whekin/household-bot
1
0
Fork 0
mirror of https://github.com/whekin/household-bot.git synced 2026-03-31 15:44:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use repo vars and streamline CI/CD workflows

Browse Source 
Update GitHub Actions workflows to rely on repository variables and simplify build/deploy logic. cd.yml: switch secret/project lookups to vars, adjust workflow_run detection for auto-deploy, remove derived secret outputs, resolve Artifact Registry image tags from the triggering SHA, and use vars for Google Cloud auth and project references. ci.yml: add dev to PR branches, condense the quality matrix commands, rework the images job to authenticate and push only on branch pushes while doing build-only on PRs (with proper cache usage), add id-token permission, and introduce a final CI gate job that aggregates job results to block CD when CI fails. Also includes minor formatting and whitespace cleanups.
This commit is contained in:
whekin
2026-03-16 00:25:15 +04:00
parent 1cff14662e
commit 543a6f90ef
2 changed files with 138 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

146
.github/workflows/ci.yml vendored
View File

@@ -8,6 +8,7 @@ on:
pull_request:
branches:
- main
- dev
permissions:
contents: read
@@ -32,7 +33,6 @@ jobs:
- build
- db-check
- db-migrations
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -58,38 +58,20 @@ jobs:
- name: Run quality gate
run: |
case "${{ matrix.task }}" in
format)
bun run format:check
;;
lint)
bun run lint
;;
typecheck)
bun run typecheck
;;
test)
bun run test
;;
build)
bun run build
;;
db-check)
bun run db:check
;;
db-migrations)
bun run db:migrations:check
;;
*)
echo "Unknown task: ${{ matrix.task }}"
exit 1
;;
format) bun run format:check ;;
lint) bun run lint ;;
typecheck) bun run typecheck ;;
test) bun run test ;;
build) bun run build ;;
db-check) bun run db:check ;;
db-migrations) bun run db:migrations:check ;;
*) echo "Unknown task: ${{ matrix.task }}"; exit 1 ;;
esac
terraform:
name: Terraform / validate
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -107,8 +89,9 @@ jobs:
terraform -chdir=infra/terraform init -backend=false
terraform -chdir=infra/terraform validate
images:
name: Docker / build ${{ matrix.service }}
images-pr:
name: Docker / build (PR)
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
timeout-minutes: 20
strategy:
@@ -117,7 +100,6 @@ jobs:
service:
- bot
- miniapp
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -125,17 +107,95 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build container image
- name: Build only
uses: docker/build-push-action@v6
with:
context: .
file: apps/${{ matrix.service }}/Dockerfile
push: false
tags: household-${{ matrix.service }}:ci
cache-from: type=gha
cache-to: type=gha,mode=max
images-push:
name: Docker / build & push ${{ matrix.service }}
if: github.event_name == 'push'
runs-on: ubuntu-latest
timeout-minutes: 20
environment: ${{ github.ref_name == 'main' && 'Production' || 'Development' }}
strategy:
fail-fast: false
matrix:
service:
- bot
- miniapp
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
- name: Configure Artifact Registry auth
run: |
case "${{ matrix.service }}" in
bot)
docker build -f apps/bot/Dockerfile -t household-bot:ci .
;;
miniapp)
docker build -f apps/miniapp/Dockerfile -t household-miniapp:ci .
;;
*)
echo "Unknown service: ${{ matrix.service }}"
exit 1
;;
esac
gcloud auth configure-docker "${{ vars.GCP_REGION || 'europe-west1' }}-docker.pkg.dev" --quiet
- name: Resolve image name
id: image
env:
GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
run: |
repo="${GCP_REGION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}"
echo "name=${repo}/${{ matrix.service }}:${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
echo "cache_ref=${repo}/${{ matrix.service }}:cache" >> "$GITHUB_OUTPUT"
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
file: apps/${{ matrix.service }}/Dockerfile
push: true
tags: ${{ steps.image.outputs.name }}
cache-from: type=registry,ref=${{ steps.image.outputs.cache_ref }}
cache-to: type=registry,ref=${{ steps.image.outputs.cache_ref }},mode=max
# Gate job: CD triggers on this workflow's conclusion.
# By depending on all jobs, a failure in any job marks CI as failed,
# which causes CD's `workflow_run` trigger to see conclusion != 'success'
# and skip deployment.
ci:
name: CI complete
runs-on: ubuntu-latest
needs: [quality, terraform, images-pr, images-push]
if: always()
steps:
- name: Check all jobs passed
run: |
results='${{ toJSON(needs) }}'
echo "Job results: $results"
failed=false
for result in $(echo "$results" | jq -r '.[].result'); do
# 'skipped' is expected — images-pr skips on push, images-push skips on PR
if [[ "$result" != "success" && "$result" != "skipped" ]]; then
echo "Job failed with result: $result"
failed=true
fi
done
if [[ "$failed" == "true" ]]; then
echo "One or more CI jobs failed — blocking deployment."
exit 1
fi
echo "All CI jobs passed."