Pre-release maintenance #70
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Deploy TLJH on GCP" | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
paths: | |
- "**.tf" | |
jobs: | |
terraform-deploy: | |
runs-on: ubuntu-latest | |
# Ensuring the GITHUB_TOKEN has needed permissions | |
# see https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs | |
# and ability to comment on PRs | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: write | |
steps: | |
- name: "Checkout repository 🛎" | |
uses: actions/checkout@v3 | |
- name: "Retrieve secrets from Vault 🔐" | |
uses: hashicorp/vault-action@v2.5.0 | |
with: | |
method: jwt | |
url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200" | |
namespace: "admin/quansight" | |
role: "repository-quansight-labs-jupyterlab-user-testing-role" | |
secrets: | | |
kv/data/repository/Quansight-Labs/JupyterLab-user-testing/shared_secrets TF_API_TOKEN | TF_API_TOKEN; | |
kv/data/repository/Quansight-Labs/JupyterLab-user-testing/google_cloud_platform/quansight-jlab-a11y/github project_id | PROJECT_ID; | |
kv/data/repository/Quansight-Labs/JupyterLab-user-testing/google_cloud_platform/quansight-jlab-a11y/github workload_identity_provider | GCP_WORKFLOW_PROVIDER; | |
kv/data/repository/Quansight-Labs/JupyterLab-user-testing/google_cloud_platform/quansight-jlab-a11y/github service_account_name | GCP_SERVICE_ACCOUNT; | |
kv/data/repository/Quansight-Labs/JupyterLab-user-testing/cloudflare/internal-devops@quansight.com/github-quansight-jupyterlab-accesibility-tljh token | CLOUDFLARE_API_TOKEN; | |
- name: "Authenticate to GCP 🤝" | |
uses: "google-github-actions/auth@v1" | |
with: | |
token_format: access_token | |
create_credentials_file: "true" | |
workload_identity_provider: ${{ env.GCP_WORKFLOW_PROVIDER }} | |
service_account: ${{ env.GCP_SERVICE_ACCOUNT }} | |
- uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_version: "1.3.7" | |
cli_config_credentials_token: ${{ env.TF_API_TOKEN }} | |
- name: "Check Terraform input 🔍" | |
id: fmt | |
run: terraform fmt -check | |
continue-on-error: true | |
- name: "Initialize Teraform 🚒" | |
id: init | |
run: terraform init | |
- name: "Terraform Validate ☑️" | |
id: validate | |
run: terraform validate -no-color | |
- name: "Preview Terraform changes 🔍" | |
id: plan | |
run: terraform plan -no-color | |
continue-on-error: true | |
- name: "Publish plan in PR 🤖" | |
uses: actions/github-script@v6 | |
if: github.event_name == 'pull_request' | |
env: | |
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
// 1. Retrieve existing bot comments for the PR | |
const { data: comments } = await github.rest.issues.listComments({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
issue_number: context.issue.number, | |
}) | |
const botComment = comments.find(comment => { | |
return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style') | |
}) | |
// 2. Prepare format of the comment | |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` | |
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` | |
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` | |
<details><summary>Validation Output</summary> | |
\`\`\`\n | |
${{ steps.validate.outputs.stdout }} | |
\`\`\` | |
</details> | |
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | |
<details><summary>Show Plan</summary> | |
\`\`\`\n | |
${process.env.PLAN} | |
\`\`\` | |
</details> | |
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`; | |
// 3. If we have a comment, update it, otherwise create a new one | |
if (botComment) { | |
github.rest.issues.updateComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
comment_id: botComment.id, | |
body: output | |
}) | |
} else { | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: output | |
}) | |
} | |
- name: "Terraform Plan Status" | |
if: steps.plan.outcome == 'failure' | |
run: exit 1 | |
- name: "Deploy Infra 🚀" | |
# only when the changes are merged into main | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
run: terraform apply -auto-approve |