Skip to content

Instantly share code, notes, and snippets.

@zimbatm

zimbatm/ci.yml

Created June 8, 2022 09:35
Show Gist options
  • Save zimbatm/007f69c14ad880d52bcdf16296a89474 to your computer and use it in GitHub Desktop.
Save zimbatm/007f69c14ad880d52bcdf16296a89474 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ci.yml
on:
push:
branches:
- master
pull_request:
name: CI
env:
SCCACHE_IDLE_TIMEOUT: '0'
jobs:
nix:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v3
- uses: cachix/install-nix-action@v17
- uses: cachix/cachix-action@v10
with:
name: modeldrive
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: nix-build ./nix
test:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v3
- uses: numtide/clean-git-action@v1
- uses: cachix/install-nix-action@v17
- uses: cachix/cachix-action@v10
with:
name: modeldrive
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_CI_ROLE }}
role-duration-seconds: 1800
aws-region: eu-west-2
- name: Run tests
env:
SCCACHE_BUCKET: "modeldrive-sccache"
SCCACHE_REGION: "eu-west-2"
run: |
rm -rf ~/.cache ~/.cargo
./devshell.sh just sccache-start test-slow sccache-stop
fmt:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v3
- uses: numtide/clean-git-action@v1
- uses: cachix/install-nix-action@v17
- uses: cachix/cachix-action@v10
with:
name: modeldrive
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_CI_ROLE }}
role-duration-seconds: 900
aws-region: eu-west-2
- name: Run format checks
env:
SCCACHE_BUCKET: "modeldrive-sccache"
SCCACHE_REGION: "eu-west-2"
run: |
rm -rf ~/.cache ~/.cargo
./devshell.sh just sccache-start fmt sccache-stop
images-backend:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_CI_ROLE }}
role-duration-seconds: 900
aws-region: eu-west-2
- name: Setup AWS credentials
run: .github/actions/setup_aws_credentials.sh false
- name: Build and push
run: ops/images/build.rb backend
images-frontend:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_CI_ROLE }}
role-duration-seconds: 900
aws-region: eu-west-2
- name: Setup AWS credentials
run: .github/actions/setup_aws_credentials.sh false
- name: Build and push
run: ops/images/build.rb frontend
qa:
runs-on: ubuntu-20.04
needs: [images-frontend, images-backend, test, fmt, nix]
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: cachix/install-nix-action@v17
- uses: cachix/cachix-action@v10
with:
name: modeldrive
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Setup AWS credentials
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: .github/actions/setup_aws_credentials.sh
- run: ./devshell.sh just qa/up
- name: Run QA
env:
CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
# Recommended: pass the GitHub token lets this action correctly
# determine the unique run id necessary to re-run the checks
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CI_BUILD_ID: ${{ github.repository }}-${{ github.run_id }}-${{ github.run_attempt }}
run: |
echo "script-shell=$(type -p bash)" > /home/runner/.npmrc
./devshell.sh just qa/cypress-ci
Raw
cleanup.yml
on:
schedule:
- cron: "5 4 * * 0" # At 04:05 on Sunday. https://crontab.guru/
pull_request:
types: [ closed ]
repository_dispatch:
types:
- cleanup-command
name: Cleanup
jobs:
review_cleanup:
name: Remove old review deployments
runs-on: ubuntu-latest
env:
AWS_DEFAULT_REGION: eu-west-2
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup AWS credentials
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: .github/actions/setup_aws_credentials.sh
- uses: cachix/install-nix-action@v17
- uses: cachix/cachix-action@v10
with:
name: modeldrive
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Terraform destroy
env:
GITHUB_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.number }}
run: ./devshell.sh ops/deploy/review/down_all.sh
Raw
command-deploy.yml
name: Deploy command
on:
repository_dispatch:
types:
- deploy-command
jobs:
images:
runs-on: ubuntu-20.04
strategy:
matrix:
image: [backend, frontend]
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.client_payload.pull_request.head.sha }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_CI_ROLE }}
role-duration-seconds: 900
aws-region: eu-west-2
- name: Setup AWS credentials
run: .github/actions/setup_aws_credentials.sh false
- name: Build and push
run: ops/images/build.rb ${{ matrix.image }}
deployment:
runs-on: 'ubuntu-latest'
needs: images
concurrency: deploy-${{ github.event.client_payload.slash_command.args.unnamed.arg1 && github.event.client_payload.slash_command.args.unnamed.arg1 || 'review' }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.client_payload.pull_request.head.sha }}
- name: Setup AWS credentials
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: .github/actions/setup_aws_credentials.sh
- uses: cachix/install-nix-action@v17
- uses: cachix/cachix-action@v10
with:
name: modeldrive
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Deploy
id: deploy
env:
TARGET: ${{ github.event.client_payload.slash_command.args.unnamed.arg1 && github.event.client_payload.slash_command.args.unnamed.arg1 || 'review' }}
GITHUB_TOKEN: ${{ github.token }}
GITHUB_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
run: |
./devshell.sh ops/deploy/$TARGET/up.sh ${{ github.event.client_payload.pull_request.number }}
echo --------------------------------------------------------------
echo SUCCESS
- name: Add Success Reaction
if: success()
uses: peter-evans/create-or-update-comment@v2
with:
token: ${{ secrets.PAT }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: hooray, heart
body: |
Deployed on ${{ steps.deploy.outputs.url }}
- name: Add Failure Reaction
if: failure()
uses: peter-evans/create-or-update-comment@v2
with:
token: ${{ secrets.PAT }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: confused
Raw
command-help.yml
name: help action
on:
repository_dispatch:
types: [help-command]
jobs:
display-help-info:
runs-on: ubuntu-latest
steps:
- name: Create comment
uses: peter-evans/create-or-update-comment@v2
with:
issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
body: |
These are the commands available
| Command | Description |
| ------- | ----------- |
| /rebase | Rebase this PR |
| /deploy | Deploy this PR on `review` environment |
| /deploy `<environment>` | Deploy this PR on `<environment>` |
| /undeploy | Uninstall this PR from the `review` environment |
| /cleanup | Uninstall all closed PR from the `review` environment |
| /snapshot | Snapshot postgresql database used by this PR |
| /snapshot `<environment>` | Snapshot postgresql database in `<environment>` |
Raw
command-rebase.yml
name: PR Rebase Command
on:
repository_dispatch:
types:
- rebase-command
jobs:
rebase:
runs-on: ubuntu-latest
steps:
- name: Rebase PR
uses: peter-evans/rebase@v2
id: rebase
with:
token: ${{ secrets.PAT }}
head: ${{ github.event.client_payload.pull_request.head.label }}
- name: Add Success Reaction
if: ${{ steps.rebase.outputs.rebased-count == 1 && github.event.client_payload.github.payload.comment }}
uses: peter-evans/create-or-update-comment@v2
with:
token: ${{ secrets.PAT }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: hooray, heart
- name: Add Failure Reaction
if: ${{ github.event.client_payload.github.payload.comment && (steps.rebase.outputs.rebased-count == 0 || failure()) }}
uses: peter-evans/create-or-update-comment@v2
with:
token: ${{ secrets.PAT }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: confused
Raw
command-snapshot.yml
name: Snapshot
on:
repository_dispatch:
types:
- snapshot-command
jobs:
snapshot:
runs-on: 'ubuntu-latest'
concurrency: snapshot-${{ github.event.client_payload.slash_command.args.unnamed.arg1 && github.event.client_payload.slash_command.args.unnamed.arg1 || 'review' }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.client_payload.pull_request.head.sha }}
- name: Setup AWS credentials
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: .github/actions/setup_aws_credentials.sh
- uses: cachix/install-nix-action@v17
- uses: cachix/cachix-action@v10
with:
name: modeldrive
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Snapshot
id: snapshot
env:
TARGET: ${{ github.event.client_payload.slash_command.args.unnamed.arg1 && github.event.client_payload.slash_command.args.unnamed.arg1 || 'review' }}
WAIT_FOR_SNAPSHOT: 1
run: |
./devshell.sh ops/deploy/$TARGET/snapshot.sh ${{ github.event.client_payload.pull_request.number }}
echo --------------------------------------------------------------
echo SUCCESS
- name: Add Success Reaction
if: success()
uses: peter-evans/create-or-update-comment@v2
with:
token: ${{ secrets.PAT }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: hooray, heart
body: |
Snapshot `${{ steps.snapshot.outputs.snapshot_name }}` created
- name: Add Failure Reaction
if: failure()
uses: peter-evans/create-or-update-comment@v2
with:
token: ${{ secrets.PAT }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: confused
Raw
command-undeploy.yml
name: Undeploy
on:
repository_dispatch:
types:
- undeploy-command
jobs:
undeployment:
runs-on: 'ubuntu-latest'
env:
AWS_DEFAULT_REGION: eu-west-2
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.event.client_payload.pull_request.head.sha }}
- name: Setup AWS credentials
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: .github/actions/setup_aws_credentials.sh
- uses: cachix/install-nix-action@v17
- uses: cachix/cachix-action@v10
with:
name: modeldrive
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Undeploy
id: undeploy
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
./devshell.sh ops/deploy/review/down.sh ${{ github.event.client_payload.pull_request.number }}
echo --------------------------------------------------------------
echo SUCCESS
- name: Add Success Reaction
if: success()
uses: peter-evans/create-or-update-comment@v2
with:
token: ${{ secrets.PAT }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: hooray, heart
- name: Add Failure Reaction
if: failure()
uses: peter-evans/create-or-update-comment@v2
with:
token: ${{ secrets.PAT }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
reaction-type: confused
Raw
deploy.yml
name: Deploy
on:
workflow_dispatch:
inputs:
ref:
type: string
description: 'Git Reference (branch / SHA)'
required: true
default: 'master'
target:
type: choice
description: 'Target environment'
required: true
default: 'beta'
options:
- beta
- production
skip_migration:
type: boolean
description: 'Skip migration'
required: true
default: false
push:
branches:
- master
jobs:
images:
runs-on: ubuntu-20.04
strategy:
matrix:
include:
- image: backend
ref: ${{ github.event.inputs.ref && github.event.inputs.ref || 'master' }}
- image: frontend
ref: ${{ github.event.inputs.ref && github.event.inputs.ref || 'master' }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ matrix.ref }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_CI_ROLE }}
role-duration-seconds: 900
aws-region: eu-west-2
- name: Setup AWS credentials
run: .github/actions/setup_aws_credentials.sh false
- name: Build and push
run: ops/images/build.rb ${{ matrix.image }}
deployment:
runs-on: 'ubuntu-latest'
needs: images
strategy:
matrix:
include:
- ref: ${{ github.event.inputs.ref && github.event.inputs.ref || 'master' }}
target: ${{ github.event.inputs.target && github.event.inputs.target || 'beta' }}
skip_migration: ${{ github.event.inputs.skip_migration != null && github.event.inputs.skip_migration || false }}
concurrency: deploy-${{ matrix.target }}
steps:
- name: Fetch admin team member list
uses: tspascoal/get-user-teams-membership@v1
with:
username: ${{ github.actor }}
organization: modeldrive
team: admin
GITHUB_TOKEN: ${{ secrets.PAT }}
- name: Is user an admin team member?
if: ${{ github.event_name == 'workflow_dispatch' && matrix.target == 'production' && steps.checkUserMember.outputs.isTeamMember == 'false' }}
run: exit 1
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ matrix.ref }}
- name: Setup AWS credentials
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: .github/actions/setup_aws_credentials.sh
- uses: cachix/install-nix-action@v17
- uses: cachix/cachix-action@v10
with:
name: modeldrive
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Deploy
id: deploy
env:
GITHUB_TOKEN: ${{ github.token }}
GITHUB_REF: ${{ matrix.ref }}
run: |
./devshell.sh ops/deploy/${{ matrix.target }}/up.sh ${{ matrix.skip_migration == 'true' && 'false' || 'true' }}
echo --------------------------------------------------------------
echo SUCCESS
- name: Create Sentry release
uses: getsentry/action-release@v1
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ORG: modeldrive
SENTRY_PROJECT: modeldrive
with:
environment: "modeldrive-${{ matrix.target }}"
Raw
slash-command-dispatch.yml
name: Slash Command Dispatch
on:
issue_comment:
types: [created]
jobs:
slashCommandDispatch:
runs-on: ubuntu-latest
steps:
- name: Slash Command Dispatch Pull-Request
if: ${{ github.event.issue.pull_request }}
uses: peter-evans/slash-command-dispatch@v3
with:
token: ${{ secrets.PAT }}
commands: |-
rebase
undeploy
snapshot
- name: Slash Command Dispatch
uses: peter-evans/slash-command-dispatch@v3
with:
token: ${{ secrets.PAT }}
commands: |-
deploy
help
cleanup
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment