[build] Allow on detached HEAD (#3446) #765
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Deploy Update to QA Server" | |
on: | |
push: | |
branches: [master] | |
permissions: | |
contents: read | |
jobs: | |
build: | |
strategy: | |
matrix: | |
component: [frontend, backend, maintenance, database] | |
runs-on: ubuntu-22.04 | |
outputs: | |
image_tag: ${{ steps.build_combine.outputs.image_tag }} | |
steps: | |
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on | |
# configuring harden-runner and identifying allowed endpoints. | |
- name: Harden Runner | |
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
*.actions.githubusercontent.com:443 | |
*.data.mcr.microsoft.com:443 | |
${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com | |
api.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443 | |
api.github.com:443 | |
api.nuget.org:443 | |
archive.ubuntu.com:80 | |
auth.docker.io:443 | |
codecov.io:443 | |
dc.services.visualstudio.com:443 | |
deb.debian.org:80 | |
docker.io:443 | |
dotnetcli.azureedge.net:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
mcr.microsoft.com:443 | |
production.cloudflare.docker.com:443 | |
pypi.org:443 | |
registry-1.docker.io:443 | |
registry.npmjs.org:443 | |
security.debian.org:80 | |
security.ubuntu.com:80 | |
storage.googleapis.com:443 | |
sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443 | |
uploader.codecov.io:443 | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- name: Build The Combine | |
id: build_combine | |
uses: ./.github/actions/combine-build | |
with: | |
image_registry: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com | |
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws_default_region: ${{ secrets.AWS_DEFAULT_REGION }} | |
build_component: ${{ matrix.component }} | |
clean_ecr_repo: | |
needs: build | |
runs-on: ubuntu-22.04 | |
steps: | |
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on | |
# configuring harden-runner and identifying allowed endpoints. | |
- name: Harden Runner | |
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
*.actions.githubusercontent.com:443 | |
api.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443 | |
github.com:443 | |
sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443 | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ secrets.AWS_DEFAULT_REGION }} | |
- name: Remove old AWS ECR images | |
# Remove all images for previous version numbers. | |
# Example: for tag beginning with v1.2.5-, remove all images with tag v1.2.4-* | |
# Example: for tag beginning with v2.4.0-, remove all images with tag v2.3.* | |
run: | | |
TAG=${{ needs.build.outputs.image_tag }} | |
if [[ $TAG =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)-.* ]]; then | |
VA=${BASH_REMATCH[1]}; VB=${BASH_REMATCH[2]}; VC=${BASH_REMATCH[3]} | |
if [[ $VC > 0 ]]; then REM="v${VA}\.${VB}\.$((VC - 1))-.*" | |
elif [[ $VB > 0 ]]; then REM="v${VA}\.$((VB - 1))\..*" | |
else REM="v$((VA - 1))\..*"; fi | |
scripts/clean_aws_repo.py combine_frontend combine_backend combine_maint combine_database --remove "${REM}" --verbose | |
fi | |
deploy_update: | |
needs: build | |
# Only push to the QA server when built on the master branch | |
if: ${{ github.ref_name == 'master' }} | |
runs-on: [self-hosted, thecombine] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Deploy The Combine Update | |
uses: ./.github/actions/combine-deploy-update | |
with: | |
image_registry: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com | |
image_tag: ${{ needs.build.outputs.image_tag }} | |
kube_context: ${{ secrets.LTOPS_K8S_STAGING_CONTEXT }} | |
kubectl_version: ${{ vars.KUBECTL_VERSION }} | |
update_cert_proxy: false |