Skip to content

Deploy

Deploy #2835

Workflow file for this run

name: Deploy
concurrency: deploy-${{ fromJSON('["pastaporto", "production"]')[github.ref == 'refs/heads/main'] }}
on:
push:
branches:
- main
workflow_dispatch:
env:
TF_WORKSPACE: ${{ fromJSON('["pastaporto", "production"]')[github.ref == 'refs/heads/main'] }}
jobs:
create-db:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./infrastructure/applications
steps:
- uses: actions/checkout@v4
if: github.ref != 'refs/heads/main'
with:
ref: ${{ github.ref }}
fetch-depth: 0
- name: Configure AWS credentials
if: github.ref != 'refs/heads/main'
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
aws-region: eu-central-1
- uses: hashicorp/setup-terraform@v3
if: github.ref != 'refs/heads/main'
with:
terraform_version: 1.2.4
- name: Terraform Init
if: github.ref != 'refs/heads/main'
run: terraform init
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Terraform apply
if: github.ref != 'refs/heads/main'
run: terraform apply -target module.database -no-color -auto-approve &> /dev/null
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: eu-central-1
build-pretix:
runs-on: [self-hosted]
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
fetch-depth: 0
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
aws-region: eu-central-1
- name: Get service githash
id: git
run: |
hash=$(git rev-list -1 HEAD -- ./pretix)
echo "githash=$hash" >> $GITHUB_OUTPUT
- name: Check if commit is already on ECR
id: image
run: |
set +e
aws ecr describe-images --repository-name=pythonit/pretix --image-ids=imageTag=arm-${{ steps.git.outputs.githash }}
if [[ $? == 0 ]]; then
echo "image_exists=1" >> $GITHUB_OUTPUT
else
echo "image_exists=0" >> $GITHUB_OUTPUT
fi
- uses: actions/checkout@v4
if: ${{ steps.image.outputs.image_exists == 0 }}
with:
repository: pretix/pretix
ref: v2024.10.0
path: ./pretix-clone
- name: Login to Amazon ECR
if: ${{ steps.image.outputs.image_exists == 0 }}
uses: aws-actions/amazon-ecr-login@v2
- name: Set up Docker Buildx
id: buildx
if: ${{ steps.image.outputs.image_exists == 0 }}
uses: docker/setup-buildx-action@v3
- name: Build pretix base
if: ${{ steps.image.outputs.image_exists == 0 }}
uses: docker/build-push-action@v6
id: build-pretix-base
with:
context: ./pretix-clone
file: ./pretix-clone/Dockerfile
builder: ${{ steps.buildx.outputs.name }}
provenance: false
push: true
tags: |
${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-central-1.amazonaws.com/pythonit/pretix:pretix-base-${{ steps.git.outputs.githash }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
platforms: linux/arm64
- name: Build and push pretix
if: ${{ steps.image.outputs.image_exists == 0 }}
uses: docker/build-push-action@v6
with:
context: ./pretix
file: ./pretix/Dockerfile
builder: ${{ steps.buildx.outputs.name }}
provenance: false
push: true
tags: |
${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-central-1.amazonaws.com/pythonit/pretix:arm-${{ steps.git.outputs.githash }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
platforms: linux/arm64
build-args: |
PRETIX_IMAGE=${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-central-1.amazonaws.com/pythonit/pretix:pretix-base-${{ steps.git.outputs.githash }}
build-and-push-arm-service:
runs-on: [self-hosted]
permissions:
packages: write
contents: read
strategy:
fail-fast: false
matrix:
service:
- name: pycon-backend
dir: backend
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
fetch-depth: 0
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
aws-region: eu-central-1
- name: Get service githash
id: git
run: |
hash=$(git rev-list -1 HEAD -- ${{ matrix.service.dir }})
echo "githash=$hash" >> $GITHUB_OUTPUT
- name: Check if commit is already on ECR
id: image
run: |
set +e
aws ecr describe-images --repository-name=pythonit/${{ matrix.service.name }} --image-ids=imageTag=arm-${{ steps.git.outputs.githash }}
if [[ $? == 0 ]]; then
echo "image_exists=1" >> $GITHUB_OUTPUT
else
echo "image_exists=0" >> $GITHUB_OUTPUT
fi
- name: Set up QEMU dependency
if: ${{ steps.image.outputs.image_exists == 0 }}
uses: docker/setup-qemu-action@v3
- name: Login to GitHub Packages
if: ${{ steps.image.outputs.image_exists == 0 }}
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Amazon ECR
if: ${{ steps.image.outputs.image_exists == 0 }}
uses: aws-actions/amazon-ecr-login@v2
- name: Set up Docker Buildx
id: buildx
if: ${{ steps.image.outputs.image_exists == 0 }}
uses: docker/setup-buildx-action@v3
- name: Build and push
if: ${{ steps.image.outputs.image_exists == 0 }}
uses: docker/build-push-action@v6
with:
context: ./${{ matrix.service.dir }}
file: ./${{ matrix.service.dir }}/Dockerfile
builder: ${{ steps.buildx.outputs.name }}
provenance: false
push: true
tags: |
${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-central-1.amazonaws.com/pythonit/${{ matrix.service.name }}:arm-${{ steps.git.outputs.githash }}
ghcr.io/pythonitalia/pycon/${{ matrix.service.name }}:arm-${{ steps.git.outputs.githash }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
platforms: linux/arm64
terraform:
runs-on: ubuntu-latest
needs: [build-and-push-arm-service, build-pretix, create-db]
environment:
name: ${{ fromJSON('["pastaporto", "production"]')[github.ref == 'refs/heads/main'] }}
defaults:
run:
working-directory: ./infrastructure/applications
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
fetch-depth: 0
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.2.4
- name: Terraform Init
run: terraform init
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Terraform Validate
id: validate
run: terraform validate -no-color
- name: Terraform apply
run: terraform apply -no-color -auto-approve &> /dev/null
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: eu-central-1
wait-aws-update:
runs-on: ubuntu-latest
needs: [terraform]
steps:
- name: Check health status
run: |
while true; do
response=$(curl -s "https://${{ fromJSON('["pastaporto-", ""]')[github.ref == 'refs/heads/main'] }}admin.pycon.it/health")
commit=$(echo $response | jq -r '.commit')
if [ "$commit" == "${{ steps.git.outputs.githash }}" ]; then
echo "New version live"
break
else
echo "Commit hash does not match. Retrying..."
sleep 3
fi
done
shell: bash
deploy-fe:
runs-on: ubuntu-latest
needs: [wait-aws-update]
steps:
- name: Trigger hook
if: github.ref == 'refs/heads/main'
run: |
curl -X POST ${{ secrets.VERCEL_DEPLOY_HOOK }}