From 548a62476dd3b839be00426b6c5e2f8dcbda91cf Mon Sep 17 00:00:00 2001 From: Gustavo Valverde Date: Mon, 29 Jul 2024 18:11:10 +0100 Subject: [PATCH] ref(workflows): align workflows with `zfnd` standards (#42) * ref(workflows): align workflows with `zfnd` standards * imp(workflows): just build and push images if a PR is ready for review --- .github/workflows/cd-deploy-to-dev.yml | 23 +++++++++++++++++--- .github/workflows/cd-deploy-to-prod.yml | 23 +++++++++++++++----- .github/workflows/cd-deploy-to-test.yml | 22 ++++++++++++++++--- .github/workflows/chore-clean-dev.yml | 16 ++++++++------ .github/workflows/ci-lint-codebase.patch.yml | 6 +++-- .github/workflows/ci-lint-codebase.yaml | 19 ++++++++-------- .github/workflows/sub-build-docker-image.yml | 12 +++++----- .github/workflows/sub-cloudrun-deploy.yml | 19 +++++++++++----- 8 files changed, 98 insertions(+), 42 deletions(-) diff --git a/.github/workflows/cd-deploy-to-dev.yml b/.github/workflows/cd-deploy-to-dev.yml index 5de58fd..a88ac76 100644 --- a/.github/workflows/cd-deploy-to-dev.yml +++ b/.github/workflows/cd-deploy-to-dev.yml @@ -2,10 +2,10 @@ name: Deploy to dev on: pull_request: - types: [opened, synchronize, reopened, labeled] + types: [ready_for_review, synchronize] paths: - - coredns/Corefile - - docker/Dockerfile + - '**/Corefile' + - '**/Dockerfile' - .github/workflows/cd-deploy-to-dev.yml - .github/workflows/sub-cloudrun-deploy.yml @@ -16,6 +16,22 @@ concurrency: group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + actions: read + attestations: read + checks: read + contents: read + deployments: read + id-token: write + issues: read + discussions: read + packages: read + pages: read + pull-requests: read + repository-projects: read + security-events: read + statuses: read + jobs: # TODO: Add a job to run unit tests # test: 
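Review bot: Dropping `opened` from the `pull_request` types means a PR opened directly as ready-for-review never triggers this workflow until its next push, because `ready_for_review` fires only on the draft-to-ready transition. Keep `opened` (and `reopened`) and rely on the draft guard this patch adds to the build job: `types: [opened, reopened, ready_for_review, synchronize]`. The widened `'**/Corefile'`/`'**/Dockerfile'` globs now match any such file in the tree while the build below reads only `./docker/Dockerfile`; harmless, but worth a comment if that widening is intentional.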
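Review bot: The new top-level `permissions` block grants read on every scope (`issues`, `discussions`, `pages`, `repository-projects`, `security-events`, ...) although the visible jobs only check out code and exchange an OIDC token for Google Cloud. For least privilege reduce it to `contents: read` and `id-token: write`; unlisted scopes default to `none`, and the called reusable workflows cannot exceed the caller's grant anyway. As far as I recall, `pull_request` runs from forks do not receive an OIDC token regardless of `id-token: write`, so expect the WIF exchange to fail for fork PRs and consider an `if: github.event.pull_request.head.repo.fork == false` guard.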
@@ -23,6 +39,7 @@ jobs: build: uses: ./.github/workflows/sub-build-docker-image.yml + if: ${{ !github.event.pull_request.draft }} with: environment: dev dockerfile_path: ./docker/Dockerfile diff --git a/.github/workflows/cd-deploy-to-prod.yml b/.github/workflows/cd-deploy-to-prod.yml index 03ae155..00b9f7e 100644 --- a/.github/workflows/cd-deploy-to-prod.yml +++ b/.github/workflows/cd-deploy-to-prod.yml @@ -12,12 +12,23 @@ concurrency: group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true -jobs: - # TODO: Add a job to run unit tests - # test: - # uses: ./.github/workflows/sub-unit-tests.yml - +permissions: + actions: read + attestations: read + checks: read + contents: read + deployments: read + id-token: write + issues: read + discussions: read + packages: read + pages: read + pull-requests: read + repository-projects: read + security-events: read + statuses: read +jobs: build: # needs: [test] uses: ./.github/workflows/sub-build-docker-image.yml @@ -40,7 +51,7 @@ jobs: registry: ${{ vars.GAR_BASE }} image_digest: ${{ needs.build.outputs.image_digest }} min_instances: '1' - max_instances: '100' + max_instances: '10' cpu: '1' memory: 1Gi secrets: inherit diff --git a/.github/workflows/cd-deploy-to-test.yml b/.github/workflows/cd-deploy-to-test.yml index 8d29c20..d46cc0c 100644 --- a/.github/workflows/cd-deploy-to-test.yml +++ b/.github/workflows/cd-deploy-to-test.yml @@ -3,10 +3,10 @@ name: Deploy to test on: push: branches: - - master + - main paths: - - coredns/Corefile - - docker/Dockerfile + - '**/Corefile' + - '**/Dockerfile' - .github/workflows/cd-deploy-to-test.yml - .github/workflows/sub-cloudrun-deploy.yml 
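Review bot: The prod `permissions` block carries the same over-broad read grants as dev (`issues`, `discussions`, `pages`, `security-events`, ...) for a workflow whose visible jobs only need `contents: read` and `id-token: write`; trim it to those two. This hunk also drops the `# TODO: Add a job to run unit tests` placeholder that dev and test keep, while the `# needs: [test]` comment on `build` still points at it; either keep the TODO here for consistency or remove the stale `needs` comment as well.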
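Review bot: The `push` filter now matches `'**/Dockerfile'` and `'**/Corefile'` anywhere in the tree, so a change to any Dockerfile (a test fixture, a tools image) redeploys the test environment even though the build, per the dev workflow in this same patch, reads only `./docker/Dockerfile`. If the intent is only to catch moves of the two files, a comment such as `# globbed so the build input can move without editing this filter` would make that explicit; otherwise the narrower `docker/Dockerfile` and `coredns/Corefile` paths were more precise. The rename from `master` to `main` presumably assumes branch protection has already been moved to `main`; confirm, since this workflow deploys on every push to it.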
@@ -17,6 +17,22 @@ concurrency: group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + actions: read + attestations: read + checks: read + contents: read + deployments: read + id-token: write + issues: read + discussions: read + packages: read + pages: read + pull-requests: read + repository-projects: read + security-events: read + statuses: read + jobs: # TODO: Add a job to run unit tests # test: diff --git a/.github/workflows/chore-clean-dev.yml b/.github/workflows/chore-clean-dev.yml index dd2d37b..a6b88bf 100644 --- a/.github/workflows/chore-clean-dev.yml +++ b/.github/workflows/chore-clean-dev.yml @@ -4,30 +4,32 @@ on: delete: pull_request: branches: - - master + - main types: - closed +permissions: read-all + jobs: delete: runs-on: ubuntu-latest permissions: - contents: read - id-token: write + contents: 'read' + id-token: 'write' steps: - name: Inject slug/short variables uses: rlespinasse/github-slug-action@v4.5.0 - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@v2.1.2 + uses: google-github-actions/auth@v2.1.3 with: workload_identity_provider: '${{ vars.GCP_WIF }}' - service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}' + project_id: '${{ vars.GCP_PROJECT }}' - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v1.1.1 + uses: google-github-actions/setup-gcloud@v2.1.0 - name: Removing CR service run: | - gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GOOGLE_CLOUD_REGION }} --quiet + gcloud run services delete ${{ vars.APP_NAME }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} --region=${{ vars.GCP_REGION }} --quiet diff --git a/.github/workflows/ci-lint-codebase.patch.yml b/.github/workflows/ci-lint-codebase.patch.yml index b6c4082..4cc276b 100644 --- a/.github/workflows/ci-lint-codebase.patch.yml +++ b/.github/workflows/ci-lint-codebase.patch.yml 
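Review bot: The `delete` trigger fires for every branch or tag deletion, yet `Removing CR service` unconditionally runs `gcloud run services delete` on a service named after the ref slug, so deleting a branch or tag that never had a dev deployment fails the job. Guard it, e.g. `if: github.event_name == 'pull_request' || github.event.ref_type == 'branch'` on the job, and tolerate a missing service, e.g. `gcloud run services describe "$SVC" --region=... >/dev/null 2>&1 && gcloud run services delete "$SVC" --region=... --quiet`. Dropping `service_account` switches `google-github-actions/auth` to direct Workload Identity Federation, so the WIF principal itself now needs permission to delete Cloud Run services (the impersonated `GCP_DEPLOYMENTS_SA` no longer applies) - confirm that IAM binding exists before merging. The `'read'`/`'write'` values are quoted here but bare in the other workflows; pick one style.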
@@ -4,10 +4,12 @@ on: pull_request: branches: [main] paths-ignore: - - coredns/Corefile - - docker/Dockerfile + - '**/Corefile' + - '**/Dockerfile' - .github/workflows/ci-lint-codebase.yml +permissions: read-all + jobs: linter: runs-on: ubuntu-latest diff --git a/.github/workflows/ci-lint-codebase.yaml b/.github/workflows/ci-lint-codebase.yaml index 53bd98b..fd66405 100644 --- a/.github/workflows/ci-lint-codebase.yaml +++ b/.github/workflows/ci-lint-codebase.yaml @@ -4,18 +4,15 @@ on: pull_request: branches: [main] paths: - - '**.js*' - - '**.ts*' - - Dockerfile - - package.json - - pnpm-lock.yaml + - '**/Corefile' + - '**/Dockerfile' - .github/workflows/ci-lint-codebase.yml push: branches: [main] paths: - - coredns/Corefile - - docker/Dockerfile + - '**/Corefile' + - '**/Dockerfile' - .github/workflows/ci-lint-codebase.yml concurrency: @@ -25,6 +22,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: read-all + jobs: linter: runs-on: ubuntu-latest @@ -37,7 +36,7 @@ jobs: fetch-depth: 0 - name: Lint Code Base - uses: super-linter/super-linter/slim@v5.2.1 + uses: super-linter/super-linter/slim@v6.7.0 env: LOG_LEVEL: ERROR VALIDATE_ALL_CODEBASE: false @@ -46,9 +45,9 @@ jobs: VALIDATE_CSS: false VALIDATE_EDITORCONFIG: false VALIDATE_MARKDOWN: false + VALIDATE_JAVASCRIPT_ES: false + VALIDATE_JAVASCRIPT_STANDARD: false VALIDATE_DOCKERFILE_HADOLINT: false LINTER_RULES_PATH: / - JAVASCRIPT_DEFAULT_STYLE: prettier - TYPESCRIPT_DEFAULT_STYLE: prettier DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sub-build-docker-image.yml b/.github/workflows/sub-build-docker-image.yml index 2c4a1f5..51c30f9 100644 --- a/.github/workflows/sub-build-docker-image.yml +++ b/.github/workflows/sub-build-docker-image.yml 
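Review bot: `paths-ignore` names `.github/workflows/ci-lint-codebase.yml`, but the linter workflow in this same patch is `ci-lint-codebase.yaml` (see its diff header), so an edit to the real lint workflow is not excluded from this stub and both, or neither, can report the `linter` check. Change the entry to `- .github/workflows/ci-lint-codebase.yaml`, or rename the linter file to `.yml` so the two filters stay mirror images. The `linter` job body continues past the hunk.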
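Review bot: Both rewritten `paths` filters still list `.github/workflows/ci-lint-codebase.yml`, which is not this file (`ci-lint-codebase.yaml` per the diff header), so a change to the lint workflow itself never triggers a lint run; use `- .github/workflows/ci-lint-codebase.yaml`. Separately, super-linter posts per-linter commit statuses through `GITHUB_TOKEN` when `MULTI_STATUS` is enabled, which the new `permissions: read-all` does not allow; either add `statuses: write` at job level or set `MULTI_STATUS: false` in `env`. I have not checked the v6.7.0 default for `MULTI_STATUS`, so verify against the release notes.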
@@ -23,6 +23,8 @@ on: description: The image digest to be used on a caller workflow value: ${{ jobs.build.outputs.image_digest }} +permissions: read-all + jobs: build: name: Build images @@ -46,7 +48,7 @@ jobs: # Automatic tag management and OCI Image Format Specification for labels - name: Docker meta id: meta - uses: docker/metadata-action@v5.5.0 + uses: docker/metadata-action@v5.5.1 with: # list of Docker images to use as base name for tags images: | @@ -68,11 +70,11 @@ jobs: # Setup Docker Buildx to allow use of docker cache layers from GH - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3.0.0 + uses: docker/setup-buildx-action@v3.4.0 - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@v2.1.2 + uses: google-github-actions/auth@v2.1.3 with: workload_identity_provider: '${{ vars.GCP_WIF }}' service_account: '${{ vars.GCP_ARTIFACTS_SA }}' @@ -83,7 +85,7 @@ jobs: access_token_lifetime: 10800s - name: Login to Google Artifact Registry - uses: docker/login-action@v3.0.0 + uses: docker/login-action@v3.2.0 with: registry: us-docker.pkg.dev username: oauth2accesstoken @@ -92,7 +94,7 @@ jobs: # Build and push image to Google Artifact Registry, and possibly DockerHub - name: Build & push id: docker_build - uses: docker/build-push-action@v5.1.0 + uses: docker/build-push-action@v6.3.0 with: target: ${{ inputs.dockerfile_target }} context: . diff --git a/.github/workflows/sub-cloudrun-deploy.yml b/.github/workflows/sub-cloudrun-deploy.yml index 2c7ec93..60dba14 100644 --- a/.github/workflows/sub-cloudrun-deploy.yml +++ b/.github/workflows/sub-cloudrun-deploy.yml @@ -14,7 +14,7 @@ on: type: string description: The image digest to deploy project_id: - required: true + required: false type: string description: The project to deploy to region: @@ -42,6 +42,8 @@ on: type: string description: The amount of memory to use for the service +permissions: read-all + jobs: versioning: runs-on: ubuntu-latest 
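Review bot: Every third-party action in this job (`docker/*`, `google-github-actions/auth`) remains pinned to a mutable tag (`@v2.1.3`, `@v6.3.0`) while the job holds a 3-hour registry push token (`access_token_lifetime: 10800s`); a re-pointed tag could exfiltrate that token or push an altered image. Pin to full commit SHAs with the tag in a trailing comment, e.g. `uses: docker/build-push-action@<commit-sha> # v6.3.0`, and shorten the lifetime to what one build needs. `docker/build-push-action` v6 also uploads a build record artifact and writes a job summary by default; if `build-args` (outside the hunk) carry anything sensitive, set `DOCKER_BUILD_RECORD_UPLOAD: false` in the step `env`. The top-level `permissions: read-all` only works if the `build` job keeps its own job-level `id-token: write`, which is outside the hunk - verify.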
@@ -75,19 +77,23 @@ jobs: - name: Inject slug/short variables uses: rlespinasse/github-slug-action@v4.5.0 + - uses: actions/checkout@v4.1.7 + with: + persist-credentials: false + - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@v2.1.2 + uses: google-github-actions/auth@v2.1.3 with: workload_identity_provider: '${{ vars.GCP_WIF }}' - service_account: '${{ vars.GCP_DEPLOYMENTS_SA }}' + project_id: '${{ vars.GCP_PROJECT }}' - name: Set up Cloud SDK uses: google-github-actions/setup-gcloud@v2.1.0 - name: Deploy to cloud run id: deploy - uses: google-github-actions/deploy-cloudrun@v2.2.0 + uses: google-github-actions/deploy-cloudrun@v2.6.0 with: service: ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} image: ${{ inputs.registry }}/${{ inputs.app_name }}@${{ inputs.image_digest }} @@ -101,10 +107,11 @@ jobs: --cpu=${{ inputs.cpu }} --memory=${{ inputs.memory }} --port=53 - --network=projects/zfnd-dev-net-spoke-0/global/networks/dev-spoke-0 - --subnet=projects/zfnd-dev-net-spoke-0/regions/us-east1/subnetworks/dev-default-ue1 + --network=${{ vars.GCP_NETWORK }} + --subnet=${{ vars.GCP_SUBNETWORK }} - name: Allow unauthenticated calls to the service + if: ${{ inputs.environment != 'prod' }} run: | gcloud run services add-iam-policy-binding ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} \ --region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet
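Review bot: Gating `Allow unauthenticated calls to the service` with `inputs.environment != 'prod'` stops adding the `allUsers` -> `roles/run.invoker` binding for prod, but it does not remove a binding an earlier run already created; if the prod service was deployed with this workflow before this change, it stays publicly invokable until the binding is revoked. Add a mirrored step for prod that removes the binding (tolerating "not found"), or document the one-time manual cleanup next to the `if`. Dropping `service_account` moves the deploy to direct WIF, so the WIF principal itself now needs deploy rights on the service; confirm that binding exists. The `deploy` job starts before this hunk.
```yaml
      - name: Revoke unauthenticated access on prod
        if: ${{ inputs.environment == 'prod' }}
        run: |
          gcloud run services remove-iam-policy-binding ${{ inputs.app_name }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || inputs.environment }} \
          --region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet || true
```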