jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-30 03:01:36 -05:00
Code Issues Projects Releases Wiki Activity

Docker image deploy to Heroku (#21248)

Browse Source 
* Start parallel Docker image deploy workflows

Co-authored-by: Mike Surowiec <mikesurowiec@users.noreply.github.com>
Co-authored-by: James M. Greene <JamesMGreene@users.noreply.github.com>

* Add early access content build stage

Co-authored-by: Mike Surowiec <mikesurowiec@users.noreply.github.com>

* Create Heroku App script and workflow steps

* Tag the image for Heroku

* Push the image and grab the image ID

* Set app name and image id outputs

* Add parallel deploy script for Docker

* Scope workflow run to 'docker-' and release image to Heroku

* Update .github/workflows/staging-build-pr-docker.yml

Co-authored-by: James M. Greene <JamesMGreene@github.com>

* Exclude Docker workflow

* Cleanup Docker deploys

* Use action sha

Co-authored-by: Mike Surowiec <mikesurowiec@users.noreply.github.com>
Co-authored-by: James M. Greene <JamesMGreene@users.noreply.github.com>
Co-authored-by: James M. Greene <JamesMGreene@github.com>
This commit is contained in:
Robert Sese
2021-09-03 11:34:48 -05:00
committed by GitHub
parent d8b4383dc6
commit cbfba14ac1
8 changed files with 1074 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
.github/workflows/staging-build-pr-docker.yml vendored Normal file
View File

@@ -0,0 +1,94 @@
name: Staging - Build PR Docker
# **What it does**: Builds PRs before deploying them.
# **Why we have it**: Because it's not safe to share our deploy secrets with forked repos: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
# **Who does it impact**: All contributors.
on:
pull_request:
types:
- opened
- reopened
- synchronize
- unlocked
branches:
- 'docker-*'
jobs:
build:
if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }}
name: Build
runs-on: ubuntu-latest
timeout-minutes: 5
concurrency:
group: staging_${{ github.head_ref }}
cancel-in-progress: true
steps:
- name: Check out repo
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
# Make sure only approved files are changed if it's in github/docs
- name: Check changed files
if: github.repository == 'github/docs' && github.event.pull_request.user.login != 'Octomerger'
uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58
id: filter
with:
# Base branch used to get changed files
base: 'main'
# Enables setting an output in the format in `${FILTER_NAME}_files
# with the names of the matching files formatted as JSON array
list-files: json
# Returns list of changed files matching each filter
filters: |
notAllowed:
- '*.mjs'
- '*.ts'
- '*.tsx'
- '*.json'
- 'Dockerfile*'
# When there are changes to files we can't accept
- name: 'Fail when not allowed files are changed'
if: ${{ steps.filter.outputs.notAllowed }}
run: exit 1
- name: Create an archive
run: |
tar -cf app.tar \
assets/ \
content/ \
stylesheets/ \
pages/ \
data/ \
includes/ \
lib/ \
middleware/ \
translations/ \
server.mjs \
package*.json \
.npmrc \
feature-flags.json \
next.config.js \
tsconfig.json \
next-env.d.ts \
Dockerfile
# Upload only the files needed to run + build this application.
# We are not willing to trust the rest (e.g. script/) for the remainder
# of the deployment process.
- name: Upload build artifact
uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
with:
name: pr_build_docker
path: app.tar
- name: Send Slack notification if workflow fails
uses: someimportantcompany/github-actions-slack-message@0b470c14b39da4260ed9e3f9a4f1298a74ccdefd
if: ${{ failure() }}
with:
channel: ${{ secrets.DOCS_STAGING_DEPLOYMENT_FAILURES_SLACK_CHANNEL_ID }}
bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
color: failure
text: Staging build (docker) failed for PR ${{ github.event.pull_request.html_url }} at commit ${{ github.sha }}. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

312
.github/workflows/staging-deploy-pr-docker.yml vendored Normal file
View File

@@ -0,0 +1,312 @@
name: Staging - Deploy PR Docker
# **What it does**: To deploy PRs to a Heroku staging environment.
# **Why we have it**: To deploy with high visibility in case of failures.
# **Who does it impact**: All contributors.
on:
workflow_run:
workflows:
- 'Staging - Build PR Docker'
types:
- completed
env:
EARLY_ACCESS_SCRIPT_PATH: script/early-access/clone-for-build.js
EARLY_ACCESS_SUPPORT_FILES: script/package.json
# In this specific workflow relationship, the `github.event.workflow_run.pull_requests`
# array will always contain only 1 item! Specifically, it will contain the PR associated
# with the `github.event.workflow_run.head_branch` that triggered the preceding
# `pull_request` event that triggered the "Staging - Build PR" workflow.
PR_URL: ${{ github.event.workflow_run.repository.html_url }}/pull/${{ github.event.workflow_run.pull_requests[0].number }}
jobs:
prepare:
if: >-
${{
github.event.workflow_run.conclusion == 'success' &&
(github.repository == 'github/docs-internal' || github.repository == 'github/docs') &&
startsWith(github.event.workflow_run.head_branch, 'docker-')
}}
runs-on: ubuntu-latest
timeout-minutes: 5
concurrency:
group: staging_${{ github.event.workflow_run.head_branch }}
cancel-in-progress: true
outputs:
source_blob_url: ${{ steps.build-source.outputs.download_url }}
app_name: ${{ steps.create-app.outputs.app_name}}
docker_image_id: ${{ steps.image-id.outputs.image_id}}
steps:
- name: Dump event context
env:
GITHUB_EVENT_CONTEXT: ${{ toJSON(github.event) }}
run: echo "$GITHUB_EVENT_CONTEXT"
- name: Download build artifact
uses: dawidd6/action-download-artifact@b9571484721e8187f1fd08147b497129f8972c74
with:
workflow: ${{ github.event.workflow_run.workflow_id }}
run_id: ${{ github.event.workflow_run.id }}
name: pr_build_docker
path: ./
- name: Show contents
run: ls -l
- name: Extract the archive
run: |
tar -xf app.tar -C ./
rm app.tar
- name: Show contents again
run: ls -l
- if: ${{ github.repository == 'github/docs-internal' }}
name: Setup node to clone early access
uses: actions/setup-node@38d90ce44d5275ad62cc48384b3d8a58c500bb5f
with:
node-version: 16.x
cache: npm
- if: ${{ github.repository == 'github/docs-internal' }}
name: Download the script to clone early access
uses: Bhacaz/checkout-files@c8f01756bfd894ba746d5bf48205e19000b0742b
with:
files: ${{ env.EARLY_ACCESS_SCRIPT_PATH }} ${{ env.EARLY_ACCESS_SUPPORT_FILES }}
token: ${{ secrets.GITHUB_TOKEN }}
# Add any dependencies that are needed for this workflow below
- if: ${{ github.repository == 'github/docs-internal' }}
name: Install temporary development-only dependencies
run: npm install --no-save rimraf dotenv
- if: ${{ github.repository == 'github/docs-internal' }}
name: Clone early access
run: node ${{ env.EARLY_ACCESS_SCRIPT_PATH }}
env:
DOCUBOT_REPO_PAT: ${{ secrets.DOCUBOT_REPO_PAT }}
GIT_BRANCH: ${{ github.event.workflow_run.head_branch }}
# Remove any dependencies installed for this workflow below
# - if: ${{ github.repository == 'github/docs-internal' }}
# name: Remove development-only dependencies
# run: npm prune --production
- if: ${{ github.repository == 'github/docs-internal' }}
name: Delete the script directory after cloning early access
run: rm -rf script/
# - name: Create a gzipped archive
# run: |
# touch app.tar.gz
# tar --exclude=app.tar.gz -czf app.tar.gz ./
# - name: Install Heroku client development-only dependency
# run: npm install --no-save heroku-client
# - name: Create a Heroku build source
# id: build-source
# uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
# env:
# HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}
# with:
# script: |
# const { owner, repo } = context.repo
# if (owner !== 'github') {
# throw new Error(`Repository owner must be 'github' but was: ${owner}`)
# }
# if (repo !== 'docs-internal' && repo !== 'docs') {
# throw new Error(`Repository name must be either 'docs-internal' or 'docs' but was: ${repo}`)
# }
# const Heroku = require('heroku-client')
# const heroku = new Heroku({ token: process.env.HEROKU_API_TOKEN })
# const { source_blob: sourceBlob } = await heroku.post('/sources')
# const { put_url: uploadUrl, get_url: downloadUrl } = sourceBlob
# core.setOutput('upload_url', uploadUrl)
# core.setOutput('download_url', downloadUrl)
# # See: https://devcenter.heroku.com/articles/build-and-release-using-the-api#sources-endpoint
# - name: Upload to the Heroku build source
# run: |
# curl '${{ steps.build-source.outputs.upload_url }}' \
# -X PUT \
# -H 'Content-Type:' \
# --data-binary @app.tar.gz
- name: Install one-off development-only dependencies
run: npm install --no-save --include=optional esm
- name: Create app
id: create-app
uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
with:
script: |
const esm = require('esm')
require = esm({})
const { default: createApp } = require('./scripts/create-app.js')
const { default: parsePrUrl } = require('./scripts/parse-pr-url.js')
// This helper uses the `GITHUB_TOKEN` implicitly!
// We're using our usual version of Octokit vs. the provided `github`
// instance to avoid versioning discrepancies.
const octokit = getOctokit()
try {
const { owner, repo, pullNumber } = parsePrUrl(process.env.PR_URL)
if (!owner || !repo || !pullNumber) {
throw new Error(`'pullRequestUrl' input must match URL format 'https://github.com/github/(docs|docs-internal)/pull/123' but was '${PR_URL}'`)
}
const { data: pullRequest } = await octokit.pulls.get({
owner,
repo,
pull_number: pullNumber
})
const appName = await createApp(pullRequest)
core.setOutput('app_name', appName)
} catch(err) {
console.log(`Failed to create app: ${err}`)
throw(err)
}
- name: Build, tag, push, and release the Docker image
env:
HEROKU_API_KEY: ${{ secrets.HEROKU_TOKEN }}
run: |
docker image build --target production_early_access -t registry.heroku.com/${{ steps.create-app.outputs.app_name}}/web .
heroku container:login
docker push registry.heroku.com/${{ steps.create-app.outputs.app_name }}/web
heroku container:release web --app=${{ steps.create-app.outputs.app_name }}
# https://devcenter.heroku.com/articles/container-registry-and-runtime#getting-a-docker-image-id
- name: Get Docker Image ID
id: image-id
run: |
echo "::set-output name=image_id::$(docker image inspect registry.heroku.com/${{ steps.create-app.outputs.app_name }}/web --format={{.Id}})"
exit 1 # Stop at this point, don't move on to prepare job
# TODO - heroku stuff
# - create a release based on the image
- name: Send Slack notification if workflow fails
uses: someimportantcompany/github-actions-slack-message@0b470c14b39da4260ed9e3f9a4f1298a74ccdefd
if: ${{ failure() }}
with:
channel: ${{ secrets.DOCS_STAGING_DEPLOYMENT_FAILURES_SLACK_CHANNEL_ID }}
bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
color: failure
text: Staging preparation (docker) failed for PR ${{ env.PR_URL }} at commit ${{ github.sha }}. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
deploy:
needs: prepare
runs-on: ubuntu-latest
timeout-minutes: 10
concurrency:
group: staging_${{ github.event.workflow_run.head_branch }}
cancel-in-progress: true
steps:
- name: Check out repo's default branch
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Setup node
uses: actions/setup-node@38d90ce44d5275ad62cc48384b3d8a58c500bb5f
with:
node-version: 16.x
cache: npm
- name: Install dependencies
run: npm ci
- name: Install one-off development-only dependencies
run: npm install --no-save --include=optional esm
- name: Deploy
id: deploy
uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HEROKU_API_TOKEN: ${{ secrets.HEROKU_API_TOKEN }}
HYDRO_ENDPOINT: ${{ secrets.HYDRO_ENDPOINT }}
HYDRO_SECRET: ${{ secrets.HYDRO_SECRET }}
PR_URL: ${{ env.PR_URL }}
SOURCE_BLOB_URL: ${{ needs.prepare.outputs.source_blob_url }}
APP_NAME: ${{ needs.prepare.outputs.app_name }}
DOCKER_IMAGE_ID: ${{ needs.prepare.outputs.docker_image_id }}
with:
script: |
const { GITHUB_TOKEN, HEROKU_API_TOKEN } = process.env
// Exit if GitHub Actions PAT is not found
if (!GITHUB_TOKEN) {
throw new Error('You must supply a GITHUB_TOKEN environment variable!')
}
// Exit if Heroku API token is not found
if (!HEROKU_API_TOKEN) {
throw new Error('You must supply a HEROKU_API_TOKEN environment variable!')
}
// Workaround to allow us to load ESM files with `require(...)`
const esm = require('esm')
require = esm({})
const { default: parsePrUrl } = require('./script/deployment/parse-pr-url')
const { default: getOctokit } = require('./script/helpers/github')
const { default: deployToStaging } = require('./script/deployment/deploy-to-staging-docker')
// This helper uses the `GITHUB_TOKEN` implicitly!
// We're using our usual version of Octokit vs. the provided `github`
// instance to avoid versioning discrepancies.
const octokit = getOctokit()
try {
const { PR_URL, SOURCE_BLOB_URL } = process.env
const { owner, repo, pullNumber } = parsePrUrl(PR_URL)
if (!owner || !repo || !pullNumber) {
throw new Error(`'pullRequestUrl' input must match URL format 'https://github.com/github/(docs|docs-internal)/pull/123' but was '${PR_URL}'`)
}
const { data: pullRequest } = await octokit.pulls.get({
owner,
repo,
pull_number: pullNumber
})
await deployToStaging({
octokit,
pullRequest,
forceRebuild: false,
// These parameters will ONLY be set by Actions
sourceBlobUrl: SOURCE_BLOB_URL,
runId: context.runId
})
} catch (error) {
console.error(`Failed to deploy to staging: ${error.message}`)
console.error(error)
throw error
}
- name: Mark the deployment as inactive if timed out
if: ${{ steps.deploy.outcome == 'cancelled' }}
uses: actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d
with:
script: |
// TODO: Find the relevant deployment
// TODO: Create a new deployment status for it as "inactive"
return 'TODO'
- name: Send Slack notification if workflow fails
uses: someimportantcompany/github-actions-slack-message@0b470c14b39da4260ed9e3f9a4f1298a74ccdefd
if: ${{ failure() }}
with:
channel: ${{ secrets.DOCS_STAGING_DEPLOYMENT_FAILURES_SLACK_CHANNEL_ID }}
bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
color: failure
text: Staging deployment failed for PR ${{ env.PR_URL }} at commit ${{ github.sha }}. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

2
.github/workflows/workflow-lint.yml vendored
View File

@@ -28,4 +28,4 @@ jobs:
- name: Run linter
uses: cschleiden/actions-linter@caffd707beda4fc6083926a3dff48444bc7c24aa
with:
workflows: '[".github/workflows/*.yml", ".github/workflows/*.yaml", "!.github/workflows/remove-from-fr-board.yaml", "!.github/workflows/staging-deploy-pr.yml"]'
workflows: '[".github/workflows/*.yml", ".github/workflows/*.yaml", "!.github/workflows/remove-from-fr-board.yaml", "!.github/workflows/staging-deploy-pr.yml", "!.github/workflows/staging-deploy-pr-docker.yml"]'