whekin/household-bot
1
0
Fork 0
mirror of https://github.com/whekin/household-bot.git synced 2026-03-31 15:44:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(ci): remove dev environment, build images in CD

Browse Source
This commit is contained in:
whekin
2026-03-16 06:28:36 +04:00
parent da6bdc3813
commit 64dc3a3813
2 changed files with 67 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
.github/workflows/cd.yml vendored
View File

@@ -8,21 +8,19 @@ on:
- completed
branches:
- main
- dev
workflow_dispatch:
inputs:
environment:
description: 'Target environment'
required: true
default: 'dev'
default: 'prod'
type: choice
options:
- dev
- prod
ref:
description: 'Git ref to deploy (branch, tag, or SHA)'
required: true
default: 'dev'
default: 'main'
permissions:
contents: read
@@ -51,23 +49,13 @@ jobs:
target_env="${{ inputs.environment }}"
ref="${{ inputs.ref }}"
else
if [[ "${{ github.event.workflow_run.head_branch }}" == "main" ]]; then
target_env="prod"
else
target_env="dev"
fi
target_env="prod"
ref="${{ github.event.workflow_run.head_sha }}"
fi
if [[ "$target_env" == "prod" ]]; then
github_environment="Production"
db_schema="public"
service_suffix="prod"
else
github_environment="Development"
db_schema="test"
service_suffix="dev"
fi
github_environment="Production"
db_schema="public"
service_suffix="prod"
echo "target_env=$target_env" >> "$GITHUB_OUTPUT"
echo "github_environment=$github_environment" >> "$GITHUB_OUTPUT"
@@ -121,12 +109,63 @@ jobs:
echo "secrets_ok=$vars_ok" >> "$GITHUB_OUTPUT"
echo "db_secret_ok=$db_secret_ok" >> "$GITHUB_OUTPUT"
deploy:
name: Deploy Cloud Run
images:
name: Docker / build & push
runs-on: ubuntu-latest
needs: [detect-environment, check-secrets]
timeout-minutes: 30
if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' }}
if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' && needs.detect-environment.outputs.target_env == 'prod' }}
environment: Production
strategy:
fail-fast: false
matrix:
service:
- bot
- miniapp
steps:
- name: Checkout deployment ref
uses: actions/checkout@v4
with:
ref: ${{ needs.detect-environment.outputs.ref }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
- name: Configure Artifact Registry auth
run: |
gcloud auth configure-docker "${{ vars.GCP_REGION || 'europe-west1' }}-docker.pkg.dev" --quiet
- name: Resolve image name
id: image
env:
GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
run: |
repo="${GCP_REGION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}"
echo "name=${repo}/${{ matrix.service }}:latest" >> "$GITHUB_OUTPUT"
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
file: apps/${{ matrix.service }}/Dockerfile
push: true
tags: ${{ steps.image.outputs.name }}
platforms: linux/amd64
provenance: false
deploy:
name: Deploy Cloud Run
runs-on: ubuntu-latest
needs: [detect-environment, check-secrets, images]
timeout-minutes: 30
if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' && needs.detect-environment.outputs.target_env == 'prod' }}
environment: ${{ needs.detect-environment.outputs.github_environment }}
env:
GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
@@ -167,37 +206,12 @@ jobs:
- name: Resolve image tags
id: images
run: |
# For workflow_run, use the SHA from the triggering commit (which CI already built & pushed).
# For workflow_dispatch, the user-supplied ref may be a branch or tag name — resolve to SHA.
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
deploy_sha=$(git rev-parse HEAD)
else
deploy_sha="${{ github.event.workflow_run.head_sha }}"
fi
repo="${GCP_REGION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}"
echo "bot_image=${repo}/bot:${deploy_sha}" >> "$GITHUB_OUTPUT"
echo "mini_image=${repo}/miniapp:${deploy_sha}" >> "$GITHUB_OUTPUT"
echo "deploy_sha=${deploy_sha}" >> "$GITHUB_OUTPUT"
- name: Check for newer commits
id: check-newer
if: github.event_name == 'workflow_run'
run: |
git fetch origin "${{ github.event.workflow_run.head_branch }}"
latest_sha=$(git rev-parse "origin/${{ github.event.workflow_run.head_branch }}")
deploy_sha="${{ steps.images.outputs.deploy_sha }}"
if [[ "$latest_sha" != "$deploy_sha" ]]; then
echo "::notice::Newer commit ($latest_sha) found on branch. Skipping deployment of $deploy_sha to avoid race conditions."
echo "skip=true" >> "$GITHUB_OUTPUT"
else
echo "skip=false" >> "$GITHUB_OUTPUT"
fi
echo "bot_image=${repo}/bot:latest" >> "$GITHUB_OUTPUT"
echo "mini_image=${repo}/miniapp:latest" >> "$GITHUB_OUTPUT"
- name: Load Telegram bot token for command sync
id: telegram-token
if: steps.check-newer.outputs.skip != 'true'
run: |
set +e
token="$(gcloud secrets versions access latest \
@@ -220,7 +234,6 @@ jobs:
} >> "$GITHUB_OUTPUT"
- name: Deploy bot service
if: steps.check-newer.outputs.skip != 'true'
run: |
gcloud run deploy "household-${SERVICE_SUFFIX}-bot-api" \
--image "${{ steps.images.outputs.bot_image }}" \
@@ -231,7 +244,6 @@ jobs:
--quiet
- name: Route traffic to latest bot revision
if: steps.check-newer.outputs.skip != 'true'
run: |
gcloud run services update-traffic "household-${SERVICE_SUFFIX}-bot-api" \
--region "${GCP_REGION}" \
@@ -240,7 +252,6 @@ jobs:
--quiet
- name: Deploy mini app service
if: steps.check-newer.outputs.skip != 'true'
run: |
gcloud run deploy "household-${SERVICE_SUFFIX}-mini-app" \
--image "${{ steps.images.outputs.mini_image }}" \
@@ -250,7 +261,6 @@ jobs:
--quiet
- name: Route traffic to latest mini app revision
if: steps.check-newer.outputs.skip != 'true'
run: |
gcloud run services update-traffic "household-${SERVICE_SUFFIX}-mini-app" \
--region "${GCP_REGION}" \
@@ -259,19 +269,15 @@ jobs:
--quiet
- name: Sync Telegram commands
if: ${{ steps.telegram-token.outputs.available == 'true' && steps.check-newer.outputs.skip != 'true' }}
if: ${{ steps.telegram-token.outputs.available == 'true' }}
env:
TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
run: bun run ops:telegram:commands set
- name: Load webhook secret
id: webhook-secret
if: steps.check-newer.outputs.skip != 'true'
run: |
secret_name="telegram-webhook-secret"
if [[ "${SERVICE_SUFFIX}" == "dev" ]]; then
secret_name="telegram-webhook-secret-test"
fi
echo "Loading secret: ${secret_name}"
secret="$(gcloud secrets versions access latest \
@@ -282,7 +288,7 @@ jobs:
echo "secret=${secret}" >> "$GITHUB_OUTPUT"
- name: Set Telegram Webhook
if: ${{ !cancelled() && steps.telegram-token.outputs.available == 'true' && steps.check-newer.outputs.skip != 'true' }}
if: ${{ !cancelled() && steps.telegram-token.outputs.available == 'true' }}
env:
TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
TELEGRAM_WEBHOOK_SECRET: ${{ steps.webhook-secret.outputs.secret }}
@@ -302,7 +308,7 @@ jobs:
bun run ops:telegram:webhook set
- name: Verify Telegram Webhook
if: ${{ steps.telegram-token.outputs.available == 'true' && steps.check-newer.outputs.skip != 'true' }}
if: ${{ steps.telegram-token.outputs.available == 'true' }}
env:
TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
run: |