AUT-270: implement new deployment workflow for autograph (#1037)

In AUT-326 we decided that we would: * Deploy stage in response to new version tags in the autograph repository * Avoid rebuilding docker images when pushing a version tag to dockerhub (we will instead pull the docker image we deployed to dev from the ref that we tagged) This commit implements this. Slightly tangential, but also of note is mozilla-it/global-platform-admin#2138 adding support for disabling automatic sync in ArgoCD, and doing so for autograph prod. This means that prod will notice new version tags, but not automatically deploy in response to them (human approval will be needed). You can see example runs of this for the push and release cases in: * https://github.com/bhearsum/autograph/actions/runs/11557423769/job/32167407424 * https://github.com/bhearsum/autograph/actions/runs/11557348483/job/32167157862
mozilla-services · Oct 29, 2024 · 31de8a3 · 31de8a3
1 parent 7a4aecf
commit 31de8a3
Showing 1 changed file with 30 additions and 4 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -4,8 +4,9 @@ on:
   push:
     branches:
       - main
-    tags:
-      - '[0-9]+.[0-9a-z]+.[0-9a-z]+'
+  release:
+    types:
+      - released
 
 jobs:
   docker:
@@ -26,12 +27,16 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
+          flavor:
+            # don't automatically tag with `latest`; we do this conditionally in the `tags` section
+            latest=false
           images: |
             ${{ vars.DOCKERHUB_REPO }}
             ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${{ vars.GAR_REPOSITORY}}/autograph
           tags: |
             type=semver,pattern={{raw}}
-            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=latest,enable=${{ github.event_name == 'push' }}
+            type=sha,format=long,enable=${{ github.event_name == 'push' }}
 
       - name: Generate version.json
         shell: bash
@@ -58,10 +63,31 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Build and push
+        # On pushes to `main`, we build and push a new image, so we can simply
+        # use the `docker/build-push-action` action.
+        if: ${{ github.event_name == 'push' }}
         uses: docker/build-push-action@v6
         with:
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ github.event_name == 'push' }}
           sbom: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           context: .
+
+      - name: Tag and push
+        # For releases, we specifically do _not_ want to rebuild, just tag the
+        # existing image and push. There's no officially maintained action for
+        # this use case, but it's trivial enough to do ourselves.
+        if: ${{ github.event_name == 'release' }}
+        env:
+          # Tags come in the form of a fully qualified image name and tag, eg:
+          # mozilla/autograph:1.1.8
+          # us-west2-docker.pkg.dev/autograph-proj/autograph-repo/autograph:1.1.8
+          TAGS: ${{ steps.meta.outputs.tags }}
+          SRC: ${{ vars.DOCKERHUB_REPO}}:sha-${{ github.sha }}
+        run: |
+          docker pull $SRC
+          for tag in $TAGS; do
+            docker tag $SRC $tag
+            docker push $tag
+          done