From 64dc3a3813d4230a07c262734c0b157dcb8d8642 Mon Sep 17 00:00:00 2001 From: whekin Date: Mon, 16 Mar 2026 06:28:36 +0400 Subject: [PATCH] refactor(ci): remove dev environment, build images in CD --- .github/workflows/cd.yml | 124 ++++++++++++++++++++------------------- .github/workflows/ci.yml | 63 +------------------- 2 files changed, 67 insertions(+), 120 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index f31bf79..df8ac08 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -8,21 +8,19 @@ on: - completed branches: - main - - dev workflow_dispatch: inputs: environment: description: 'Target environment' required: true - default: 'dev' + default: 'prod' type: choice options: - - dev - prod ref: description: 'Git ref to deploy (branch, tag, or SHA)' required: true - default: 'dev' + default: 'main' permissions: contents: read @@ -51,23 +49,13 @@ jobs: target_env="${{ inputs.environment }}" ref="${{ inputs.ref }}" else - if [[ "${{ github.event.workflow_run.head_branch }}" == "main" ]]; then - target_env="prod" - else - target_env="dev" - fi + target_env="prod" ref="${{ github.event.workflow_run.head_sha }}" fi - if [[ "$target_env" == "prod" ]]; then - github_environment="Production" - db_schema="public" - service_suffix="prod" - else - github_environment="Development" - db_schema="test" - service_suffix="dev" - fi + github_environment="Production" + db_schema="public" + service_suffix="prod" echo "target_env=$target_env" >> "$GITHUB_OUTPUT" echo "github_environment=$github_environment" >> "$GITHUB_OUTPUT" 
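Review bot: The `ref` input is still a free-form string after `dev` is dropped from `options` and the defaults become `prod`/`main`, so a manual dispatch can build and deploy any branch, tag or SHA to production. Nothing visible in this patch checks that the ref is reachable from `main`. Consider a guard after the checkout, such as `git fetch origin main && git merge-base --is-ancestor HEAD origin/main`, which needs `fetch-depth: 0` on `actions/checkout`. If arbitrary refs are meant to be deployable (for rollbacks, say), a comment on the input stating that would help the next reader.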
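Review bot: `target_env="${{ inputs.environment }}"` and `ref="${{ inputs.ref }}"` are expanded into the script text before bash runs, so a dispatch value containing shell metacharacters becomes part of the command rather than data. Every dispatch now targets production, so this is worth closing: pass the input through the step's `env:` (`INPUT_REF: ${{ inputs.ref }}`) and read it as `ref="$INPUT_REF"`. Since `github_environment`, `db_schema` and `service_suffix` are now constants, `target_env` could be set to `prod` unconditionally too, which removes the only use of `inputs.environment` in the script. The step begins above the hunk, so its existing `env:` block, if any, is not visible here.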
@@ -121,12 +109,63 @@ jobs: echo "secrets_ok=$vars_ok" >> "$GITHUB_OUTPUT" echo "db_secret_ok=$db_secret_ok" >> "$GITHUB_OUTPUT" - deploy: - name: Deploy Cloud Run + images: + name: Docker / build & push runs-on: ubuntu-latest needs: [detect-environment, check-secrets] timeout-minutes: 30 - if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' }} + if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' && needs.detect-environment.outputs.target_env == 'prod' }} + environment: Production + strategy: + fail-fast: false + matrix: + service: + - bot + - miniapp + steps: + - name: Checkout deployment ref + uses: actions/checkout@v4 + with: + ref: ${{ needs.detect-environment.outputs.ref }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Authenticate to Google Cloud + uses: google-github-actions/auth@v2 + with: + workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }} + service_account: ${{ vars.GCP_SERVICE_ACCOUNT }} + + - name: Configure Artifact Registry auth + run: | + gcloud auth configure-docker "${{ vars.GCP_REGION || 'europe-west1' }}-docker.pkg.dev" --quiet + + - name: Resolve image name + id: image + env: + GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }} + ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }} + run: | + repo="${GCP_REGION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}" + echo "name=${repo}/${{ matrix.service }}:latest" >> "$GITHUB_OUTPUT" + + - name: Build and push + uses: docker/build-push-action@v6 + with: + context: . 
+ file: apps/${{ matrix.service }}/Dockerfile + push: true + tags: ${{ steps.image.outputs.name }} + platforms: linux/amd64 + provenance: false + + deploy: + name: Deploy Cloud Run + runs-on: ubuntu-latest + needs: [detect-environment, check-secrets, images] + timeout-minutes: 30 + if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' && needs.detect-environment.outputs.target_env == 'prod' }} environment: ${{ needs.detect-environment.outputs.github_environment }} env: GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }} 
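Review bot: The new `images` job pushes only `${repo}/${{ matrix.service }}:latest`, and the `Resolve image tags` step in the deploy job (hunk `-167,37 +206,12`) then deploys `bot:latest` and `miniapp:latest`. A production revision can therefore no longer be tied to a commit, and whatever was last pushed to the mutable tag is what gets deployed. The removed CI job also tagged each build with `${GITHUB_SHA}`; keep an immutable tag here, for example `echo "name=${repo}/${{ matrix.service }}:$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"`, and deploy by that tag or by the `digest` output of `docker/build-push-action`. `provenance: false` is carried over, so there is no build attestation to fall back on. The job also runs `docker/setup-buildx-action@v3`, `google-github-actions/auth@v2` and `docker/build-push-action@v6` by mutable tag inside the Production environment with cloud credentials; pinning them to commit SHAs is worth considering.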
@@ -167,37 +206,12 @@ jobs: - name: Resolve image tags id: images run: | - # For workflow_run, use the SHA from the triggering commit (which CI already built & pushed). - # For workflow_dispatch, the user-supplied ref may be a branch or tag name — resolve to SHA. - if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then - deploy_sha=$(git rev-parse HEAD) - else - deploy_sha="${{ github.event.workflow_run.head_sha }}" - fi - repo="${GCP_REGION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}" - echo "bot_image=${repo}/bot:${deploy_sha}" >> "$GITHUB_OUTPUT" - echo "mini_image=${repo}/miniapp:${deploy_sha}" >> "$GITHUB_OUTPUT" - echo "deploy_sha=${deploy_sha}" >> "$GITHUB_OUTPUT" - - - name: Check for newer commits - id: check-newer - if: github.event_name == 'workflow_run' - run: | - git fetch origin "${{ github.event.workflow_run.head_branch }}" - latest_sha=$(git rev-parse "origin/${{ github.event.workflow_run.head_branch }}") - deploy_sha="${{ steps.images.outputs.deploy_sha }}" - - if [[ "$latest_sha" != "$deploy_sha" ]]; then - echo "::notice::Newer commit ($latest_sha) found on branch. Skipping deployment of $deploy_sha to avoid race conditions." - echo "skip=true" >> "$GITHUB_OUTPUT" - else - echo "skip=false" >> "$GITHUB_OUTPUT" - fi + echo "bot_image=${repo}/bot:latest" >> "$GITHUB_OUTPUT" + echo "mini_image=${repo}/miniapp:latest" >> "$GITHUB_OUTPUT" - name: Load Telegram bot token for command sync id: telegram-token - if: steps.check-newer.outputs.skip != 'true' run: | set +e token="$(gcloud secrets versions access latest \ @@ -220,7 +234,6 @@ jobs: } >> "$GITHUB_OUTPUT" - name: Deploy bot service - if: steps.check-newer.outputs.skip != 'true' run: | gcloud run deploy "household-${SERVICE_SUFFIX}-bot-api" \ --image "${{ steps.images.outputs.bot_image }}" \ 
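Review bot: Dropping the `Check for newer commits` step removes the only visible guard against out-of-order runs. The `images` job moves `:latest` on every run, so an older `workflow_run` that finishes after a newer one would leave production on the older commit. If the workflow has no `concurrency` block outside these hunks, add one at workflow level, for example `concurrency: { group: cd-production, cancel-in-progress: false }`, so that build and deploy are serialised per environment. A short comment in `Resolve image tags` saying that the tag is expected to have been pushed by the `images` job of the same run would also document the coupling between the two jobs.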
@@ -231,7 +244,6 @@ jobs: --quiet - name: Route traffic to latest bot revision - if: steps.check-newer.outputs.skip != 'true' run: | gcloud run services update-traffic "household-${SERVICE_SUFFIX}-bot-api" \ --region "${GCP_REGION}" \ @@ -240,7 +252,6 @@ jobs: --quiet - name: Deploy mini app service - if: steps.check-newer.outputs.skip != 'true' run: | gcloud run deploy "household-${SERVICE_SUFFIX}-mini-app" \ --image "${{ steps.images.outputs.mini_image }}" \ @@ -250,7 +261,6 @@ jobs: --quiet - name: Route traffic to latest mini app revision - if: steps.check-newer.outputs.skip != 'true' run: | gcloud run services update-traffic "household-${SERVICE_SUFFIX}-mini-app" \ --region "${GCP_REGION}" \ @@ -259,19 +269,15 @@ jobs: --quiet - name: Sync Telegram commands - if: ${{ steps.telegram-token.outputs.available == 'true' && steps.check-newer.outputs.skip != 'true' }} + if: ${{ steps.telegram-token.outputs.available == 'true' }} env: TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }} run: bun run ops:telegram:commands set - name: Load webhook secret id: webhook-secret - if: steps.check-newer.outputs.skip != 'true' run: | secret_name="telegram-webhook-secret" - if [[ "${SERVICE_SUFFIX}" == "dev" ]]; then - secret_name="telegram-webhook-secret-test" - fi echo "Loading secret: ${secret_name}" secret="$(gcloud secrets versions access latest \ @@ -282,7 +288,7 @@ jobs: echo "secret=${secret}" >> "$GITHUB_OUTPUT" - name: Set Telegram Webhook - if: ${{ !cancelled() && steps.telegram-token.outputs.available == 'true' && steps.check-newer.outputs.skip != 'true' }} + if: ${{ !cancelled() && steps.telegram-token.outputs.available == 'true' }} env: TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }} TELEGRAM_WEBHOOK_SECRET: ${{ steps.webhook-secret.outputs.secret }} 
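Review bot: `echo "secret=${secret}" >> "$GITHUB_OUTPUT"` in `Load webhook secret` hands the webhook secret to later steps as a step output, and the lines that might emit an `::add-mask::` for it fall between the hunks and are not visible here. If the value is not masked, add `echo "::add-mask::${secret}"` before writing the output, or fetch the secret inside the step that consumes it instead of passing it through outputs. The same check applies to `steps.telegram-token.outputs.token`, which is written to `$GITHUB_OUTPUT` in the `Load Telegram bot token for command sync` step.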
@@ -302,7 +308,7 @@ jobs: bun run ops:telegram:webhook set - name: Verify Telegram Webhook - if: ${{ steps.telegram-token.outputs.available == 'true' && steps.check-newer.outputs.skip != 'true' }} + if: ${{ steps.telegram-token.outputs.available == 'true' }} env: TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }} run: | diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9cc574a..980489f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,11 +4,9 @@ on: push: branches: - main - - dev pull_request: branches: - main - - dev permissions: contents: read 
@@ -119,63 +117,6 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max - images-push: - name: Docker / build & push ${{ matrix.service }} - if: github.event_name == 'push' - runs-on: ubuntu-latest - timeout-minutes: 20 - environment: ${{ github.ref_name == 'main' && 'Production' || 'Development' }} - strategy: - fail-fast: false - matrix: - service: - - bot - - miniapp - permissions: - contents: read - id-token: write - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Authenticate to Google Cloud - uses: google-github-actions/auth@v2 - with: - workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ vars.GCP_SERVICE_ACCOUNT }} - - - name: Configure Artifact Registry auth - run: | - gcloud auth configure-docker "${{ vars.GCP_REGION || 'europe-west1' }}-docker.pkg.dev" --quiet - - - name: Resolve image name - id: image - env: - GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }} - ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }} - run: | - repo="${GCP_REGION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}" - echo "name=${repo}/${{ matrix.service }}:${GITHUB_SHA}" >> "$GITHUB_OUTPUT" - echo "cache_ref=${repo}/${{ matrix.service }}:cache" >> "$GITHUB_OUTPUT" - echo "latest=${repo}/${{ matrix.service }}:latest" >> "$GITHUB_OUTPUT" - - - name: Build and push - uses: docker/build-push-action@v6 - with: - context: . - file: apps/${{ matrix.service }}/Dockerfile - push: true - tags: | - ${{ steps.image.outputs.name }} - ${{ steps.image.outputs.latest }} - platforms: linux/amd64 - provenance: false - cache-from: type=registry,ref=${{ steps.image.outputs.cache_ref }} - cache-to: type=registry,ref=${{ steps.image.outputs.cache_ref }},mode=max - # Gate job: CD triggers on this workflow's conclusion. 
# By depending on all jobs, a failure in any job marks CI as failed, # which causes CD's `workflow_run` trigger to see conclusion != 'success' @@ -183,7 +124,7 @@ jobs: ci: name: CI complete runs-on: ubuntu-latest - needs: [quality, terraform, images-pr, images-push] + needs: [quality, terraform, images-pr] if: always() steps: - name: Check all jobs passed @@ -193,7 +134,7 @@ jobs: failed=false for result in $(echo "$results" | jq -r '.[].result'); do - # 'skipped' is expected — images-pr skips on push, images-push skips on PR + # 'skipped' is expected — images-pr skips on push if [[ "$result" != "success" && "$result" != "skipped" ]]; then echo "Job failed with result: $result" failed=true