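# Release pipeline with three chained jobs:
#   build    - derives the image reference, builds the image and the linux
#              binary, uploads the binary as an artifact
#   deploy   - downloads the binary and runs the deploy script against the
#              stack host over SSH
#   validate - runs the traceability test scripts, then the remote validation
#              script with the image reference produced by the build job
# Third-party actions are pinned to full commit SHAs; the trailing comment
# records the release each SHA is expected to correspond to.
#
# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN receives
# the repository's default scopes. Declare the minimum each job needs once the
# token use of the scripts under scripts/github-actions/ has been confirmed.
name: release-traceability

# NOTE(review): workflow_dispatch can be started against a ref other than
# main, and the deploy job has no ref condition or protected environment
# visible here. In that case the deploy secrets are handed to that ref's
# copy of the scripts - confirm this is intended.
on:
  push:
    branches:
      - main
  workflow_dispatch: {}

jobs:
  build:
    runs-on: ubuntu-latest
    # Image identity is computed once in the `meta` step and re-exported so
    # that deploy and validate consume the same reference.
    outputs:
      service_image_ref: ${{ steps.meta.outputs.service_image_ref }}
      service_image_tag: ${{ steps.meta.outputs.service_image_tag }}
      service_image_commit: ${{ steps.meta.outputs.service_image_commit }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Derive image identity
        id: meta
        run: bash ./scripts/github-actions/resolve-service-image-ref.sh

      - name: Build image
        env:
          SERVICE_IMAGE_REF: ${{ steps.meta.outputs.service_image_ref }}
          # `:latest` is a mutable tag; downstream jobs use SERVICE_IMAGE_REF,
          # not this value.
          SERVICE_IMAGE_LATEST_REF: ghcr.io/${{ github.repository }}:latest
        run: bash ./scripts/github-actions/build-service-image.sh

      - name: Build linux binary artifact
        env:
          BILLING_SERVICE_BINARY_ARTIFACT: dist/billing-service-linux-amd64
        run: bash ./scripts/github-actions/build-service-binary.sh

      - name: Upload billing-service binary artifact
        uses: actions/upload-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          name: billing-service-linux-amd64
          path: dist/billing-service-linux-amd64
          # Fail the job instead of deploying without a binary.
          if-no-files-found: error

      - name: Push image
        run: bash ./scripts/github-actions/push-image-placeholder.sh

  deploy:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download billing-service binary artifact
        uses: actions/download-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: billing-service-linux-amd64
          path: dist

      # NOTE(review): installs whatever ansible version the runner's apt
      # sources offer at run time; pin a version if deploys must be
      # reproducible.
      - name: Install ansible
        run: sudo apt-get update && sudo apt-get install -y ansible

      # Writes the deploy key from the repository secret to the runner's
      # ~/.ssh. `umask 077` is set first so the key file is created
      # owner-only instead of being narrowed by chmod after the write.
      #
      # NOTE(review): ssh-keyscan records whatever host key the network
      # returns during this run, so it does not authenticate the target host.
      # Prefer appending a pinned known_hosts entry kept in repository
      # configuration (for example a secret named <KNOWN_HOSTS_SECRET>).
      - name: Configure deploy SSH
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          test -n "${SSH_PRIVATE_KEY}"
          umask 077
          install -d -m 0700 ~/.ssh
          printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          ssh-keyscan -H jp-xhttp-contabo.svc.plus >> ~/.ssh/known_hosts

      # DATABASE_URL and INTERNAL_SERVICE_TOKEN reach the script as
      # environment variables. GitHub masks secret values in logs, but the
      # script must still avoid echoing them in derived or encoded form.
      - name: Deploy via playbook
        env:
          BILLING_SERVICE_IMAGE_REF: ${{ needs.build.outputs.service_image_ref }}
          BILLING_SERVICE_BINARY_ARTIFACT: dist/billing-service-linux-amd64
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          INTERNAL_SERVICE_TOKEN: ${{ secrets.INTERNAL_SERVICE_TOKEN }}
          STACK_TARGET_HOST: jp-xhttp-contabo.svc.plus
        run: bash ./scripts/github-actions/deploy-billing-service.sh

  validate:
    runs-on: ubuntu-latest
    needs:
      - build
      - deploy
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Verify workflow dependency chain
        run: bash ./scripts/github-actions/test-release-traceability-workflow.sh

      - name: Verify traceability script cases
        run: bash ./scripts/github-actions/test-validate-release-traceability.sh

      # Same key setup as the deploy job, including `umask 077` before the
      # write.
      # NOTE(review): this job reuses the deploy key; a separate read-only
      # credential would narrow what a validation-only job can do on the
      # host. The ssh-keyscan line has the same unauthenticated-host-key
      # limitation as in the deploy job.
      - name: Configure validate SSH
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          test -n "${SSH_PRIVATE_KEY}"
          umask 077
          install -d -m 0700 ~/.ssh
          printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          ssh-keyscan -H jp-xhttp-contabo.svc.plus >> ~/.ssh/known_hosts

      - name: Validate runtime traceability
        env:
          SERVICE_IMAGE_REF: ${{ needs.build.outputs.service_image_ref }}
          STACK_TARGET_HOST: jp-xhttp-contabo.svc.plus
        run: bash ./scripts/github-actions/validate-release-traceability-remote.sh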