fix: implement admin permissions #1121
name: CD | |
on: | |
push: | |
tags: | |
- '*' | |
# Deploy PR if "deploy" label exists | |
pull_request: | |
types: [ reopened, synchronize, labeled ] | |
# Do not use concurrency to prevent simultaneous helm deployments | |
jobs: | |
build: | |
name: Build | |
if: ${{ github.repository == 'api-platform/demo' && (github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'deploy')) }} | |
runs-on: ubuntu-latest | |
env: | |
PHP_DOCKER_IMAGE: europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:${{ github.sha }} | |
PWA_DOCKER_IMAGE: europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:${{ github.sha }} | |
KEYCLOAK_DOCKER_IMAGE: europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:${{ github.sha }} | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Auth gcloud | |
id: auth | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: access_token | |
credentials_json: ${{ secrets.GKE_SA_KEY }} | |
- | |
name: Login to GAR | |
uses: docker/login-action@v3 | |
with: | |
registry: europe-west1-docker.pkg.dev | |
username: oauth2accesstoken | |
password: ${{ steps.auth.outputs.access_token }} | |
- | |
name: Generate AUTH_SECRET | |
run: echo "AUTH_SECRET=$(openssl rand -hex 32)" >> $GITHUB_ENV | |
# https://nextjs.org/docs/app/building-your-application/configuring/environment-variables#bundling-environment-variables-for-the-browser | |
- | |
name: Generate NEXT_PUBLIC_OIDC_SERVER_URL | |
run: | | |
if [ "${{ github.event_name }}" == "push" ]; then | |
echo "NEXT_PUBLIC_OIDC_SERVER_URL=https://demo.api-platform.com/oidc/realms/demo" >> $GITHUB_ENV | |
else | |
echo "NEXT_PUBLIC_OIDC_SERVER_URL=https://pr-${{ github.event.pull_request.number }}-demo.api-platform.com/oidc/realms/demo" >> $GITHUB_ENV | |
fi | |
- | |
name: Build Docker images | |
uses: docker/bake-action@v5 | |
with: | |
# push and load may not be set together | |
# must push manually in a next step | |
pull: true | |
load: true | |
files: | | |
compose.yaml | |
compose.prod.yaml | |
set: | | |
php.cache-from=type=gha,scope=${{ github.ref }} | |
php.cache-from=type=gha,scope=refs/heads/main | |
php.cache-to=type=gha,scope=${{ github.ref }},mode=max | |
pwa.cache-from=type=gha,scope=${{ github.ref }} | |
pwa.cache-from=type=gha,scope=refs/heads/main | |
pwa.cache-to=type=gha,scope=${{ github.ref }},mode=max | |
keycloak.cache-from=type=gha,scope=${{ github.ref }} | |
keycloak.cache-from=type=gha,scope=refs/heads/main | |
keycloak.cache-to=type=gha,scope=${{ github.ref }},mode=max | |
- | |
name: Docker push | |
run: | | |
docker push $PHP_DOCKER_IMAGE | |
docker push $PWA_DOCKER_IMAGE | |
docker push $KEYCLOAK_DOCKER_IMAGE | |
- | |
name: Docker tag and push latest | |
if: github.event_name != 'pull_request' | |
run: | | |
docker tag $PHP_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:${{ github.ref_name }} | |
docker tag $PWA_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:${{ github.ref_name }} | |
docker tag $KEYCLOAK_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:${{ github.ref_name }} | |
docker tag $PHP_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:latest | |
docker tag $PWA_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:latest | |
docker tag $KEYCLOAK_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:latest | |
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:${{ github.ref_name }} | |
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:${{ github.ref_name }} | |
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:${{ github.ref_name }} | |
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:latest | |
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:latest | |
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:latest | |
deploy: | |
name: Deploy | |
needs: [ build ] | |
uses: ./.github/workflows/deploy.yml | |
with: | |
docker-images-version: ${{ github.sha }} | |
gke-cluster: api-platform-demo | |
gke-zone: europe-west1-c | |
secrets: | |
gke-credentials: ${{ secrets.GKE_SA_KEY }} | |
gke-project: ${{ secrets.GKE_PROJECT }} | |
cloudflare-api-token: ${{ secrets.CF_API_TOKEN }} | |
cloudflare-zone-id: ${{ secrets.CF_ZONE_ID }} | |
keycloak-admin-password: ${{ secrets.KEYCLOAK_ADMIN_PASSWORD }} | |
check: | |
name: Check | |
needs: [ deploy ] | |
uses: ./.github/workflows/check.yml | |
with: | |
url: ${{needs.deploy.outputs.url}} |
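Review bot: `${{ github.ref_name }}` is expanded directly into the `run:` script text of the "Docker tag and push latest" step (the `docker tag`/`docker push` lines near the end of the build job); a git ref name may contain `$(`, `;`, `&` or backticks, so anyone able to push a tag could inject into that shell, and the value should be passed through an `env:` variable and quoted instead, with the repeated `${{ secrets.GKE_PROJECT }}` registry prefix folded into one variable the same way. Separately, the job grants `id-token: 'write'` while the `google-github-actions/auth@v2` step authenticates with `credentials_json`, which does not consume the OIDC token; either drop the permission or, preferably, move to workload identity federation and retire the long-lived `GKE_SA_KEY`. The `AUTH_SECRET` written to `$GITHUB_ENV` in the "Generate AUTH_SECRET" step is never masked, so a later step that dumps its environment would print it; generating it into a shell variable and emitting `echo "::add-mask::$secret"` before the append keeps it out of logs. The rendering has lost the add/remove markers, so I cannot tell which of these lines this commit introduced versus carried over.
```yaml
      -
        name: Docker tag and push latest
        if: github.event_name != 'pull_request'
        env:
          REF_NAME: ${{ github.ref_name }}
          REGISTRY: europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}
        run: |
          for image in php pwa keycloak; do
            src="${REGISTRY}/${image}:${GITHUB_SHA}"
            for tag in "$REF_NAME" latest; do
              docker tag "$src" "${REGISTRY}/${image}:${tag}"
              docker push "${REGISTRY}/${image}:${tag}"
            done
          done
```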