mirror of
https://github.com/whekin/household-bot.git
synced 2026-03-31 18:54:03 +00:00
367 lines
13 KiB
YAML
367 lines
13 KiB
YAML
name: CD / GCP
|
|
|
|
on:
|
|
workflow_run:
|
|
workflows:
|
|
- CI
|
|
types:
|
|
- completed
|
|
branches:
|
|
- main
|
|
workflow_dispatch:
|
|
inputs:
|
|
environment:
|
|
description: 'Target environment'
|
|
required: true
|
|
default: 'prod'
|
|
type: choice
|
|
options:
|
|
- prod
|
|
ref:
|
|
description: 'Git ref to deploy (branch, tag, or SHA)'
|
|
required: true
|
|
default: 'main'
|
|
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
|
|
concurrency:
|
|
group: cd-${{ github.event_name == 'workflow_dispatch' && inputs.environment || github.ref_name }}
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
detect-environment:
|
|
name: Detect environment
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
target_env: ${{ steps.detect.outputs.target_env }}
|
|
github_environment: ${{ steps.detect.outputs.github_environment }}
|
|
db_schema: ${{ steps.detect.outputs.db_schema }}
|
|
service_suffix: ${{ steps.detect.outputs.service_suffix }}
|
|
ref: ${{ steps.detect.outputs.ref }}
|
|
|
|
steps:
|
|
- name: Determine target environment
|
|
id: detect
|
|
run: |
|
|
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
|
|
target_env="${{ inputs.environment }}"
|
|
ref="${{ inputs.ref }}"
|
|
else
|
|
target_env="prod"
|
|
ref="${{ github.event.workflow_run.head_sha }}"
|
|
fi
|
|
|
|
github_environment="Production"
|
|
db_schema="public"
|
|
service_suffix="prod"
|
|
|
|
echo "target_env=$target_env" >> "$GITHUB_OUTPUT"
|
|
echo "github_environment=$github_environment" >> "$GITHUB_OUTPUT"
|
|
echo "db_schema=$db_schema" >> "$GITHUB_OUTPUT"
|
|
echo "service_suffix=$service_suffix" >> "$GITHUB_OUTPUT"
|
|
echo "ref=$ref" >> "$GITHUB_OUTPUT"
|
|
|
|
echo "Target environment: $target_env"
|
|
echo "GitHub Environment: $github_environment"
|
|
echo "DB Schema: $db_schema"
|
|
echo "Service Suffix: $service_suffix"
|
|
echo "Deploy ref: $ref"
|
|
|
|
check-secrets:
|
|
name: Check deploy prerequisites
|
|
runs-on: ubuntu-latest
|
|
needs: detect-environment
|
|
environment: ${{ needs.detect-environment.outputs.github_environment }}
|
|
outputs:
|
|
eligible_event: ${{ steps.check.outputs.eligible_event }}
|
|
secrets_ok: ${{ steps.check.outputs.secrets_ok }}
|
|
db_secret_ok: ${{ steps.check.outputs.db_secret_ok }}
|
|
|
|
steps:
|
|
- name: Evaluate trigger and required secrets
|
|
id: check
|
|
env:
|
|
GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
|
|
GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
|
|
GCP_SERVICE_ACCOUNT: ${{ vars.GCP_SERVICE_ACCOUNT }}
|
|
DATABASE_URL: ${{ secrets.DATABASE_URL }}
|
|
run: |
|
|
eligible_event=false
|
|
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
|
|
eligible_event=true
|
|
elif [[ "${{ github.event_name }}" == "workflow_run" && "${{ github.event.workflow_run.conclusion }}" == "success" ]]; then
|
|
eligible_event=true
|
|
fi
|
|
|
|
vars_ok=false
|
|
if [[ -n "$GCP_PROJECT_ID" && -n "$GCP_WORKLOAD_IDENTITY_PROVIDER" && -n "$GCP_SERVICE_ACCOUNT" ]]; then
|
|
vars_ok=true
|
|
fi
|
|
|
|
db_secret_ok=false
|
|
if [[ -n "$DATABASE_URL" ]]; then
|
|
db_secret_ok=true
|
|
fi
|
|
|
|
echo "eligible_event=$eligible_event" >> "$GITHUB_OUTPUT"
|
|
echo "secrets_ok=$vars_ok" >> "$GITHUB_OUTPUT"
|
|
echo "db_secret_ok=$db_secret_ok" >> "$GITHUB_OUTPUT"
|
|
|
|
image-bot:
|
|
name: Docker / build & push bot
|
|
runs-on: ubuntu-latest
|
|
needs: [detect-environment, check-secrets]
|
|
timeout-minutes: 30
|
|
if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' && needs.detect-environment.outputs.target_env == 'prod' }}
|
|
environment: Production
|
|
outputs:
|
|
image_repo: ${{ steps.image.outputs.repo }}
|
|
image_digest: ${{ steps.build.outputs.digest }}
|
|
steps:
|
|
- name: Checkout deployment ref
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ needs.detect-environment.outputs.ref }}
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Authenticate to Google Cloud
|
|
uses: google-github-actions/auth@v2
|
|
with:
|
|
workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
|
|
service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
|
|
|
|
- name: Configure Artifact Registry auth
|
|
run: |
|
|
gcloud auth configure-docker "${{ vars.GCP_REGION || 'europe-west1' }}-docker.pkg.dev" --quiet
|
|
|
|
- name: Resolve image name
|
|
id: image
|
|
env:
|
|
GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
|
|
ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
|
|
run: |
|
|
repo="${GCP_REGION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}"
|
|
echo "repo=${repo}/bot" >> "$GITHUB_OUTPUT"
|
|
echo "name=${repo}/bot:latest" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Build and push
|
|
id: build
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: apps/bot/Dockerfile
|
|
push: true
|
|
tags: ${{ steps.image.outputs.name }}
|
|
platforms: linux/amd64
|
|
provenance: false
|
|
|
|
image-miniapp:
|
|
name: Docker / build & push miniapp
|
|
runs-on: ubuntu-latest
|
|
needs: [detect-environment, check-secrets]
|
|
timeout-minutes: 30
|
|
if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' && needs.detect-environment.outputs.target_env == 'prod' }}
|
|
environment: Production
|
|
outputs:
|
|
image_repo: ${{ steps.image.outputs.repo }}
|
|
image_digest: ${{ steps.build.outputs.digest }}
|
|
steps:
|
|
- name: Checkout deployment ref
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ needs.detect-environment.outputs.ref }}
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Authenticate to Google Cloud
|
|
uses: google-github-actions/auth@v2
|
|
with:
|
|
workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
|
|
service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
|
|
|
|
- name: Configure Artifact Registry auth
|
|
run: |
|
|
gcloud auth configure-docker "${{ vars.GCP_REGION || 'europe-west1' }}-docker.pkg.dev" --quiet
|
|
|
|
- name: Resolve image name
|
|
id: image
|
|
env:
|
|
GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
|
|
ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
|
|
run: |
|
|
repo="${GCP_REGION}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}"
|
|
echo "repo=${repo}/miniapp" >> "$GITHUB_OUTPUT"
|
|
echo "name=${repo}/miniapp:latest" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Build and push
|
|
id: build
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: apps/miniapp/Dockerfile
|
|
push: true
|
|
tags: ${{ steps.image.outputs.name }}
|
|
platforms: linux/amd64
|
|
provenance: false
|
|
|
|
deploy:
|
|
name: Deploy Cloud Run
|
|
runs-on: ubuntu-latest
|
|
needs: [detect-environment, check-secrets, image-bot, image-miniapp]
|
|
timeout-minutes: 30
|
|
if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' && needs.detect-environment.outputs.target_env == 'prod' }}
|
|
environment: ${{ needs.detect-environment.outputs.github_environment }}
|
|
env:
|
|
GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
|
|
ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
|
|
SERVICE_SUFFIX: ${{ needs.detect-environment.outputs.service_suffix }}
|
|
DB_SCHEMA: ${{ needs.detect-environment.outputs.db_schema }}
|
|
BOT_SECRET_ID: ${{ vars.TELEGRAM_BOT_TOKEN_SECRET_ID }}
|
|
|
|
steps:
|
|
- name: Checkout deployment ref
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ needs.detect-environment.outputs.ref }}
|
|
|
|
- name: Setup Bun
|
|
uses: oven-sh/setup-bun@v2
|
|
with:
|
|
bun-version-file: .bun-version
|
|
|
|
- name: Install dependencies
|
|
run: bun install --frozen-lockfile
|
|
|
|
- name: Authenticate to Google Cloud
|
|
uses: google-github-actions/auth@v2
|
|
with:
|
|
workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
|
|
service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
|
|
|
|
- name: Run database migrations
|
|
env:
|
|
DATABASE_URL: ${{ secrets.DATABASE_URL }}
|
|
DB_SCHEMA: ${{ needs.detect-environment.outputs.db_schema }}
|
|
run: bun run db:migrate
|
|
|
|
- name: Setup gcloud
|
|
uses: google-github-actions/setup-gcloud@v2
|
|
|
|
- name: Resolve image digests
|
|
id: images
|
|
run: |
|
|
echo "bot_image=${{ needs.image-bot.outputs.image_repo }}@${{ needs.image-bot.outputs.image_digest }}" >> "$GITHUB_OUTPUT"
|
|
echo "mini_image=${{ needs.image-miniapp.outputs.image_repo }}@${{ needs.image-miniapp.outputs.image_digest }}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Load Telegram bot token for command sync
|
|
id: telegram-token
|
|
run: |
|
|
set +e
|
|
token="$(gcloud secrets versions access latest \
|
|
--secret "${BOT_SECRET_ID}" \
|
|
--project "${{ vars.GCP_PROJECT_ID }}" 2>/dev/null)"
|
|
status=$?
|
|
set -e
|
|
|
|
if [[ $status -ne 0 || -z "$token" ]]; then
|
|
echo "available=false" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
|
|
echo "::add-mask::$token"
|
|
{
|
|
echo "available=true"
|
|
echo "token<<EOF"
|
|
echo "$token"
|
|
echo "EOF"
|
|
} >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Deploy bot service
|
|
id: bot-api
|
|
run: |
|
|
gcloud run deploy "household-${SERVICE_SUFFIX}-bot-api" \
|
|
--image "${{ steps.images.outputs.bot_image }}" \
|
|
--region "${GCP_REGION}" \
|
|
--project "${{ vars.GCP_PROJECT_ID }}" \
|
|
--allow-unauthenticated \
|
|
--quiet
|
|
|
|
echo "url=$(gcloud run services describe "household-${SERVICE_SUFFIX}-bot-api" --region "${GCP_REGION}" --project "${{ vars.GCP_PROJECT_ID }}" --format 'value(status.url)')" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Route traffic to latest bot revision
|
|
run: |
|
|
gcloud run services update-traffic "household-${SERVICE_SUFFIX}-bot-api" \
|
|
--region "${GCP_REGION}" \
|
|
--project "${{ vars.GCP_PROJECT_ID }}" \
|
|
--to-latest \
|
|
--quiet
|
|
|
|
- name: Deploy mini app service
|
|
run: |
|
|
gcloud run deploy "household-${SERVICE_SUFFIX}-mini-app" \
|
|
--image "${{ steps.images.outputs.mini_image }}" \
|
|
--region "${GCP_REGION}" \
|
|
--project "${{ vars.GCP_PROJECT_ID }}" \
|
|
--allow-unauthenticated \
|
|
--quiet
|
|
|
|
- name: Route traffic to latest mini app revision
|
|
run: |
|
|
gcloud run services update-traffic "household-${SERVICE_SUFFIX}-mini-app" \
|
|
--region "${GCP_REGION}" \
|
|
--project "${{ vars.GCP_PROJECT_ID }}" \
|
|
--to-latest \
|
|
--quiet
|
|
|
|
- name: Sync Telegram commands
|
|
if: ${{ steps.telegram-token.outputs.available == 'true' }}
|
|
env:
|
|
TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
|
|
run: bun run ops:telegram:commands set
|
|
|
|
- name: Load webhook secret
|
|
id: webhook-secret
|
|
run: |
|
|
secret_name="telegram-webhook-secret"
|
|
|
|
echo "Loading secret: ${secret_name}"
|
|
secret="$(gcloud secrets versions access latest \
|
|
--secret "${secret_name}" \
|
|
--project "${{ vars.GCP_PROJECT_ID }}")"
|
|
|
|
echo "::add-mask::$secret"
|
|
echo "secret=${secret}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Set Telegram Webhook
|
|
if: ${{ !cancelled() && steps.telegram-token.outputs.available == 'true' }}
|
|
env:
|
|
TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
|
|
TELEGRAM_WEBHOOK_SECRET: ${{ steps.webhook-secret.outputs.secret }}
|
|
run: |
|
|
if [[ -z "$TELEGRAM_WEBHOOK_SECRET" ]]; then
|
|
echo "ERROR: TELEGRAM_WEBHOOK_SECRET is not set"
|
|
exit 1
|
|
fi
|
|
|
|
SERVICE_URL=$(gcloud run services describe "household-${SERVICE_SUFFIX}-bot-api" \
|
|
--region "${GCP_REGION}" \
|
|
--project "${{ vars.GCP_PROJECT_ID }}" \
|
|
--format 'value(status.url)')
|
|
|
|
export TELEGRAM_WEBHOOK_URL="$SERVICE_URL/webhook/telegram"
|
|
echo "Setting webhook to: $TELEGRAM_WEBHOOK_URL"
|
|
bun run ops:telegram:webhook set
|
|
|
|
- name: Verify Telegram Webhook
|
|
if: ${{ steps.telegram-token.outputs.available == 'true' }}
|
|
env:
|
|
TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
|
|
run: |
|
|
echo "Checking webhook status..."
|
|
bun run ops:telegram:webhook info | jq -r '.url, .last_error_message' || true
|