feat: Multiple ETL refinements and fixes #156
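name: Deploy Staging

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it, so a
# yamllint `truthy` warning on this line is expected and can be suppressed.
on:
  workflow_run:
    workflows: ["Build and Push Docker Images"]
    types: [completed]
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch: # Allow manual triggers

# One deploy per branch at a time. PR previews are cancelled when a newer
# commit arrives; deploys from main are never cancelled mid-flight.
concurrency:
  group: >-
    deploy-staging-${{ github.event_name == 'pull_request' && github.head_ref || 'main' }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  GCP_PROJECT: biocirv-470318
  GCP_REGION: us-west1
  DEPLOY_ENV: staging
  # These values come from Pulumi outputs after deploying WIF resources.
  # Run `DEPLOY_ENV=staging pixi run -e deployment cloud-outputs` to verify.
  # NOTE: Update WIF_PROVIDER after staging migration renames the WIF pool.
  WIF_PROVIDER: "projects/194468397458/locations/global/workloadIdentityPools/github-actions-staging/providers/github-oidc-staging"
  DEPLOYER_SA: "biocirv-staging-gh-deploy@biocirv-470318.iam.gserviceaccount.com"

# TODO(review): third-party actions below are pinned by tag only; pin each
# `uses:` to a full commit SHA (with the tag in a trailing comment) so a
# moved tag cannot change what runs with the deployer identity.
jobs:
  # --- Preview (runs on PRs) ---
  preview:
    name: Pulumi Preview
    # Same-repository PRs only: a PR from a fork is not issued an OIDC token,
    # so the WIF authentication step below cannot succeed for it. This also
    # means the PR's own pixi/Pulumi code only ever runs with the deployer
    # identity for commits pushed by repository collaborators.
    if: >-
      github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # Required for WIF
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ env.WIF_PROVIDER }}
          service_account: ${{ env.DEPLOYER_SA }}
      - name: Set up pixi
        uses: prefix-dev/setup-pixi@v0.9.4
        with:
          pixi-version: v0.63.2
          environments: deployment
      - name: Preview infrastructure changes
        run: pixi run -e deployment cloud-plan-direct

  # --- Deploy (runs after docker-build completes on main / workflow_dispatch) ---
  image-tag:
    name: Compute Image Tag
    if: >-
      (github.event_name == 'workflow_dispatch') || (github.event_name ==
      'workflow_run' && github.event.workflow_run.conclusion == 'success')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
    outputs:
      image_tag: ${{ steps.vars.outputs.sha_short }}
    steps:
      - name: Set short SHA
        id: vars
        env:
          GH_TOKEN: ${{ github.token }}
          # Context values are passed through the environment rather than
          # interpolated into the script text, so the shell only ever sees
          # quoted variable expansions, never raw expression output.
          EVENT_NAME: ${{ github.event_name }}
          WORKFLOW_RUN_SHA: ${{ github.event.workflow_run.head_sha }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          if [ "$EVENT_NAME" = "workflow_run" ]; then
            SHA="$WORKFLOW_RUN_SHA"
          else
            # On workflow_dispatch the current HEAD may not have a built image.
            # Query the last successful docker-build run on main to get the
            # SHA of the most recently built image.
            SHA=$(gh api \
              "repos/${REPO}/actions/workflows/docker-build.yml/runs?branch=main&status=success&per_page=1" \
              --jq '.workflow_runs[0].head_sha')
            if [ -z "$SHA" ] || [ "$SHA" = "null" ]; then
              echo "::error::No successful docker-build run found on main"
              exit 1
            fi
          fi
          # Refuse anything that is not a full commit hash before it becomes
          # an image tag consumed by the deploy jobs.
          if ! printf '%s' "$SHA" | grep -Eq '^[0-9a-f]{40}$'; then
            echo "::error::Resolved SHA is not a valid commit hash: ${SHA}"
            exit 1
          fi
          echo "sha_short=${SHA::7}" >> "$GITHUB_OUTPUT"
          echo "Resolved image tag: ${SHA::7}"

  deploy-infrastructure:
    name: Deploy Infrastructure (Pulumi)
    needs: image-tag
    runs-on: ubuntu-latest
    environment: staging
    permissions:
      contents: read
      id-token: write
    steps:
      # NOTE(review): on workflow_run / workflow_dispatch this checks out the
      # default-branch HEAD, which may be newer than the commit the image
      # tag was built from — confirm that skew is acceptable for Pulumi code.
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ env.WIF_PROVIDER }}
          service_account: ${{ env.DEPLOYER_SA }}
      - name: Set up pixi
        uses: prefix-dev/setup-pixi@v0.9.4
        with:
          pixi-version: v0.63.2
          environments: deployment
      - name: Deploy infrastructure
        env:
          IMAGE_TAG: ${{ needs.image-tag.outputs.image_tag }}
        run: pixi run -e deployment cloud-deploy-direct

  run-migrations:
    name: Run Database Migrations
    needs: [image-tag, deploy-infrastructure]
    runs-on: ubuntu-latest
    environment: staging
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ env.WIF_PROVIDER }}
          service_account: ${{ env.DEPLOYER_SA }}
      - name: Set up pixi
        uses: prefix-dev/setup-pixi@v0.9.4
        with:
          pixi-version: v0.63.2
          environments: deployment
      - name: Run Alembic migrations
        env:
          IMAGE_TAG: ${{ needs.image-tag.outputs.image_tag }}
        run: pixi run -e deployment cloud-migrate-ci

  update-services:
    name: Force Cloud Run Revision Updates
    needs: [image-tag, run-migrations]
    runs-on: ubuntu-latest
    environment: staging
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ env.WIF_PROVIDER }}
          service_account: ${{ env.DEPLOYER_SA }}
      - name: Set up pixi
        uses: prefix-dev/setup-pixi@v0.9.4
        with:
          pixi-version: v0.63.2
          environments: deployment
      - name: Force new Cloud Run revisions
        env:
          IMAGE_TAG: ${{ needs.image-tag.outputs.image_tag }}
        run: pixi run -e deployment cloud-update-services

  validate-deployment:
    name: Validate Deployment Health
    needs: [image-tag, update-services]
    runs-on: ubuntu-latest
    environment: staging
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ env.WIF_PROVIDER }}
          service_account: ${{ env.DEPLOYER_SA }}
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v2
      - name: Validate services are healthy
        run: bash scripts/validate-deployment.sh
        timeout-minutes: 10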