{ github.ref }}' | |
| jenkins_job_name: 'kubernetes-deployments/job/radquest' | |
| application_name: 'radquest' | |
| kubernetes_namespace: 'radquest-mainnet' | |
| aws_eks_cluster: 'rtlj-prod' | |
| aws_iam_role_name: 'jenkins-radquest-mainnet-deployer' | |
| helmfile_environment: 'mainnet' | |
| helmfile_extra_vars: 'ci.tag=${{ needs.setup-tags.outputs.tag-with-network }}' | |
| secrets: | |
| secrets_account_id: ${{ secrets.SECRETS_ACCOUNT_ID }} | |
| aws_deployment_account_id: ${{ secrets.AWS_PROD_ACCOUNT_ID }} | |
| purge_cloudflare_cache: | |
| if: github.event_name == 'release' && github.event.action == 'released' | |
| runs-on: ubuntu-latest | |
| needs: | |
| - deploy_mainnet | |
| steps: | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: 'arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-radquest-secrets-read-access' | |
| app_name: 'radquest' | |
| step_name: 'purge' | |
| secret_prefix: 'GH' | |
| secret_name: 'arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/radixdlt/radquest/cloudflare-token-DMvTqH' | |
| parse_json: true | |
| - name: Purge Cloudflare Cache | |
| uses: RDXWorks-actions/actions-cloudflare-purge@master | |
| with: | |
| cf_zone: ${{ env.GH_RADQUEST_CLOUDFLARE_ZONE }} | |
| cf_auth: ${{ env.GH_RADQUEST_CLOUDFLARE_AUTH_KEY }} | |
| hosts: | | |
| radquest.io | |
| commitlint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| with: | |
| fetch-depth: 0 | |
| - name: Install dependencies | |
| run: npm install | |
| - name: Validate PR commits with commitlint | |
| if: github.event_name == 'pull_request' | |
| run: npx commitlint --from ${{ github.event.pull_request.head.sha }}~${{ github.event.pull_request.commits }} --to ${{ github.event.pull_request.head.sha }} --verbose |
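Review bot: The workflow-level `permissions` block (`id-token: write`, `pull-requests: write`, `deployments: write`, `packages: write`) is inherited by every job that does not declare its own, so `setup-tags` and `commitlint` run with a write-capable token and the ability to request an OIDC token, although the steps shown for them only check out code, compute tags and lint commits. `commitlint` and `build` also run `npm install`, which executes dependency lifecycle scripts against the `package.json` of the branch under review, so I would reduce the top-level default to `permissions:` / `contents: read` and grant the write scopes per job where they are needed, as `phylum_analyze` already does with its job-level block. Related hardening: every `uses:` except the `chromaui/action` line points at a mutable `@main` or `@master` ref, including the reusable workflows that receive `secrets.*`; pinning those to a full commit SHA with a version comment, the way the Chromatic step is pinned, keeps a moved branch from changing what runs with those credentials. The rendering does not show which of these lines the pull request changed, so this is a review of the file as displayed.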