Skip to content

chore: prod settings #116

chore: prod settings

chore: prod settings #116

Workflow file for this run

name: Build and Test
on:
push:
branches:
- main
- dev
pull_request:
branches:
- main
- dev
concurrency:
group: "${{ github.head_ref || github.ref }}"
cancel-in-progress: true
jobs:
test:
name: Setup and Test
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
show-progress: false
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: pip
cache-dependency-path: setup.py
- name: Install libkrb5 for Kerberos on Linux
run: |
sudo apt-get update
sudo apt-get install -y libkrb5-dev
- name: Install module
run: pip install .[tests]
- name: Test with pytest
run: pytest
deploy-dev:
name: Deploy to Cloud Run (dev)
needs: test
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/dev'
environment:
name: dev
permissions:
id-token: write
contents: read
steps:
- name: ⬇️ Checkout code
uses: actions/checkout@v4
with:
show-progress: false
- name: 🗝️ Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
token_format: "access_token"
- name: 🐳 Set up Docker Buildx
id: builder
uses: docker/setup-buildx-action@v3
- name: 🗝️ Authenticate Docker to Google Cloud
uses: docker/login-action@v3
with:
registry: us-central1-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: 🏷️ Extract tags from GitHub
id: meta
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job
tags: |
type=ref,suffix=-{{sha}},event=branch
type=ref,prefix=pr-,suffix=-{{sha}},event=pr
type=semver,pattern={{version}}
latest
- name: 📦 Build and push image
uses: docker/build-push-action@v6
with:
builder: ${{ steps.builder.outputs.name }}
tags: ${{ steps.meta.outputs.tags }}
context: .
file: ./Dockerfile
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: false
- name: ☁️ Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: 🚀 Deploy to Cloud Run Job
run: |
if [ ! "$(gcloud run jobs list | grep default)" ]; then
gcloud run jobs create default \
--region us-central1 \
--image us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job:latest \
--service-account cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com \
--memory=3Gi \
--cpu=1 \
--max-retries 0 \
--parallelism 0 \
--set-secrets=/secrets/app/secrets.json=skid-secrets:latest \
--task-timeout 3h
else
gcloud run jobs update default \
--region us-central1 \
--image us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job:latest \
--service-account cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com \
--memory=3Gi \
--cpu=1 \
--max-retries 0 \
--parallelism 0 \
--set-secrets=/secrets/app/secrets.json=skid-secrets:latest \
--task-timeout 3h
fi
- name: 🕰️ Create Cloud Scheduler
run: |
if [ ! "$(gcloud scheduler jobs list --location=us-central1 | grep saturday-evening)" ]; then
gcloud scheduler jobs create http saturday-evening \
--description="Trigger the nfhl-skid bot once a week on saturday evening" \
--schedule="0 3 * * 6" \
--time-zone=America/Denver \
--location=us-central1 \
--uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
--oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
else
gcloud scheduler jobs update http saturday-evening \
--description="Trigger the nfhl-skid bot once a week on saturday evening" \
--schedule="0 3 * * 6" \
--time-zone=America/Denver \
--location=us-central1 \
--uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
--oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
fi
deploy-prod:
name: Deploy to Cloud Run (prod)
needs: test
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
environment:
name: prod
permissions:
id-token: write
contents: read
steps:
- name: ⬇️ Checkout code
uses: actions/checkout@v4
with:
show-progress: false
- name: 🗝️ Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
token_format: "access_token"
- name: 🐳 Set up Docker Buildx
id: builder
uses: docker/setup-buildx-action@v3
- name: 🗝️ Authenticate Docker to Google Cloud
uses: docker/login-action@v3
with:
registry: us-central1-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: 🏷️ Extract tags from GitHub
id: meta
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job
tags: |
type=ref,suffix=-{{sha}},event=branch
type=ref,prefix=pr-,suffix=-{{sha}},event=pr
type=semver,pattern={{version}}
latest
- name: 📦 Build and push image
uses: docker/build-push-action@v6
with:
builder: ${{ steps.builder.outputs.name }}
tags: ${{ steps.meta.outputs.tags }}
context: .
file: ./Dockerfile
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: false
- name: ☁️ Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: 🚀 Deploy to Cloud Run Job
run: |
if [ ! "$(gcloud run jobs list | grep default)" ]; then
gcloud run jobs create default \
--region us-central1 \
--image us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job:latest \
--service-account cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com \
--memory=3Gi \
--cpu=1 \
--max-retries 0 \
--parallelism 0 \
--set-secrets=/secrets/app/secrets.json=skid-secrets:latest \
--task-timeout 3h
else
gcloud run jobs update default \
--region us-central1 \
--image us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job:latest \
--service-account cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com \
--memory=3Gi \
--cpu=1 \
--max-retries 0 \
--parallelism 0 \
--set-secrets=/secrets/app/secrets.json=skid-secrets:latest \
--task-timeout 3h
fi
- name: 🕰️ Create Cloud Scheduler
run: |
if [ ! "$(gcloud scheduler jobs list --location=us-central1 | grep saturday-evening)" ]; then
gcloud scheduler jobs create http saturday-evening \
--description="Trigger the nfhl-skid bot once a week on saturday evening" \
--schedule="0 3 * * 6" \
--time-zone=America/Denver \
--location=us-central1 \
--uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
--oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
else
gcloud scheduler jobs update http saturday-evening \
--description="Trigger the nfhl-skid bot once a week on saturday evening" \
--schedule="0 3 * * 6" \
--time-zone=America/Denver \
--location=us-central1 \
--uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
--oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
fi