anotheroneofthese is deploying the project #425
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Name of the workflow and an action title to display in the GitHub UI | |
name: Deploy Project | |
run-name: ${{ github.actor }} is deploying the project | |
# Decides when the workflow gets triggered, this is a "coarse" definition for whole workflow | |
# Jobs can refine it further or use the defaults defined here | |
# List of all events that can be used for triggering workflows: | |
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows | |
on: | |
# Run on push to main branch and tags in the form v*.*.* eg.: v1.0.0 | |
push: | |
branches: | |
- main | |
tags: | |
- v*.*.* | |
# Runs every time a pull request is created, updated, etc. can use "types" to run only on select PR activities | |
pull_request: | |
# Used to make sure that only one workflow in the specified group runs at the same time | |
concurrency: | |
# Define concurrency group which is then used to determine duplicate workflow runs | |
# The second property uses fallback values since not every run is a PR run | |
group: ${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }} | |
cancel-in-progress: true | |
# Modify access granted to the workflow in the GITHUB_TOKEN | |
# Mainly used here to give checks a write permission to allow a test run reporter to publish test results | |
permissions: | |
contents: read | |
actions: read | |
checks: write # See the [[test-report-publisher]] step for explanation why this is needed | |
# List of jobs that this workflow executes, each job can run on different runners, have different steps, etc. | |
jobs: | |
# Unique identifier for this job, make sure it is unique, you can use "name" property to give it a more descriptive name | |
test-project: | |
# This name is displayed in the GitHub UI when the job is running | |
name: Build and Test the Project | |
# Defines what runner to run this job on, if you want you can use an array of tags/identifiers to match the runner name | |
# For example this can be written as [self-hosted, linux] and only runner matching all of these values will run it | |
runs-on: self-hosted-linux | |
# List of steps that this job executes in sequential order, any changes done in one step will carry over to others | |
# Be mindful of that when making changes to files | |
steps: | |
# Simple step which merely checks out the repository to the runner, making it available for other steps | |
- name: Checkout | |
# Specifies that this step should run a pre-defined action, meaning an action that was made by someone else or exists elsewhere | |
# In this case the provided identifier is a reference to a repository in: https://github.com/actions/checkout and the version is set tov4 | |
uses: actions/checkout@v4 | |
# This steps installs specified Java JDK | |
- name: Setup Java JDK | |
uses: actions/setup-java@v4 | |
# Settings/Inputs/Parameters for the action | |
with: | |
# What JDK distribution to download and use | |
distribution: temurin # If you have no good reasons to choose something else, go with Temurin distribution | |
java-version: 21 | |
architecture: x64 | |
# Sets up caching and restoring of dependencies for the specified package manager | |
# NB! If you decide to use a non-standard path for package repositories you need to set up caching yourself | |
# In that case use the "@actions/cache" action | |
cache: maven | |
# Since the self-hosted runner does not come with Maven, it must be installed manually | |
# Same for git, it is needed to upload the test results, hence why repo is initialized using "git init" | |
# Lastly gettext provides envsubst which is used in the [[verify-the-project]] step to replace env variables | |
- name: Install Maven and Initialize Repo | |
# Map of environment variables available for this step only, you can define it on job or workflow level too | |
env: | |
MAVEN_VERSION: 3.9.7 # So we can easily change the Maven version | |
run: | # Pipe allows to make the script multiline, if you need to run only one command you can skip it | |
sudo apt-get update -y | |
sudo apt-get install wget git gettext -y | |
wget https://downloads.apache.org/maven/maven-3/$MAVEN_VERSION/binaries/apache-maven-$MAVEN_VERSION-bin.tar.gz | |
sudo tar xzf apache-maven-$MAVEN_VERSION-bin.tar.gz -C /opt | |
sudo ln -s /opt/apache-maven-$MAVEN_VERSION/bin/mvn /usr/local/bin/mvn | |
echo "PATH=/opt/apache-maven-$MAVEN_VERSION/bin:$PATH" >> $GITHUB_ENV | |
git init | |
mvn -v | |
# This step imports secrets from Vault, it is recommended to use Vault as it allows checking and editing the secrets | |
# GitHub does not permit to check secret value or re-use the secrets | |
# Speak with Platform team to set up a namespace if needed | |
# They should also create an approle "user" which allows fetching the secrets within a GitHub action | |
# | |
# The url must be in form: https://<URL>, while IDs are UUIDs | |
# When providing path to the secret you need to include "/data" after namespace and before the secret name | |
- name: Import Secrets | |
uses: hashicorp/vault-action@v3 | |
with: | |
url: ${{ secrets.VAULT_URL }} | |
method: approle # Method used to authenticate against Vault | |
roleId: ${{ secrets.VAULT_ROLE_ID }} | |
secretId: ${{ secrets.VAULT_SECRET_ID }} | |
secrets: secret/v1/application/k8s/mlt/data/proxy * # The "*" at the end is a wildcard, it will get all secrets in the path | |
# This step actually builds, tests, and verifies the project using Maven #[[verify-the-project]] | |
# "envsubst" supplies proxy settings for Maven, proxy host address must be an IP address, not a URL | |
- name: Verify the Project | |
# Replace tags in settings.xml with values from environment and save it to a new file, then use it when running Maven | |
run: | | |
envsubst < .m2/settings.xml > .m2/replaced.xml | |
mvn -B -e -s .m2/replaced.xml verify | |
# This step uses the test-reporter action to publish test results in the workflow run #[[test-report-publisher]] | |
# It looks for any file named "TEST-...xml" in the project and uses it to publish the test results | |
# The job name in GitHub with the test results is "JUnit Test Results" | |
- name: Publish Test Report | |
uses: dorny/test-reporter@v1 | |
# If defines conditions that need to be fulfilled to run this step, in this case this step will always run | |
# That is because the report should be published, even if the tests failed | |
if: always() | |
with: | |
name: JUnit Test Results # Name for the report | |
path: ./**/TEST-*.xml # Where to look for report files, any file named "TEST-...xml" anywhere in the project | |
reporter: java-junit # What reporter to use, since this project uses JUnit, the reporter is "java-junit" | |
fail-on-error: true # Fail this step if there are test errors | |
fail-on-empty: true # Fail this step if no test results were found | |
# This step uploads the JAR file as an artifact which can then be used in other jobs | |
- name: Upload the JAR File | |
uses: actions/upload-artifact@v4 | |
with: | |
name: packaged-project # Artifact ID, used to reference the artifact in other jobs when downloading it #[[packaged-project-id]] | |
path: target/wls.jar # File(s) to include, the path is relative to the repository root | |
# Set "project.build.finalName --> ${project.artifactId}" in pom.xml to drop the version suffix | |
if-no-files-found: error # Fail if artifact is not found | |
overwrite: true # Allow overwriting of previous artifacts | |
# This job builds a Docker image with relevant tags and labels, and publishes it to Harbor | |
publish-image: | |
name: Build and Publish the Docker Image | |
# Defines that test-project job must finish successfully first, before this one can run | |
needs: test-project | |
# The if statement limits the job to only run if action was triggered on main branch or one of the tags | |
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') | |
runs-on: self-hosted-linux | |
# Outputs allows a job to output values that can be picked up by _downstream_ jobs that _depend_ on this job | |
outputs: | |
# The metadata step produces an image name that is then used in deployment jobs | |
# Gets the value from the "meta" step: [[meta-step-id]] | |
image-name: ${{ steps.meta.outputs.tags }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# Sets up a Docker Build action which is then used to produce the Docker image | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
driver: docker | |
# See this step description in the first job | |
- name: Import Secrets | |
uses: hashicorp/vault-action@v3 | |
with: | |
url: ${{ secrets.VAULT_URL }} | |
method: approle | |
roleId: ${{ secrets.VAULT_ROLE_ID }} | |
secretId: ${{ secrets.VAULT_SECRET_ID }} | |
secrets: secret/v1/application/k8s/mlt/data/harbor * | |
# Simple action that authenticates against the NLN's Harbor instance | |
# The url must be in form: https://<URL>, username and password should be for the GitHub robot user | |
# Ask Platform team to create a robot user with access to your project(s) in Harbor registry | |
- name: Log in to Harbor Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.HARBOR_URL }} | |
username: ${{ env.HARBOR_USERNAME }} | |
password: ${{ env.HARBOR_PASSWORD }} | |
- name: Extract Metadata for Docker | |
# Give this step a unique ID for referencing it elsewhere, here it is used to get the value of tags #[[meta-step-id]] | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
# Define to use for tags, can be multiple values if needed | |
images: harbor.nb.no/mlt/wls | |
# Defines list of tag types to use for generating the metadata | |
# the semver type uses GitHub tag in semver form and turns it into a proper tag for the image (semantic versioning: v4.2.0 -> 4.2.0) | |
# the ref type bases its version either on branch or PR event and generates the tag for the image based on that (branch -> branch-name, pr -> pr-number) | |
tags: | | |
type=semver,pattern={{version}} | |
type=ref,event=branch | |
type=ref,event=pr | |
# Downloads previously uploaded artifact with provided id/name, see [[packaged-project-id]] to see how it was defined | |
- name: Download the JAR File | |
uses: actions/download-artifact@v4 | |
with: | |
name: packaged-project | |
# Builds and publishes the image in Harbor | |
- name: Build the Docker Image | |
uses: docker/build-push-action@v5 | |
with: | |
push: true # Makes the action push image to Harbor, equivalent to "--output-type=registry" | |
context: . # Build context, makes the build process use actual files in the runner instead of using files from GitHub | |
file: ./docker/Dockerfile # Override the path to the Dockerfile, since this project has it in the docker folder | |
tags: ${{ steps.meta.outputs.tags }} # Set tags for the image using output from the meta step | |
labels: ${{ steps.meta.outputs.labels }} # Set labels for the image using output from the meta step | |
# Deploys the image to kubernetes stage environment | |
deploy-to-stage: | |
name: Deploy to Kubernetes Stage | |
needs: publish-image | |
# Runs only on main branch | |
# Can be changed to also run on tags, to ensure that stage & prod use same image after a new version release | |
if: github.ref == 'refs/heads/main' | |
runs-on: self-hosted-linux | |
# Defines what environment this job references, this allows for setting deployment protections in the project | |
# Allows requiring a number of reviewers or specific reviewers, or allow only specific branches or tags | |
# It also permits setting specific secrets and variables | |
environment: stage | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Import Secrets | |
uses: hashicorp/vault-action@v3 | |
with: | |
url: ${{ secrets.VAULT_URL }} | |
method: approle | |
roleId: ${{ secrets.VAULT_ROLE_ID }} | |
secretId: ${{ secrets.VAULT_SECRET_ID }} | |
secrets: secret/v1/application/k8s/mlt/data/k8s-stage * | |
# Installs and prepares a local kubectl instance | |
- name: Setup Kubectl | |
uses: azure/setup-kubectl@v4 | |
# Script that sets some needed variables in deployment file, and then configures kubectl for deploying to stage | |
# Script itself is rather generic, especially for simple deployments, so it can be easily re-used | |
# Just make sure to set correct context and namespace when used in other projects | |
# | |
# K8S_HOST_URL - URL pointing where to host the app, there are two default options for both stage and prod | |
# K8S_STAGE_SERVER - URL to the stage server in form https://<IP_ADDRESS>:<PORT> | |
# K8S_STAGE_NB_NO_CA - certificate auth data, get it from the Platform team | |
# K8S_STAGE_USER - name of the robot user that can deploy to the given namespace, get it from the Platform team | |
# K8S_STAGE_NB_NO_TOKEN - credentials token for the robot user, get it from the Platform team | |
- name: Deploy to Stage | |
run: | | |
echo "Deploying to stage: ${{ needs.publish-image.outputs.image-name }}" | |
sed -i "s|<image_name>|${{ needs.publish-image.outputs.image-name }}|g" k8s/stage/wls.yml | |
sed -i "s|<host_url>|${{ env.K8S_HOST_URL }}|g" k8s/stage/wls.yml | |
kubectl config set-cluster stagecl --server=${{ env.K8S_STAGE_SERVER }} | |
kubectl config set clusters.stagecl.certificate-authority-data ${{ env.K8S_STAGE_NB_NO_CA }} | |
kubectl config set-credentials ${{ env.K8S_STAGE_USER }} --token=${{ env.K8S_STAGE_NB_NO_TOKEN }} | |
kubectl config set-context mlt --cluster=stagecl --user=${{ env.K8S_STAGE_USER }} --namespace=mlt | |
kubectl config use-context mlt | |
kubectl config view | |
kubectl version | |
kubectl apply -f k8s/stage/wls.yml | |
kubectl rollout restart deploy/wls | |
deploy-to-prod: | |
name: Deploy to Kubernetes Prod | |
needs: publish-image | |
# Runs only on tags | |
if: startsWith(github.event.ref,'refs/tags/v') | |
runs-on: self-hosted-linux | |
environment: prod | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Import Secrets | |
uses: hashicorp/vault-action@v3 | |
with: | |
url: ${{ secrets.VAULT_URL }} | |
method: approle | |
roleId: ${{ secrets.VAULT_ROLE_ID }} | |
secretId: ${{ secrets.VAULT_SECRET_ID }} | |
secrets: secret/v1/application/k8s/mlt/data/k8s-prod * | |
- name: Setup Kubectl | |
uses: azure/setup-kubectl@v4 | |
# Same concept as in stage deployment, just using production values | |
- name: Deploy to Prod | |
run: | | |
echo "Deploying to prod:${{ needs.publish-image.outputs.image-name }}" | |
sed -i "s|<image_name>|${{ needs.publish-image.outputs.image-name }}|g" k8s/prod/wls.yml | |
sed -i "s|<host_url>|${{ env.K8S_HOST_URL }}|g" k8s/prod/wls.yml | |
kubectl config set-cluster prodcl --server=${{ env.K8S_PROD_SERVER }} | |
kubectl config set clusters.prodcl.certificate-authority-data ${{ env.K8S_PROD_NB_NO_CA }} | |
kubectl config set-credentials ${{ env.K8S_PROD_USER }} --token=${{ env.K8S_PROD_NB_NO_TOKEN }} | |
kubectl config set-context mlt --cluster=prodcl --user=${{ env.K8S_PROD_USER }} --namespace=mlt | |
kubectl config use-context mlt | |
kubectl config view | |
kubectl version | |
kubectl apply -f k8s/prod/wls.yml | |
kubectl rollout restart deploy/wls |