mozilla · Basma1912 · Sep 30, 2024 · Sep 17, 2024 · Sep 17, 2024 · Sep 22, 2024
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -0,0 +1,171 @@
+name: Build, test and push a Docker image
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+    tags:
+      - '*'
+
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'ref to be deployed (e.g. "refs/heads/main", "v1.0.0", "2c0472cf")'
+        type: string
+        required: true
+        default: refs/heads/dev
+env:
+  APP: sumo
+  APPLICATION_REPOSITORY: mozilla/kitsune
+  IMAGE_NAME: kitsune
+  GAR_LOCATION: us
+  GCP_PROJECT_ID: moz-fx-sumo-prod
+  GAR_REPOSITORY: sumo-prod
+  REF_ID: ${{ github.ref }}
+
+
+jobs:
+  build:
+    permissions:
+      contents: read
+      deployments: write
+      id-token: write
+    runs-on: ubuntu-latest
+
+    outputs:
+        deployment_env: ${{ env.DEPLOYMENT_ENV }}
+        deployment_realm: ${{ env.DEPLOYMENT_REALM }}
+        image_tag: ${{ env.TAG }}
+
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Create version.json
+        run: |
+          # create a version.json per
+          # https://github.com/mozilla-services/Dockerflow/blob/master/docs/version_object.md
+          printf '{"commit":"%s","version":"%s","source":"%s","build":"%s"}\n' \
+          "$GITHUB_SHA" \
+          "$GITHUB_REF_NAME" \
+          "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \
+          "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > version.json
+
+      - id: checkout_application_repo
+        name: checkout application repo
+        uses: actions/checkout@v4
+        with:
+            fetch-depth: 0
+            fetch-tags: true
+            ref: ${{ env.REF_ID }}
+
+      - id: dev_image_tag
+        name: Set Docker Stag image tag for updates of the DEV branch
+        if: github.ref == 'refs/heads/dev'
+        run: |
+
+          echo TAG ="dev-$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV"
+
+          # Updates to the main branch are deployed to stage.
+          echo DEPLOYMENT_ENV=dev >> "$GITHUB_ENV"
+          echo DEPLOYMENT_REALM=nonprod >> "$GITHUB_ENV"
+
+      - id: stage_image_tag
+        name: Set Docker Stag image tag for updates of the main branch
+        if: github.ref == 'refs/heads/main'
+        run: |
+
+          echo TAG ="$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV"
+
+          # Updates to the main branch are deployed to stage.
+          echo DEPLOYMENT_ENV=stage >> "$GITHUB_ENV"
+          echo DEPLOYMENT_REALM=nonprod >> "$GITHUB_ENV"
+
+      - id: prod_image_tag
+        name: Set Docker image tag to the git tag for tagged builds
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+
+          echo TAG ="$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV"
+          # Version tags are deployed to prod.
+          echo DEPLOYMENT_ENV=prod >> "$GITHUB_ENV"
+          echo DEPLOYMENT_REALM=prod >> "$GITHUB_ENV"
+
+      - id: gcp_auth
+        name: GCP authentication
+        uses: google-github-actions/auth@v2
+        with:
+            token_format: access_token
+            service_account:  artifact-writer@${{ env.GCP_PROJECT_ID }}.iam.gserviceaccount.com
+            workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_POOL_PROJECT_NUMBER }}
+
+      - id: docker_login
+        name: Log in to the container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.gcp_auth.outputs.access_token }}
+
+
+      - id: build_and_push
+        name: Build and push image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          tags: |
+            ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
+
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  upload-static-assets:
+    name: upload static assets
+    environment: ${{ needs.build.outputs.deployment_env }}
+    runs-on: ubuntu-latest
+    needs:
+      - build
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - id: gcp_auth
+        name: gcp auth
+        uses: google-github-actions/auth@v2
+        with:
+          token_format: access_token
+          service_account: deploy-${{ needs.build.outputs.deployment_env }}@moz-fx-sumo-${{ needs.build.outputs.deployment_realm }}.iam.gserviceaccount.com
+          workload_identity_provider: projects/324168772199/locations/global/workloadIdentityPools/github-actions/providers/github-actions
+
+      - id: docker_login
+        name: docker login
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.gcp_auth.outputs.access_token }}
+
+      - id: setup-gcloud
+        uses: google-github-actions/setup-gcloud@v2
+
+      - id: upload-assets
+        name: upload static assets
+        run: |-
+          TMP_DIR=static-upload
+          TMP_DIR_HASHED=static-upload-hashed
+
+          docker create --name tmp $GAR_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GAR_REPOSITORY/$IMAGE:${{ needs.build.outputs.image_tag }}
+
+          mkdir -p ./$TMP_DIR ./$TMP_DIR_HASHED
+
+          docker cp tmp:/app/static/. ./$TMP_DIR/
+
+          find $TMP_DIR -maxdepth 1 -type f -regextype sed -regex ".*\.[0-9a-f]\{16\}\..*" -exec mv -t $TMP_DIR_HASHED {} +
+
+          gsutil -m rsync -r ./$TMP_DIR_HASHED/ gs://$APP-${{ needs.build.outputs.deployment_realm }}-${{ needs.build.outputs.deployment_env }}-assets-bucket/static/
+          gsutil -m rsync -r ./$TMP_DIR/ gs://$APP-${{ needs.build.outputs.deployment_realm }}-${{ needs.build.outputs.deployment_env }}-assets-bucket/static/
+
+          docker rm tmp