Cicd/gcp configuration (#80)

* 1st github actions config * Updating gcp authentication creds * Auth gc from github actions * Switchin push to true * Adding missing entrypoint * Updating entrypoint file * Skipping entrypoint by the moment * Removing schema search path * Adding review-env setup (database creation) * Replacing vars * Adding adapter to database.yml * Testing * Returning back entrypoint config * Reverting entrypoint execution * Turning into underscore db name * Docker layer cache issue * Adding password strongly * Adding username * Turning entrypoint back on * Test * Skipping entrypoint * Test * Test * test * Testing * Trying with tankef config * Test * Debuggin * Adding google-cloud-secret_manager gem * Test * Enabling entrypoint * Test * Adding permissions to entrypoint file * Updating gitignore * Test
IcaliaLabs · Aug 24, 2023 · 5fc499d · 5fc499d
1 parent 98cdae9
commit 5fc499d
Show file tree

Hide file tree

Showing 11 changed files with 330 additions and 11 deletions.
diff --git a/.github/workflows/ci-and-cd-for-review.yml b/.github/workflows/ci-and-cd-for-review.yml
@@ -6,7 +6,30 @@ on:
     branches:
       - main
 
+# Generate a GitHub token that can be exchanged with Google Cloud - see
+# https://github.com/google-github-actions/auth/tree/v0.6.0#setting-up-workload-identity-federation
+permissions:
+  contents: read
+  id-token: write
+  deployments: write
+
 jobs:
   test-and-build:
     name: Integration
     uses: ./.github/workflows/test-and-build.yml
+    secrets: inherit
+
+  release-to-review:
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    name: Delivery
+    uses: ./.github/workflows/deploy-to-cloud-run.yml
+    needs:
+      - test-and-build
+    with:
+      environment: ${{ github.head_ref }}
+      deploy-name: pr${{ github.event.pull_request.number }}
+      cloud-sql-instance: sepomex-365521:us-central1:sepomex
+      cloud-sql-username-secret: database-username:latest
+      cloud-sql-password-secret: database-password:latest
+      cloud-run-service-suffix: ${{ needs.test-and-build.outputs.git-commit-short-sha }}
+      cloud-run-container-image: us-central1-docker.pkg.dev/sepomex-365521/icalialabs-sepomex/sepomex@${{ needs.test-and-build.outputs.container-image-digest }}
diff --git a/.github/workflows/ci-and-cd.yml b/.github/workflows/ci-and-cd.yml
@@ -6,7 +6,29 @@ on:
     branches:
       - main
 
+# Generate a GitHub token that can be exchanged with Google Cloud - see
+# https://github.com/google-github-actions/auth/tree/v0.6.0#setting-up-workload-identity-federation
+permissions:
+  contents: read
+  id-token: write
+  deployments: write
+
 jobs:
   test-and-build:
     name: Integration
     uses: ./.github/workflows/test-and-build.yml
+
+  deploy-to-staging:
+    name: Staging
+    uses: ./.github/workflows/deploy-to-cloud-run.yml
+    needs:
+      - test-and-build
+    with:
+      environment: staging
+      deploy-name: staging
+      cloud-sql-instance: sepomex-365521:us-central1:sepomex
+      cloud-sql-username-secret: database-username:latest
+      cloud-sql-password-secret: database-password:latest
+      cloud-run-service-suffix: ${{ needs.test-and-build.outputs.git-commit-short-sha }}
+      cloud-run-container-image: us-central1-docker.pkg.dev/sepomex-365521/sepomex/sepomex@${{ needs.test-and-build.outputs.container-image-digest }}
+    secrets: inherit
diff --git a/.github/workflows/deploy-to-cloud-run.yml b/.github/workflows/deploy-to-cloud-run.yml
@@ -0,0 +1,101 @@
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      deploy-name:
+        required: true
+        type: string
+      cloud-sql-instance:
+        required: true
+        type: string
+      cloud-sql-username-secret:
+        required: false
+        type: string
+        default: projects/582875546495/secrets/database-username:latest
+      cloud-sql-password-secret:
+        required: false
+        type: string
+        default: projects/582875546495/secrets/database-password:latest
+      cloud-run-container-image:
+        required: true
+        type: string
+      cloud-run-service-suffix:
+        required: false
+        type: string
+      cloud-run-minimum-instances:
+        required: false
+        type: number
+        default: 0
+
+jobs:
+  service-deploy:
+    name: Service Deploy
+    runs-on: ubuntu-latest
+    env:
+      DATABASE_NAME: sepomex_${{ inputs.deploy-name }}
+    steps:
+      # actions/checkout MUST come before auth
+      - name: Checkout the code
+        uses: actions/checkout@v3.1.0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v0.8.0
+        with:
+          service_account: github-actions@sepomex-365521.iam.gserviceaccount.com
+          workload_identity_provider: projects/582875546495/locations/global/workloadIdentityPools/github-pool/providers/github-provider
+
+      - name: Set up Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@v0.6.0
+
+      - name: URLEncode Cloud SQL Instance string
+        id: url-encode-cloud-sql-instance
+        run: |-
+          ruby -e 'require "erb"; puts "encoded-value=#{ERB::Util.url_encode("${{ inputs.cloud-sql-instance }}")}"' >> $GITHUB_OUTPUT
+
+      - name: Register Deploy Start on Github
+        uses: bobheadxi/deployments@v1.3.0
+        id: deploy-start
+        with:
+          step: start
+          ref: ${{ github.head_ref }}
+          env: ${{ inputs.environment }}
+          token: ${{ github.token }}
+
+      - name: Set deploy timestamp
+        id: set-deploy-timestamp
+        run: echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
+
+      - name: Deploy to Cloud Run
+        id: deploy
+        uses: google-github-actions/deploy-cloudrun@v0.9.0
+        with:
+          region: us-central1
+          service: sepomex-${{ inputs.deploy-name }}
+          suffix: ${{ inputs.cloud-run-service-suffix }}-${{ steps.set-deploy-timestamp.outputs.timestamp }}
+          image: ${{ inputs.cloud-run-container-image }}
+          secrets: |
+            DATABASE_USERNAME=${{ inputs.cloud-sql-username-secret }}
+            DATABASE_PASSWORD=${{ inputs.cloud-sql-password-secret }}
+          env_vars: |
+            DATABASE_URL=postgres://%2Fcloudsql%2F${{ steps.url-encode-cloud-sql-instance.outputs.encoded-value }}/${{ env.DATABASE_NAME }}
+            GOOGLE_CLOUD_PROJECT=sepomex-365521
+          flags: |-
+            --allow-unauthenticated
+            --add-cloudsql-instances ${{ inputs.cloud-sql-instance }}
+            --min-instances=${{ inputs.cloud-run-minimum-instances }}
+            --service-account github-actions@sepomex-365521.iam.gserviceaccount.com
+
+      - name: Finalize the deployment state on Github
+        uses: bobheadxi/deployments@v1.3.0
+        if: always()
+        with:
+          step: finish
+          override: true
+          auto_inactive: true
+          status: ${{ job.status }}
+          token: ${{ github.token }}
+          env_url: ${{ steps.deploy.outputs.url }}
+          env: ${{ steps.deploy-start.outputs.env }}
+          deployment_id: ${{ steps.deploy-start.outputs.deployment_id }}
diff --git a/.github/workflows/review-env-setup.yml b/.github/workflows/review-env-setup.yml
@@ -0,0 +1,48 @@
+name: Review Environment Setup
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - reopened
+
+jobs:
+  create_deployment:
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    name: Create deployment
+    runs-on: ubuntu-latest
+    env:
+      DB_NAME: "sepomex-pr${{ github.event.pull_request.number }}"
+      GOOGLE_CLOUD_PROJECT: sepomex-365521
+
+    # Generate a GitHub token that can be exchanged with Google Cloud - see
+    # https://github.com/google-github-actions/auth/tree/v0.6.0#setting-up-workload-identity-federation
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      # actions/checkout MUST come before auth
+      - name: Checkout the code
+        uses: actions/checkout@v3.1.0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v0.6.0
+        with:
+          service_account: github-actions@sepomex-365521.iam.gserviceaccount.com
+          workload_identity_provider: projects/582875546495/locations/global/workloadIdentityPools/github-pool/providers/github-provider
+
+      - name: Set up Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@v0.6.0
+
+      - name: Ensure a review database exists
+        run: |-
+          gcloud sql databases describe ${{ env.DB_NAME }} \
+            --instance=sepomex \
+            --format="value(name)" \
+          && echo "Database ${{ env.DB_NAME }} already exists" \
+          || gcloud sql databases create ${{ env.DB_NAME }} \
+            --instance=sepomex
diff --git a/.github/workflows/test-and-build.yml b/.github/workflows/test-and-build.yml
@@ -47,7 +47,9 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2.0.0
+        uses: docker/setup-buildx-action@v2.2.1
+        with:
+          version: v0.9.1
 
       - name: Build Test Image
         id: build-test-image
@@ -81,20 +83,32 @@ jobs:
           path: |
             tmp/capybara/screenshots
 
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v0.8.0
+        with:
+          service_account: github-actions@sepomex-365521.iam.gserviceaccount.com
+          workload_identity_provider: projects/582875546495/locations/global/workloadIdentityPools/github-pool/providers/github-provider
+
+      - name: Set up Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@v0.6.0
+
+      - name: Authorize push to Google Cloud Artifact Registry
+        run: gcloud auth configure-docker us-central1-docker.pkg.dev
+
       - name: Build & Push Release Image
         id: build-and-push-release-image
         uses: docker/build-push-action@v3.1.1
         with:
-          push: false
+          push: true
           target: release
           platforms: linux/amd64
           builder: ${{ steps.buildx.outputs.name }}
           build-args: |
             DEVELOPER_UID=${{ steps.variables.outputs.runner-uid }}
             DEVELOPER_USERNAME=${{ steps.variables.outputs.runner-user }}
           tags: |
-            us-central1-docker.pkg.dev/icalia-labs-sepomex/sepomex/sepomex-web:${{ steps.variables.outputs.git-commit-short-sha }}
-            us-central1-docker.pkg.dev/icalia-labs-sepomex/sepomex/sepomex-web:${{ steps.variables.outputs.git-dasherized-branch }}
-            us-central1-docker.pkg.dev/icalia-labs-sepomex/sepomex/sepomex-web:latest
+            us-central1-docker.pkg.dev/sepomex-365521/icalialabs-sepomex/sepomex:${{ steps.variables.outputs.git-commit-short-sha }}
+            us-central1-docker.pkg.dev/sepomex-365521/icalialabs-sepomex/sepomex:${{ steps.variables.outputs.git-dasherized-branch }}
+            us-central1-docker.pkg.dev/sepomex-365521/icalialabs-sepomex/sepomex:latest
           cache-from: type=gha
           cache-to: type=gha,mode=max
diff --git a/.gitignore b/.gitignore
@@ -2,16 +2,23 @@
 
 /db/development.sqlite3
 /log/development.log
-/tmp
-tmp/cache/bootsnap-load-path-cache
 log/test.log
 
 docker-compose.override.yml
-tmp/cache
 
 # Ignore history files
 **/.*_hist*
 
 # Ignore database dumps
 db/dumps/*
 !db/dumps/.keep
+
+# Ignore all logfiles and tempfiles.
+/tmp/*
+!/tmp/.keep
+
+# Ignore pidfiles, but keep the directory.
+/tmp/pids/*
+!/tmp/pids/
+!/tmp/pids/.keep
+!/tmp/pids/server.pid
diff --git a/Gemfile b/Gemfile
@@ -9,7 +9,7 @@ ruby '2.7.5'
 gem 'rails', '~> 6.0', '>= 6.0.3.2'
 
 # Use pg as the database for Active Record
-gem 'pg'
+gem 'pg', '~> 1.1'
 
 # Use Puma as the app server
 gem 'puma', '~> 4.3'
@@ -31,6 +31,9 @@ gem 'pagy', '~> 3.8', '>= 3.8.2'
 gem 'rack-cors', '~> 1.1', '>= 1.1.1'
 # Testing
 
+# Read secrets from Google Cloud Secret Manager
+gem 'google-cloud-secret_manager', '~> 1.1', '>= 1.1.3'
+
 group :development, :test do
   gem 'listen', '>= 3.0.5', '< 3.2'