cleanup and adjust pg secret for BW #2899
Workflow file for this run
# Offline Build Workflow
#
# This workflow builds offline deployment artifacts for different profiles:
# - default: Production deployment (includes external charts, ansible, terraform)
# - build-wiab-staging: Wire-in-a-box (wiab-stag), a production-like deployment (includes external charts, ansible, terraform)
# - wiab-dev: Wire-in-a-box dev deployment (includes databases-ephemeral)
# - min: Minimal deployment
#
# Build Optimization via PR Labels:
# - No label: No builds run (must add label to trigger builds)
# - 'build-default': Builds only default profile
# - 'build-dev': Builds only demo profile
# - 'build-wiab-staging': Builds only wiab-staging profile
# - 'build-min': Builds only min profile
# - 'build-all': Explicitly builds all profiles (useful for workflow changes)
#
# Push to master/develop: Always builds all profiles regardless of labels
#
# Triggers. Most jobs in this workflow add their own `if:` gate (push to
# master or a build-* PR label), so a triggered run may execute no job.
on:
  pull_request:
    # `opened` is not listed: a pull request is picked up when a label is
    # applied (`labeled`), when it is reopened, and on every later push to
    # its branch (`synchronize`).
    types:
      - synchronize
      - reopened
      - labeled
    branches:
      - '**'
    # Markdown-only changes do not trigger the workflow.
    paths-ignore:
      - '*.md'
      - '**/*.md'
  push:
    branches:
      - '**'
    tags:
      - 'v*'
    # Markdown-only changes do not trigger the workflow.
    paths-ignore:
      - '*.md'
      - '**/*.md'
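# Least privilege for the automatically provided GITHUB_TOKEN: no step below
# references the token explicitly and actions/checkout only needs to read
# the repository. Widen per job if a step turns out to need more.
permissions:
  contents: read

# NOTE(review): every `uses:` below references a mutable tag (for example
# actions/checkout@v2). Pinning actions to a full commit SHA keeps a moved
# tag from running different code with this workflow's secrets in scope.
#
# NOTE(review): the gated jobs test `github.ref == 'refs/heads/master'` only.
# The file header mentions master/develop; pushes to develop, to any other
# branch and to v* tags start a run in which these conditions are false.
#
# NOTE(review): pull requests are gated by labels, and `synchronize` re-runs
# the labelled jobs for every later commit while the label stays on the PR.
# If the `wire-server-deploy` runner group is self-hosted, consider requiring
# a fresh approval (or dropping the label) when new commits arrive.
jobs:
  # Build default profile and create local assets.
  # Also selected by the 'build-wiab-staging' label, because
  # verify-wiab-staging declares `needs: build-default`.
  build-default:
    name: Build default profile
    if: |
      (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
      contains(github.event.pull_request.labels.*.name, 'build-all') ||
      contains(github.event.pull_request.labels.*.name, 'build-default') ||
      contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
    runs-on:
      group: wire-server-deploy
    outputs:
      # Commit SHA used to name the uploaded artifacts; read by build-container.
      upload_name: '${{ steps.upload_name.outputs.UPLOAD_NAME }}'
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true
      - uses: cachix/install-nix-action@v27
      - uses: cachix/cachix-action@v15
        with:
          name: wire-server
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
      - name: Install nix environment
        run: nix-env -f default.nix -iA env
      - name: Get upload name
        id: upload_name
        # The output file path is quoted so a path with spaces cannot split.
        run: echo "UPLOAD_NAME=$GITHUB_SHA" >> "$GITHUB_OUTPUT"
      # default profile build
      - name: Process the default profile build
        run: ./offline/default-build/build.sh
        env:
          # Scoped to this step only; build.sh and every process it starts
          # can read both values.
          GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
          DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
      - name: Copy default build assets tarball to S3
        run: |
          aws s3 cp offline/default-build/output/assets.tgz "s3://public.wire.com/artifacts/wire-server-deploy-static-${UPLOAD_NAME}.tgz"
          echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-${UPLOAD_NAME}.tgz"
        env:
          # Handed over as an environment variable so the expression result
          # is treated as data and never spliced into the script text.
          UPLOAD_NAME: '${{ steps.upload_name.outputs.UPLOAD_NAME }}'
          # NOTE(review): long-lived static keys. Short-lived credentials
          # obtained through GitHub OIDC federation would limit the impact
          # of a leaked secret.
          AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
          AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
          AWS_REGION: 'eu-west-1'

  # Deploy the default profile to Hetzner and tear it down again.
  verify-default:
    name: Verify default profile
    needs: build-default
    if: |
      (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
      contains(github.event.pull_request.labels.*.name, 'build-all') ||
      contains(github.event.pull_request.labels.*.name, 'build-default')
    runs-on:
      group: wire-server-deploy
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true
      - uses: cachix/install-nix-action@v27
      - uses: cachix/cachix-action@v15
        with:
          name: wire-server
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
      - name: Install nix environment
        run: nix-env -f default.nix -iA env
      - name: Install terraform
        uses: hashicorp/setup-terraform@v3
        with:
          # A version range, not an exact pin: the resolved release can
          # change between runs.
          terraform_version: '^1.3.7'
          terraform_wrapper: false
      - name: Deploy offline environment to hetzner
        run: ./offline/cd.sh
        env:
          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
      - name: Clean up hetzner environment; just in case
        # always(): the teardown runs whether or not the deploy step
        # succeeded, so test servers are not left running.
        if: always()
        run: (cd terraform/examples/wire-server-deploy-offline-hetzner ; terraform init && terraform destroy -auto-approve)
        env:
          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'

  # verify wiab-staging profile
  verify-wiab-staging:
    name: Verify wiab staging profile
    needs: build-default
    if: |
      (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
      contains(github.event.pull_request.labels.*.name, 'build-all') ||
      contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
    runs-on:
      group: wire-server-deploy
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true
      - uses: cachix/install-nix-action@v27
      - uses: cachix/cachix-action@v15
        with:
          name: wire-server
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
      - name: Install nix environment
        run: nix-env -f default.nix -iA env
      - name: Install terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: '^1.3.7'
          terraform_wrapper: false
      - name: Deploy offline wiab-staging environment to hetzner
        run: ./offline/cd_staging.sh
        env:
          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
      - name: Clean up hetzner wiab-staging environment; just in case
        # Teardown runs regardless of the deploy step's result.
        if: always()
        run: (cd terraform/examples/wiab-staging-hetzner ; terraform init && terraform destroy -auto-approve)
        env:
          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'

  # Build container in parallel.
  # This job has no `if:` of its own; it depends on build-default through
  # `needs:` and tags the image with that job's upload_name output.
  build-container:
    name: Build container
    needs: build-default
    runs-on:
      group: wire-server-deploy
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true
      - uses: cachix/install-nix-action@v27
      - uses: cachix/cachix-action@v15
        with:
          name: wire-server
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
      - name: Build and upload wire-server-deploy container
        # NOTE(review): --dest-creds places the registry credential in the
        # skopeo process arguments. On a runner host shared with other
        # users, an auth file keeps it out of the process list.
        run: |
          container_image=$(nix-build --no-out-link -A container)
          skopeo copy --retry-times 10 --dest-creds "$DOCKER_LOGIN" \
            docker-archive:"$container_image" \
            "docker://quay.io/wire/wire-server-deploy:${UPLOAD_NAME}"
        env:
          # Image tag, passed as data instead of being expanded into the
          # script text.
          UPLOAD_NAME: '${{ needs.build-default.outputs.upload_name }}'
          DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'

  # Build demo profile, upload it, then deploy it to Hetzner and tear the
  # environment down again, all within one job.
  build-dev:
    name: Build demo profile
    if: |
      (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
      contains(github.event.pull_request.labels.*.name, 'build-all') ||
      contains(github.event.pull_request.labels.*.name, 'build-dev')
    runs-on:
      group: wire-server-deploy
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true
      - uses: cachix/install-nix-action@v27
      - uses: cachix/cachix-action@v15
        with:
          name: wire-server
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
      - name: Install nix environment
        run: nix-env -f default.nix -iA env
      - name: Get upload name
        id: upload_name
        run: echo "UPLOAD_NAME=$GITHUB_SHA" >> "$GITHUB_OUTPUT"
      - name: Process the demo profile build
        run: ./offline/demo-build/build.sh
        env:
          # Visible to build.sh and its child processes, to this step only.
          GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
          DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
      - name: Copy demo build assets tarball to S3
        run: |
          aws s3 cp offline/demo-build/output/assets.tgz "s3://public.wire.com/artifacts/wire-server-deploy-static-demo-${UPLOAD_NAME}.tgz"
          echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-demo-${UPLOAD_NAME}.tgz"
        env:
          # Expression result handed over as data, not as script text.
          UPLOAD_NAME: '${{ steps.upload_name.outputs.UPLOAD_NAME }}'
          AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
          AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
          AWS_REGION: 'eu-west-1'
      - name: Install terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: '^1.3.7'
          terraform_wrapper: false
      - name: Deploy offline demo-wiab environment to hetzner
        run: ./offline/cd_demo.sh
        env:
          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
      - name: Clean up hetzner wiab environment; just in case
        # Teardown runs regardless of the result of the earlier steps.
        if: always()
        run: (cd terraform/examples/wiab-demo-hetzner ; terraform init && terraform destroy -auto-approve)
        env:
          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
      - name: Cleanup demo build assets
        # No `if: always()` here: the output directory is removed only when
        # every earlier step succeeded.
        run: rm -rf offline/demo-build/output/

  # Build min profile and upload it; this job performs no deployment.
  build-min:
    name: Build min profile
    if: |
      (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
      contains(github.event.pull_request.labels.*.name, 'build-all') ||
      contains(github.event.pull_request.labels.*.name, 'build-min')
    runs-on:
      group: wire-server-deploy
    steps:
      - uses: actions/checkout@v2
        with:
          submodules: true
      - uses: cachix/install-nix-action@v27
      - uses: cachix/cachix-action@v15
        with:
          name: wire-server
          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
      - name: Install nix environment
        run: nix-env -f default.nix -iA env
      - name: Get upload name
        id: upload_name
        run: echo "UPLOAD_NAME=$GITHUB_SHA" >> "$GITHUB_OUTPUT"
      - name: Process the min profile build
        run: ./offline/min-build/build.sh
        env:
          # Visible to build.sh and its child processes, to this step only.
          GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
          DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
      - name: Copy min build assets tarball to S3
        run: |
          aws s3 cp offline/min-build/output/assets.tgz "s3://public.wire.com/artifacts/wire-server-deploy-static-min-${UPLOAD_NAME}.tgz"
          echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-min-${UPLOAD_NAME}.tgz"
        env:
          # Expression result handed over as data, not as script text.
          UPLOAD_NAME: '${{ steps.upload_name.outputs.UPLOAD_NAME }}'
          AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
          AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
          AWS_REGION: 'eu-west-1'
      - name: Cleanup min build assets
        # Runs only when every earlier step succeeded.
        run: rm -rf offline/min-build/output/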