Skip to content

Rearrange some documentation for CMS building, to make it easier to k… #88

Rearrange some documentation for CMS building, to make it easier to k…

Rearrange some documentation for CMS building, to make it easier to k… #88

name: Build and push a Docker image
on:
push:
branches:
- main
- stage
- run-integration-test
tags:
- '*'
workflow_dispatch:
inputs:
ref:
description: 'ref to be deployed (e.g. "refs/heads/main", "v1.0.0", "2c0472cf")'
type: string
required: true
default: refs/heads/main
env:
APP: bedrock
APPLICATION_REPOSITORY: mozilla/bedrock
IMAGE: bedrock
GAR_LOCATION: us
GCP_PROJECT_ID: moz-fx-bedrock-prod
GAR_REPOSITORY: bedrock-prod
REF_ID: ${{ github.ref }}
jobs:
build_and_publish_public_images:
name: Build public Bedrock images and push to Docker hub
runs-on: ubuntu-latest
if: github.repository == 'mozilla/bedrock'
outputs:
long_sha: ${{ steps.long-sha.outputs.LONG_SHA }}
steps:
- uses: docker/setup-buildx-action@v3
with:
buildkitd-flags: "cache-from: type=gha cache-to: type=gha,mode=max"
- id: checkout-bedrock-repo
name: checkout-bedrock-repo
uses: actions/checkout@v4
with:
fetch-depth: 10 # get enough so we have a Git history, but not everything
fetch-tags: true
ref: ${{ env.REF_ID }}
- id: long-sha
run: |-
echo "LONG_SHA=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- id: docker-login
name: Docker login
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- id: build_and_push_docker_hub_images
name: Build and push public images to Docker hub
run: |-
./bin/build-release-image.sh --push
env:
GIT_COMMIT: ${{ steps.long-sha.outputs.LONG_SHA }}
push_image_to_gar:
name: Push Image to GAR
needs: build_and_publish_public_images
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
outputs:
deployment_env: ${{ env.DEPLOYMENT_ENV }}
deployment_realm: ${{ env.DEPLOYMENT_REALM }}
image_tag: ${{ env.TAG }}
steps:
- id: checkout-application-repo
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
ref: ${{ env.REF_ID }}
- id: dev_image_tag
name: Set Docker dev image tag for updates of the main branch
if: github.ref == 'refs/heads/main'
run: |
echo TAG="dev-$(git rev-parse HEAD)" >> "$GITHUB_ENV"
# Updates to the main branch are deployed to dev.
echo DEPLOYMENT_ENV=dev >> "$GITHUB_ENV"
echo DEPLOYMENT_REALM=nonprod >> "$GITHUB_ENV"
- id: test_image_tag
name: Set Docker test image tag for updates of the run-integration-test branch
if: github.ref == 'refs/heads/run-integration-tests'
run: |
echo TAG="test-$(git rev-parse HEAD)" >> "$GITHUB_ENV"
# Updates to the run-integration-test branch are deployed to test.
echo DEPLOYMENT_ENV=test >> "$GITHUB_ENV"
echo DEPLOYMENT_REALM=nonprod >> "$GITHUB_ENV"
- id: stage_image_tag
name: Set Docker stage image tag for updates of the stage branch
if: github.ref == 'refs/heads/stage'
run: |
echo TAG="stage-$(git rev-parse HEAD)" >> "$GITHUB_ENV"
# Updates to the main branch are deployed to stage.
echo DEPLOYMENT_ENV=stage >> "$GITHUB_ENV"
echo DEPLOYMENT_REALM=nonprod >> "$GITHUB_ENV"
- id: prod_image_tag
name: Set Docker image tag to the git tag for tagged builds
if: startsWith(github.ref, 'refs/tags/')
run: |
echo TAG="$(git describe --tags --abbrev=7)" >> "$GITHUB_ENV"
# Version tags are deployed to prod.
echo DEPLOYMENT_ENV=prod >> "$GITHUB_ENV"
echo DEPLOYMENT_REALM=prod >> "$GITHUB_ENV"
- uses: docker/setup-buildx-action@v3
- id: gcp_auth
name: GCP authentication
uses: google-github-actions/auth@v2
with:
token_format: access_token
service_account: artifact-writer@${{ env.GCP_PROJECT_ID }}.iam.gserviceaccount.com
workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
- id: docker_login
uses: docker/login-action@v3
name: Docker login
with:
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.gcp_auth.outputs.access_token }}
- id: push-existing-image-to-gar
name: Push existing stage image to GAR
run: |-
docker pull mozmeao/bedrock:${{ needs.build_and_publish_public_images.outputs.long_sha }}
docker tag mozmeao/bedrock:${{ needs.build_and_publish_public_images.outputs.long_sha }} ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY}}/${{ env.IMAGE }}:${{ env.TAG }}
docker push ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY}}/${{ env.IMAGE }}:${{ env.TAG }}
upload_static_assets:
name: Upload static assets
runs-on: ubuntu-latest
environment: build
needs: [build_and_publish_public_images, push_image_to_gar]
permissions:
contents: read
id-token: write
steps:
- id: gcp_auth
name: gcp auth
uses: google-github-actions/auth@v2
with:
token_format: access_token
service_account: artifact-writer@${{ env.GCP_PROJECT_ID }}.iam.gserviceaccount.com
workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
- id: docker_login
name: docker login
uses: docker/login-action@v3
with:
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.gcp_auth.outputs.access_token }}
- id: setup-gcloud
uses: google-github-actions/setup-gcloud@v2
with:
version: 413.0.0
- id: upload-assets
name: upload static assets
run: |-
TMP_DIR=static-upload
TMP_DIR_HASHED=static-upload-hashed
docker run -d --name assets-tmp $GAR_LOCATION-docker.pkg.dev/$GCP_PROJECT_ID/$GAR_REPOSITORY/$IMAGE:${{ needs.push_image_to_gar.outputs.image_tag }}
mkdir -p ./$TMP_DIR ./$TMP_DIR_HASHED
docker exec assets-tmp docker/bin/build_staticfiles.sh --nolink
docker exec assets-tmp mkdir -p /app/static-upload-hashed
docker exec assets-tmp bin/move_hashed_staticfiles.py /app/static /app/static-upload-hashed
docker cp assets-tmp:app/static/ ./$TMP_DIR/
docker cp assets-tmp:app/static-upload-hashed ./$TMP_DIR_HASHED/
gsutil -m rsync -r ./$TMP_DIR_HASHED/* gs://$APP-${{ needs.push_image_to_gar.outputs.deployment_realm }}-${{ needs.push_image_to_gar.outputs.deployment_env }}-media/media/
gsutil -m rsync -r ./$TMP_DIR/* gs://$APP-${{ needs.push_image_to_gar.outputs.deployment_realm }}-${{ needs.push_image_to_gar.outputs.deployment_env }}-media/media/
rm -rf ./$TMP_DIR/ ./$TMP_DIR_HASHED/
docker kill assets-tmp
docker rm assets-tmp