Release r-0447 (v1.15.1) #74
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: deploy-production | |
| concurrency: | |
| group: deploy-production | |
| cancel-in-progress: true | |
| on: | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| deploy-production: | |
| runs-on: ubuntu-latest | |
| environment: production | |
| env: | |
| IS_CI_AUTOMATION: "yes" | |
| steps: | |
| - name: Download deployment artifact | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: deployment.json | |
| - name: Extract deployment values | |
| id: deployment-data | |
| run: | | |
| echo "ecr-tag=$(jq .ecr_tag < deployment.json)" >> $GITHUB_OUTPUT | |
| echo "semver=$(jq .version < deployment.json)" >> $GITHUB_OUTPUT | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-central-1 | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| mask-password: "true" | |
| - name: Retag docker image | |
| id: retag-image | |
| run: | | |
| # Pull the image we want to deploy; its tag is the git commit hash that caused it to exist | |
| SOURCE_TAG="${{ steps.deployment-data.outputs.ecr-tag }}" | |
| docker pull $SOURCE_TAG | |
| # Get the URL for the image, replacing the tag for the semantic version | |
| IMAGE_BASE=$(echo $SOURCE_TAG | cut -d: -f1) | |
| SEMVER="v${{ steps.deployment-data.outputs.semver }}" | |
| TARGET_TAG="$IMAGE_BASE:$SEMVER" | |
| docker tag $SOURCE_TAG $TARGET_TAG | |
| # Push the new image | |
| docker push $TARGET_TAG | |
| # Output the target tag | |
| echo "target-tag=$TARGET_TAG" >> $GITHUB_OUTPUT | |
| - name: Download Pulumi artifact | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: pulumi.tbz | |
| - name: Decompress Pulumi code | |
| shell: bash | |
| run: | | |
| tar -xvf pulumi.tbz | |
| - name: Set up Python ${{ vars.PYTHON_VERSION}} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ vars.PYTHON_VERSION}} | |
| # Build the Pulumi venv on THIS runner. Older pulumi.tbz artifacts shipped | |
| # a venv built on the stage runner, whose bin/python was an absolute | |
| # symlink into /opt/hostedtoolcache/Python/<patch>/... — that path doesn't | |
| # exist on the prod runner whenever the cached patch version differs, and | |
| # pulumi blows up trying to call venv/bin/python. We now exclude the venv | |
| # from the artifact (see merge.yml) and rebuild here. The `rm -rf venv` | |
| # handles already-published drafts whose artifact still contains the | |
| # stage-runner venv. | |
| - name: Rebuild Pulumi venv on prod runner | |
| shell: bash | |
| run: | | |
| cd pulumi | |
| rm -rf venv | |
| python -m pip install virtualenv | |
| virtualenv ./venv | |
| source ./venv/bin/activate | |
| pip install -Ur requirements.txt | |
| - name: Install Pulumi | |
| shell: bash | |
| run: | | |
| curl -fsSL https://get.pulumi.com | sh | |
| - name: Deploy version-tagged image to prod | |
| shell: bash | |
| env: | |
| PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} | |
| run: | | |
| # Update the PATH to include the right version of Pulumi; this is non-trivial or impossible | |
| # to do with the GHA workflow "env" settings. | |
| export PATH="/home/runner/.pulumi/bin:$PATH" | |
| # Pull the versioned tag from the previous step | |
| target_tag="${{ steps.retag-image.outputs.target-tag }}" | |
| # Create a YAML config stump containing only the nested tree leading to the image tag update | |
| cd pulumi | |
| cat << EOF > newimage.yaml | |
| .accounts_image: &ACCOUNTS_IMAGE "$target_tag" | |
| EOF | |
| # Use yq to merge the stump into the main config | |
| yq -i '. *= load("newimage.yaml")' config.prod.yaml | |
| export PULUMI_CONFIG_PASSPHRASE='${{ secrets.PULUMI_PASSPHRASE }}' | |
| # Set up the Pulumi environment and update the service | |
| pulumi login | |
| pulumi stack select thunderbird/prod | |
| TBPULUMI_DISABLE_PROTECTION=True \ | |
| pulumi up -y --diff \ | |
| --target 'urn:pulumi:prod::accounts::tb:fargate:FargateClusterWithLogging$aws:ecs/taskDefinition:TaskDefinition::accounts-prod-fargate-accounts-taskdef' \ | |
| --target 'urn:pulumi:prod::accounts::aws:ecs/taskDefinition:TaskDefinition::accounts-prod-afc-accounts-taskdef-celery-prod' \ | |
| --target 'urn:pulumi:prod::accounts::aws:ecs/taskDefinition:TaskDefinition::accounts-prod-afc-accounts-taskdef-flower-prod' \ | |
| --target-dependents |