Skip to content

ci(back): explicitly define service account #310

ci(back): explicitly define service account

ci(back): explicitly define service account #310

Workflow file for this run

name: Back - Test, Build, and Deploy to GCP
on:
push:
paths:
- 'src/back/**'
- '.github/workflows/back.yml'
- '.github/actions/back/**'
- 'src/common/**'
- 'data/migrations/**'
- 'data/knexfile.js'
- 'data/package*.json'
defaults:
run:
working-directory: src/back
permissions:
id-token: write
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/cache@v3
id: cache
with:
path: ~/.cache/firebase/emulators
key: ${{ runner.os }}-firebase-emulators-${{ hashFiles('~/.cache/firebase/emulators/**') }}
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version-file: src/back/.node-version
- name: Install Dependencies
run: |
npm ci
cd ../common && npm ci
- name: Test
run: |
npm run lint
npm run test:ci
deploy-staging:
name: Migration DB, Build, and Deploy to Staging
runs-on: ubuntu-latest
needs: test
environment:
name: Staging
if: github.ref_name == 'staging'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: DB Migrations
uses: ./.github/actions/back/db-migrations
with:
environment: Staging
project_id: ${{ secrets.PROJECT_ID }}
identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
cloudsql_instance: ${{ secrets.CLOUDSQL_INSTANCE }}
env:
DATABASE_ADMIN_PASSWORD: ${{ secrets.DATABASE_ADMIN_PASSWORD }}
- name: 🚀 Deploy
uses: agrc/cloud-run-docker-deploy-composite-action@v1
with:
docker-context: ./src
docker-file: ./src/back/Dockerfile
identity-provider: ${{ secrets.IDENTITY_PROVIDER }}
service-account-email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
project-id: ${{ secrets.PROJECT_ID }}
service: api
flags: |
--service-account=cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
--max-instances=10
--min-instances=0
--set-cloudsql-instances=${{ secrets.CLOUDSQL_INSTANCE }}
--allow-unauthenticated
env-vars: |
ADMIN_EMAIL=${{ secrets.ADMIN_EMAIL }}
API=${{ secrets.API }}
DATABASE_HOST=${{ secrets.DATABASE_HOST }}
ENVIRONMENT=staging
PROJECT_ID=${{ secrets.PROJECT_ID }}
WEBSITE=${{ secrets.WEBSITE }}
mounted-secrets: |
/secrets/client_id/value=client-id:latest,
/secrets/database_password/value=database-password:latest,
/secrets/sendgrid_api_key/value=sendgrid-api-key:latest
/secrets/apple_sign_in_props/value=apple-sign-in-props:latest
deploy-prod:
name: Migration DB, Build, and Deploy to Production
runs-on: ubuntu-latest
needs: test
environment:
name: Production
if: github.ref_name == 'production'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: DB Migrations
uses: ./.github/actions/back/db-migrations
with:
environment: Production
project_id: ${{ secrets.PROJECT_ID }}
identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
cloudsql_instance: ${{ secrets.CLOUDSQL_INSTANCE }}
env:
DATABASE_ADMIN_PASSWORD: ${{ secrets.DATABASE_ADMIN_PASSWORD }}
- name: 🚀 Deploy
uses: agrc/cloud-run-docker-deploy-composite-action@v1
with:
docker-context: ./src
docker-file: ./src/back/Dockerfile
identity-provider: ${{ secrets.IDENTITY_PROVIDER }}
service-account-email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
project-id: ${{ secrets.PROJECT_ID }}
service: api
flags: |
--service-account=cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
--max-instances=10
--min-instances=1
--set-cloudsql-instances=${{ secrets.CLOUDSQL_INSTANCE }}
--allow-unauthenticated
env-vars: |
ADMIN_EMAIL=${{ secrets.ADMIN_EMAIL }}
API=${{ secrets.API }}
DATABASE_HOST=${{ secrets.DATABASE_HOST }}
ENVIRONMENT=production
PROJECT_ID=${{ secrets.PROJECT_ID }}
WEBSITE=${{ secrets.WEBSITE }}
mounted-secrets: |
/secrets/client_id/value=client-id:latest,
/secrets/database_password/value=database-password:latest,
/secrets/sendgrid_api_key/value=sendgrid-api-key:latest
/secrets/apple_sign_in_props/value=apple-sign-in-props:latest