feat: per-environment approval gates for release pipeline (#1523) #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| name: Build & Deploy das-web-react (develop) | |
| on: | |
| push: | |
| branches: | |
| - develop | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| actions: read | |
| contents: read | |
| id-token: write | |
| jobs: | |
| config: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| build-args: ${{ steps.env-vars.outputs.build-args }} | |
| image-tag: ${{ steps.tag.outputs.value }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 24 | |
| - run: | | |
| npm pkg set "buildbranch"="${{ github.ref_name }}" | |
| npm pkg set "buildnum"="${{ github.run_number }}" | |
| - name: Select env file for build | |
| id: env-vars | |
| run: echo "build-args=ENV_FILE=.env.development" >> $GITHUB_OUTPUT | |
| - name: Generate image tag | |
| id: tag | |
| run: | | |
| SHORT_SHA="${GITHUB_SHA:0:7}" | |
| BRANCH_SAFE=$(echo "${GITHUB_REF_NAME}" | tr '/' '-' | tr '[:upper:]' '[:lower:]') | |
| echo "value=${BRANCH_SAFE}-${SHORT_SHA}" >> "$GITHUB_OUTPUT" | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: npm-config | |
| path: package.json | |
| build: | |
| needs: config | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: npm-config | |
| path: . | |
| - name: GCP Auth | |
| id: auth | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| token_format: 'access_token' | |
| workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }} | |
| service_account: ${{ vars.SERVICE_ACCOUNT }} | |
| - name: Login to serca-artifact-registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: europe-west3-docker.pkg.dev/serca-artifact-registry | |
| username: oauth2accesstoken | |
| password: ${{ steps.auth.outputs.access_token }} | |
| - name: Login to padas-app | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: europe-west3-docker.pkg.dev/padas-app | |
| username: oauth2accesstoken | |
| password: ${{ steps.auth.outputs.access_token }} | |
| - uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver-opts: | | |
| image=europe-west3-docker.pkg.dev/serca-artifact-registry/virtual-docker/moby/buildkit:buildx-stable-1 | |
| - name: Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| europe-west3-docker.pkg.dev/serca-artifact-registry/earthranger/das-web-react | |
| europe-west3-docker.pkg.dev/padas-app/er-mt/das-web-react | |
| tags: | | |
| type=raw,value=${{ needs.config.outputs.image-tag }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: true | |
| context: . | |
| file: Dockerfile.mt | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-args: ${{ needs.config.outputs.build-args }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| deploy-dev: | |
| needs: [config, build] | |
| uses: ./.github/workflows/_update-argo.yml | |
| with: | |
| app-name: das-web-react | |
| app-subdir: earthranger | |
| environment: er-dev | |
| image-tag: ${{ needs.config.outputs.image-tag }} | |
| secrets: | |
| ARGOCD_APPS_SSH_KEY: ${{ secrets.ARGOCD_APPS_SSH_KEY }} | |
| sync-dev: | |
| needs: [config, deploy-dev] | |
| uses: ./.github/workflows/_sync-argo.yml | |
| with: | |
| app-name: das-web-react-er-dev | |
| secrets: | |
| ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }} |
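Review bot: `id-token: write` is granted at workflow level, so the `config` job and both reusable-workflow calls can request an OIDC token even though only the `GCP Auth` step in `build` visibly uses one. I would drop it from the top-level `permissions:` and give `build` its own block (`permissions:` / `contents: read` / `id-token: write`), keeping in mind that a job-level block replaces the workflow-level one, and re-grant it on `deploy-dev` or `sync-dev` only if `_update-argo.yml` or `_sync-argo.yml` (not shown here) need it. The actions that run beside that token and the registry logins are referenced by mutable tags (`google-github-actions/auth@v2`, `docker/login-action@v3`, `docker/build-push-action@v6`); pinning them to full commit SHAs keeps a moved tag from executing with push rights to both registries. In `config`, `npm pkg set "buildbranch"="${{ github.ref_name }}"` expands the expression into the script text before the shell runs; the branch filter fixes it to `develop` today, but `"buildbranch=${GITHUB_REF_NAME}"` matches what the tag step already does and stays safe if the trigger is ever widened. The banner above the file reports hidden or bidirectional Unicode, so the raw bytes of this workflow should be inspected before approval.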