ci(back): explicitly define service account #310
name: Back - Test, Build, and Deploy to GCP | |
on: | |
push: | |
paths: | |
- 'src/back/**' | |
- '.github/workflows/back.yml' | |
- '.github/actions/back/**' | |
- 'src/common/**' | |
- 'data/migrations/**' | |
- 'data/knexfile.js' | |
- 'data/package*.json' | |
defaults: | |
run: | |
working-directory: src/back | |
permissions: | |
id-token: write | |
contents: read | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
test: | |
name: Test | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- uses: actions/cache@v3 | |
id: cache | |
with: | |
path: ~/.cache/firebase/emulators | |
key: ${{ runner.os }}-firebase-emulators-${{ hashFiles('~/.cache/firebase/emulators/**') }} | |
- name: Setup Node.js | |
uses: actions/setup-node@v3 | |
with: | |
node-version-file: src/back/.node-version | |
- name: Install Dependencies | |
run: | | |
npm ci | |
cd ../common && npm ci | |
- name: Test | |
run: | | |
npm run lint | |
npm run test:ci | |
deploy-staging: | |
name: Migration DB, Build, and Deploy to Staging | |
runs-on: ubuntu-latest | |
needs: test | |
environment: | |
name: Staging | |
if: github.ref_name == 'staging' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: DB Migrations | |
uses: ./.github/actions/back/db-migrations | |
with: | |
environment: Staging | |
project_id: ${{ secrets.PROJECT_ID }} | |
identity_provider: ${{ secrets.IDENTITY_PROVIDER }} | |
service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }} | |
cloudsql_instance: ${{ secrets.CLOUDSQL_INSTANCE }} | |
env: | |
DATABASE_ADMIN_PASSWORD: ${{ secrets.DATABASE_ADMIN_PASSWORD }} | |
- name: 🚀 Deploy | |
uses: agrc/cloud-run-docker-deploy-composite-action@v1 | |
with: | |
docker-context: ./src | |
docker-file: ./src/back/Dockerfile | |
identity-provider: ${{ secrets.IDENTITY_PROVIDER }} | |
service-account-email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }} | |
project-id: ${{ secrets.PROJECT_ID }} | |
service: api | |
flags: | | |
--service-account=cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com | |
--max-instances=10 | |
--min-instances=0 | |
--set-cloudsql-instances=${{ secrets.CLOUDSQL_INSTANCE }} | |
--allow-unauthenticated | |
env-vars: | | |
ADMIN_EMAIL=${{ secrets.ADMIN_EMAIL }} | |
API=${{ secrets.API }} | |
DATABASE_HOST=${{ secrets.DATABASE_HOST }} | |
ENVIRONMENT=staging | |
PROJECT_ID=${{ secrets.PROJECT_ID }} | |
WEBSITE=${{ secrets.WEBSITE }} | |
mounted-secrets: | | |
/secrets/client_id/value=client-id:latest, | |
/secrets/database_password/value=database-password:latest, | |
/secrets/sendgrid_api_key/value=sendgrid-api-key:latest | |
/secrets/apple_sign_in_props/value=apple-sign-in-props:latest | |
deploy-prod: | |
name: Migration DB, Build, and Deploy to Production | |
runs-on: ubuntu-latest | |
needs: test | |
environment: | |
name: Production | |
if: github.ref_name == 'production' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: DB Migrations | |
uses: ./.github/actions/back/db-migrations | |
with: | |
environment: Production | |
project_id: ${{ secrets.PROJECT_ID }} | |
identity_provider: ${{ secrets.IDENTITY_PROVIDER }} | |
service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }} | |
cloudsql_instance: ${{ secrets.CLOUDSQL_INSTANCE }} | |
env: | |
DATABASE_ADMIN_PASSWORD: ${{ secrets.DATABASE_ADMIN_PASSWORD }} | |
- name: 🚀 Deploy | |
uses: agrc/cloud-run-docker-deploy-composite-action@v1 | |
with: | |
docker-context: ./src | |
docker-file: ./src/back/Dockerfile | |
identity-provider: ${{ secrets.IDENTITY_PROVIDER }} | |
service-account-email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }} | |
project-id: ${{ secrets.PROJECT_ID }} | |
service: api | |
flags: | | |
--service-account=cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com | |
--max-instances=10 | |
--min-instances=1 | |
--set-cloudsql-instances=${{ secrets.CLOUDSQL_INSTANCE }} | |
--allow-unauthenticated | |
env-vars: | | |
ADMIN_EMAIL=${{ secrets.ADMIN_EMAIL }} | |
API=${{ secrets.API }} | |
DATABASE_HOST=${{ secrets.DATABASE_HOST }} | |
ENVIRONMENT=production | |
PROJECT_ID=${{ secrets.PROJECT_ID }} | |
WEBSITE=${{ secrets.WEBSITE }} | |
mounted-secrets: | | |
/secrets/client_id/value=client-id:latest, | |
/secrets/database_password/value=database-password:latest, | |
/secrets/sendgrid_api_key/value=sendgrid-api-key:latest | |
/secrets/apple_sign_in_props/value=apple-sign-in-props:latest |
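Review bot: The workflow-level `permissions` block grants `id-token: write` to every job, including `test`, which runs `npm ci`, lint and the test suite on any push touching these paths and has no step that authenticates to GCP. Only `deploy-staging` and `deploy-prod` pass the identity provider and service account to an action, so the top-level block could be reduced to `contents: read`, with `permissions: {id-token: write, contents: read}` set on the two deploy jobs. That keeps dependency code executed during install and test from being able to request an OIDC token for the workload identity provider. The page does not mark which lines this commit changed, so this applies to the file as shown rather than to a specific hunk.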