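# CD: apply Pulumi to **dev** Swarm stacks on the pre-prod manager after a green main build.
# Issue: https://github.com/SprocketBot/sprocket/issues/673
# Refactored: reusable stack-map driven deploy (#682).
#
# Targets **pre-prod / main-dev only**. Never uses the production GitHub Environment or prod stack names.
#
# GitHub Environment: `development` — configure these secrets there (same names as infra preview/deploy where applicable):
#   PULUMI_ACCESS_TOKEN
#   PULUMI_CONFIG_PASSPHRASE (if your stack configs use secrets encryption)
#   PULUMI_BACKEND_URL
#   AWS_ACCESS_KEY_ID
#   AWS_SECRET_ACCESS_KEY
#   PULUMI_MANAGER_NODE_HOST (pre-prod Swarm manager; Tailscale/SSH reachable)
#   PULUMI_SSH_USER
#   PULUMI_SSH_KEY
#   TAILSCALE_AUTHKEY (optional; omit if the runner can reach the manager without Tailscale)
#
# Stack order: infra/ci/stack-map.yaml → environments.dev.deploy_order (see infra/ci/README.md).
# Optional repo variable: PULUMI_DEV_PLATFORM_STACK (default dev) — must not be `prod`.
#
# Triggers:
#   - After "Autobuild Docker Containers" succeeds on a push to `main` (via workflow_run).
#   - workflow_dispatch for manual testing (set commit SHA if not deploying the branch tip).
#
# Trust boundary: the only free-form value entering this workflow is the
# workflow_dispatch `git_sha` input. It is passed to the shell via `env:` (never
# interpolated into `run:`) and is format-checked before it is written to
# GITHUB_OUTPUT and forwarded to the reusable deploy workflow.
name: CD Deploy Dev
on:
  workflow_run:
    workflows:
      - Autobuild Docker Containers
    types:
      - completed
    branches:
      - main
  workflow_dispatch:
    inputs:
      git_sha:
        description: 'Full git SHA to checkout and deploy (empty = SHA of the branch you run the workflow from)'
        required: false
        type: string
# One dev deploy at a time; a queued run waits rather than cancelling the active apply.
concurrency:
  group: deploy-dev
  cancel-in-progress: false
# Least privilege for the GITHUB_TOKEN: read-only checkout plus read access to
# the upstream workflow run (needed for the BOM download by run id).
permissions:
  contents: read
  actions: read
jobs:
  # Resolves what to deploy. On workflow_run it only proceeds for a successful
  # push build of `main` from this repository (not a fork); workflow_dispatch is
  # always allowed through and uses the input / dispatching branch tip.
  meta:
    if: >-
      github.event_name == 'workflow_dispatch' ||
      (github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.head_branch == 'main' &&
      github.event.workflow_run.head_repository.full_name == github.repository)
    runs-on: ubuntu-latest
    outputs:
      sha: ${{ steps.resolve.outputs.sha }}
      platform_stack: ${{ steps.resolve.outputs.platform_stack }}
      bom_run_id: ${{ steps.resolve.outputs.bom_run_id }}
    steps:
      - name: Resolve deploy SHA, platform stack, BOM run id
        id: resolve
        shell: bash
        run: |
          set -euo pipefail
          if [ "${GITHUB_EVENT_NAME}" = "workflow_run" ]; then
            # SHA and run id come from the triggering build, supplied by GitHub.
            echo "sha=${WORKFLOW_HEAD_SHA}" >> "${GITHUB_OUTPUT}"
            echo "bom_run_id=${WORKFLOW_RUN_ID}" >> "${GITHUB_OUTPUT}"
          elif [ -n "${GIT_SHA_INPUT:-}" ]; then
            # Manual input: accept only a full 40-hex SHA. Short SHAs, ref names
            # and stray whitespace/newlines are rejected so the value written to
            # GITHUB_OUTPUT cannot carry extra key=value lines. This is a format
            # check only; whether the commit must be reachable from `main` is
            # not enforced here — confirm in the reusable deploy workflow.
            if ! [[ "${GIT_SHA_INPUT}" =~ ^[0-9a-fA-F]{40}$ ]]; then
              echo "git_sha input must be a full 40-character hex commit SHA." >&2
              exit 1
            fi
            echo "sha=${GIT_SHA_INPUT}" >> "${GITHUB_OUTPUT}"
            # No upstream build run for a manual deploy; BOM download is skipped.
            echo "bom_run_id=" >> "${GITHUB_OUTPUT}"
          else
            # Empty input: deploy the tip of the branch the dispatch ran from.
            echo "sha=${GITHUB_SHA}" >> "${GITHUB_OUTPUT}"
            echo "bom_run_id=" >> "${GITHUB_OUTPUT}"
          fi
          # Platform stack name from the repo variable, defaulting to dev.
          # Guard against this workflow ever being pointed at the prod stack.
          STACK="${PULUMI_DEV_PLATFORM_STACK:-dev}"
          if [ "${STACK}" = "prod" ]; then
            echo "Refusing to run CD against platform stack name 'prod'." >&2
            exit 1
          fi
          echo "platform_stack=${STACK}" >> "${GITHUB_OUTPUT}"
        env:
          GIT_SHA_INPUT: ${{ github.event.inputs.git_sha }}
          WORKFLOW_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
          WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
          PULUMI_DEV_PLATFORM_STACK: ${{ vars.PULUMI_DEV_PLATFORM_STACK }}
  # Hands off to the shared Pulumi deploy workflow with the dev lane/target.
  deploy-dev:
    needs: meta
    uses: ./.github/workflows/_reusable-pulumi-deploy.yml
    with:
      lane: main
      target: dev
      git_sha: ${{ needs.meta.outputs.sha }}
      deploy_profile: dev_cd
      bom_download_run_id: ${{ needs.meta.outputs.bom_run_id }}
      dev_platform_stack: ${{ needs.meta.outputs.platform_stack }}
    # `inherit` forwards every secret visible to this workflow to the callee.
    # Listing the Pulumi/AWS/SSH secrets explicitly would narrow that surface;
    # kept as-is because the callee's expected secret names are not visible here.
    secrets: inherit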