Add prod-me ArgoCD deployment with approval gate (#1519) #524
# CI/CD workflow: builds the das-web-react images and passes the resulting image
# tag to the local ArgoCD update/sync reusable workflows.
name: Build das-web-react

# Runs only on pushes to develop and to branches matching release-**.
on:
  push:
    branches:
      - develop
      - 'release-**'

# One active run per workflow and ref: a newer push to the same ref cancels the
# run already in progress, including one that is partway through its jobs.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-level GITHUB_TOKEN scopes, inherited by every job that does not
# declare its own. id-token: write allows a job to request an OIDC token, which
# the GCP Auth steps below use for workload identity federation.
# NOTE(review): only the jobs that authenticate to GCP visibly need id-token;
# consider granting it per job instead of workflow-wide.
permissions:
  actions: read
  contents: read
  id-token: write

jobs:
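# Job "config": stamps package.json with build metadata and computes the build args and image tag.
  config:
    runs-on: ubuntu-latest
    # Least privilege: this job only checks out the repository and uploads an
    # artifact, so it does not need the workflow-level id-token: write scope.
    permissions:
      contents: read
    outputs:
      build-args: ${{ steps.env-vars.outputs.build-args }}
      image-tag: ${{ steps.tag.outputs.value }}
    steps:
      # NOTE(review): actions here are referenced by mutable major-version tags;
      # pinning each to a full commit SHA prevents a retagged release from
      # changing what runs in this job.
      - uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 24
      # Branch names are chosen by whoever pushes the ref, so they are passed to
      # the shell through env instead of being expanded into the script text by
      # the ${{ }} template engine. Expanded inline, shell metacharacters in a
      # branch name would be interpreted by bash.
      - env:
          BUILD_BRANCH: ${{ github.head_ref || github.ref_name }}
          BUILD_NUM: ${{ github.run_number }}
        run: |
          npm pkg set "buildbranch"="${BUILD_BRANCH}"
          npm pkg set "buildnum"="${BUILD_NUM}"
      - name: Select env file for build
        id: env-vars
        run: |
          if [[ "${GITHUB_REF_NAME}" == "develop" ]]; then
            echo "build-args=ENV_FILE=.env.development" >> "$GITHUB_OUTPUT"
          else
            echo "build-args=ENV_FILE=.env.production" >> "$GITHUB_OUTPUT"
          fi
      # The tag is derived from the branch name and is later handed to the image
      # build and to the ArgoCD update jobs. release-** can match names containing
      # characters that are not legal in a Docker tag (for example "/"), so the
      # value is validated here and the run fails early rather than passing an
      # unexpected string downstream.
      - name: Image tag
        id: tag
        run: |
          tag="${GITHUB_REF_NAME}-${GITHUB_RUN_NUMBER}"
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [[ ! "$tag" =~ $tag_re ]]; then
            echo "::error::image tag '${tag}' is not a valid Docker tag"
            exit 1
          fi
          echo "value=${tag}" >> "$GITHUB_OUTPUT"
      # Publishes the stamped package.json so the build jobs use the same metadata.
      - uses: actions/upload-artifact@v4
        with:
          name: npm-config
          path: package.json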
# Job "build": builds Dockerfile.mt and pushes the image to both Artifact Registry repositories.
  build:
    needs: [config]
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every action in this job is referenced by a mutable
      # major-version tag. This job holds registry push credentials, so pinning
      # each action to a full commit SHA is worth the maintenance cost.
      - uses: actions/checkout@v4
      # Overwrites the checked-out package.json with the copy stamped by the config job.
      - uses: actions/download-artifact@v4
        with:
          name: npm-config
          path: .
      # Workload identity federation: exchanges the job's OIDC token for an
      # access token of the configured service account (no long-lived key).
      - name: GCP Auth
        id: auth
        uses: google-github-actions/auth@v2
        with:
          token_format: 'access_token'
          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ vars.SERVICE_ACCOUNT }}
      # The same access token is used to log in to both registries.
      - name: Login to serca-artifact-registry
        uses: docker/login-action@v3
        with:
          registry: europe-west3-docker.pkg.dev/serca-artifact-registry
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - name: Login to padas-app
        uses: docker/login-action@v3
        with:
          registry: europe-west3-docker.pkg.dev/padas-app
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      # BuildKit itself is pulled from the organisation's registry.
      # NOTE(review): buildx-stable-1 is a moving tag; a digest reference would
      # fix the builder image that handles the build context.
      - uses: docker/setup-buildx-action@v3
        with:
          driver-opts: |
            image=europe-west3-docker.pkg.dev/serca-artifact-registry/virtual-docker/moby/buildkit:buildx-stable-1
      # Produces the image names, with the tag computed by the config job, plus the labels.
      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            europe-west3-docker.pkg.dev/serca-artifact-registry/earthranger/das-web-react
            europe-west3-docker.pkg.dev/padas-app/er-mt/das-web-react
          tags: |
            type=raw,value=${{ needs.config.outputs.image-tag }}
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          context: .
          file: Dockerfile.mt
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: ${{ needs.config.outputs.build-args }}
          # Layer cache is stored in the GitHub Actions cache.
          cache-from: type=gha
          cache-to: type=gha,mode=max
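# Job "build-st": release branches only; builds Dockerfile.prod and pushes it to gcr.io.
  build-st:
    name: Build ST Image (GCR)
    needs: [config]
    if: startsWith(github.ref_name, 'release-')
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are referenced by mutable major-version tags;
      # consider pinning them to full commit SHAs.
      - uses: actions/checkout@v4
      # Overwrites the checked-out package.json with the copy stamped by the config job.
      - uses: actions/download-artifact@v4
        with:
          name: npm-config
          path: .
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 24
      - name: GCP Auth
        id: auth
        uses: google-github-actions/auth@v2
        with:
          token_format: 'access_token'
          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
          service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v2
      - name: Configure GCR Docker auth
        run: gcloud auth configure-docker
      # NOTE(review): dependency install and build run after the GCP credentials
      # are configured, so package lifecycle scripts execute on a runner that is
      # already authenticated. If the install does not need GCP access, running
      # these two steps before "GCP Auth" narrows that exposure; confirm first.
      - name: Install dependencies
        run: yarn install --immutable
      - name: Build
        run: CI=false yarn build
      # Replaces every character outside [/A-Za-z0-9_-] with "_" and lowercases
      # the result, so the branch name is safe to use as a registry path segment.
      - name: Sanitize branch name for GCR path
        id: gcr
        run: |
          BRANCH="${GITHUB_REF_NAME}"
          SANITIZED=$(echo "$BRANCH" | sed 's/[^/A-Za-z0-9_-]/_/g' | tr '[:upper:]' '[:lower:]')
          echo "path=gcr.io/padas-app/circleci/das-web-react/${SANITIZED}" >> "$GITHUB_OUTPUT"
      # The image path reaches the script through env and is quoted at every use,
      # instead of being expanded into the script text by the ${{ }} template
      # engine. The shell stays safe even if the sanitising step above changes.
      # NOTE(review): ":latest" is overwritten by every release build; consumers
      # that need a fixed image should use the commit SHA tag.
      - name: Build and push ST image
        env:
          IMAGE_PATH: ${{ steps.gcr.outputs.path }}
        run: |
          docker build -f Dockerfile.prod \
            -t "${IMAGE_PATH}:latest" \
            -t "${IMAGE_PATH}:${GITHUB_SHA}" \
            .
          docker push "${IMAGE_PATH}:latest"
          docker push "${IMAGE_PATH}:${GITHUB_SHA}"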
# Job "update-image-dev": develop only; calls the local _update-argo.yml reusable workflow for er-dev.
  update-image-dev:
    needs:
      - config
      - build
    if: github.ref_name == 'develop'
    uses: ./.github/workflows/_update-argo.yml
    with:
      app-name: das-web-react
      app-subdir: earthranger
      environment: er-dev
      # Tag computed by the config job from the branch name and run number.
      image-tag: ${{ needs.config.outputs.image-tag }}
    # The callee receives only this named secret (no `secrets: inherit`).
    secrets:
      ARGOCD_APPS_SSH_KEY: ${{ secrets.ARGOCD_APPS_SSH_KEY }}
# Job "sync-dev": develop only; calls the local _sync-argo.yml reusable workflow after the dev update.
  sync-dev:
    needs:
      - config
      - update-image-dev
    if: github.ref_name == 'develop'
    uses: ./.github/workflows/_sync-argo.yml
    with:
      app-name: das-web-react-er-dev
    # The callee receives only this named secret (no `secrets: inherit`).
    secrets:
      ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
# Job "update-image-stage": release branches only; calls _update-argo.yml for er-stage.
  update-image-stage:
    needs:
      - config
      - build
    if: startsWith(github.ref_name, 'release-')
    uses: ./.github/workflows/_update-argo.yml
    with:
      app-name: das-web-react
      app-subdir: earthranger
      environment: er-stage
      # Tag computed by the config job from the branch name and run number.
      image-tag: ${{ needs.config.outputs.image-tag }}
    # The callee receives only this named secret (no `secrets: inherit`).
    secrets:
      ARGOCD_APPS_SSH_KEY: ${{ secrets.ARGOCD_APPS_SSH_KEY }}
# Job "sync-stage": release branches only; calls _sync-argo.yml after the stage update.
  sync-stage:
    needs:
      - config
      - update-image-stage
    if: startsWith(github.ref_name, 'release-')
    uses: ./.github/workflows/_sync-argo.yml
    with:
      app-name: das-web-react-er-stage
    # The callee receives only this named secret (no `secrets: inherit`).
    secrets:
      ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
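# Job "approve-prod": approval gate that the production jobs depend on through `needs`.
  approve-prod:
    needs: [sync-stage]
    if: startsWith(github.ref_name, 'release-')
    runs-on: ubuntu-latest
    # The job pauses only if the "production-approval" environment has protection
    # rules (for example required reviewers) configured in the repository
    # settings. That configuration is not visible in this file; verify it.
    # NOTE(review): the production jobs reference secrets.ARGOCD_APPS_SSH_KEY and
    # secrets.ARGOCD_AUTH_TOKEN under the same names as the dev and stage jobs,
    # and none of those jobs declares this environment. If these are
    # repository-level secrets, the gate is enforced only by the job graph in
    # this file; environment-scoped production credentials would bind the
    # approval to the credentials themselves.
    environment: production-approval
    # Least privilege: the job only echoes a message, so it is given no
    # GITHUB_TOKEN scopes and does not inherit the workflow-level id-token: write.
    permissions: {}
    steps:
      - run: echo "Production deployment approved"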
# Job "update-image-prod-me": release branches only; calls _update-argo.yml for er-prod-me.
  update-image-prod-me:
    # Listing approve-prod here is what places this job behind the approval gate:
    # with no status function in `if`, the job is skipped unless every needed job succeeded.
    needs:
      - config
      - build
      - approve-prod
    if: startsWith(github.ref_name, 'release-')
    uses: ./.github/workflows/_update-argo.yml
    with:
      app-name: das-web-react
      app-subdir: earthranger
      environment: er-prod-me
      # Same tag that was deployed to stage earlier in this run.
      image-tag: ${{ needs.config.outputs.image-tag }}
    # The callee receives only this named secret (no `secrets: inherit`).
    secrets:
      ARGOCD_APPS_SSH_KEY: ${{ secrets.ARGOCD_APPS_SSH_KEY }}
# Job "sync-prod-me": release branches only; calls _sync-argo.yml after the prod-me update.
  sync-prod-me:
    # Gated indirectly: update-image-prod-me in turn needs approve-prod.
    needs:
      - config
      - update-image-prod-me
    if: startsWith(github.ref_name, 'release-')
    uses: ./.github/workflows/_sync-argo.yml
    with:
      app-name: das-web-react-er-prod-me
    # The callee receives only this named secret (no `secrets: inherit`).
    secrets:
      ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}