diff --git a/.github/workflows/deploy-cloud-run.yml b/.github/workflows/deploy-cloud-run.yml index cffed2019..95b82d828 100644 --- a/.github/workflows/deploy-cloud-run.yml +++ b/.github/workflows/deploy-cloud-run.yml @@ -1,4 +1,4 @@ -name: Build and Deploy Cloud Run Services +name: Deploy Cloud Run Services # Trigger manually from the Actions tab on: @@ -6,78 +6,64 @@ on: env: GCP_PROJECT_ID: funny-new-goose - GCP_REGION: us-central1 # Cloud Run region - GAR_LOCATION: us-central1 # Artifact Registry location (often same as region) - GAR_REPOSITORY: github-actions-builds # Name of your Artifact Registry repo - IMAGE_NAME: canyon-humctl-interface # Name for the image in Artifact Registry + GCP_REGION: us-central1 # Or choose another region if needed + GAR_LOCATION: us-central1 # Location of the Artifact Registry repository + GAR_REPOSITORY: github-actions-builds # Name of the Artifact Registry repository + IMAGE_NAME: canyonchat # Name for the Docker image jobs: - build-and-deploy: + deploy: runs-on: ubuntu-latest - # IMPORTANT: Add all potential *_ENV secret names referenced in the SERVICE_CONFIG variable here! - # The script below uses SERVICE_CONFIG to pick the correct one for each service. + # Environment variables for the job env: - SERVICE_CONFIG: ${{ vars.SERVICE_CONFIG }} # Read from GitHub Actions Variable + SERVICE_CONFIG: ${{ vars.SERVICE_CONFIG }} # Read from GitHub Actions Variable (contains list of service names) GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }} # Read from GitHub Actions Secret - # Add secrets referenced in SERVICE_CONFIG here (e.g., DOMINICWHITE01_ENV): - DOMINICWHITE01_ENV: ${{ secrets.DOMINICWHITE01_ENV }} - # EXAMPLE_SERVICE_ENV: ${{ secrets.EXAMPLE_SERVICE_ENV }} # Add more as needed - - # Grant GITHUB_TOKEN permissions to write to Artifact Registry - permissions: - contents: 'read' - id-token: 'write' # Required for google-github-actions/auth + CLOUD_RUN_ENV_VARS: ${{ secrets.CLOUD_RUN_ENV_VARS }} # Read from GitHub Actions Secret (contains structured env vars for all services) steps: - name: Checkout code uses: actions/checkout@v4 - # --- Build and Push Docker Image --- - - - name: Authenticate to Google Cloud (for GAR) - id: auth - uses: 'google-github-actions/auth@v2' - with: - credentials_json: ${{ env.GCP_SA_KEY }} - - - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v2 - - - name: Configure Docker for GAR - run: gcloud auth configure-docker ${{ env.GAR_LOCATION }}-docker.pkg.dev --quiet - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and push Docker image - id: build-push - uses: docker/build-push-action@v5 - with: - context: . # Build from the root of the repo - push: true - tags: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Echo Built Image URI - run: echo "Built image URI: ${{ steps.build-push.outputs.digest }}" - - # --- Deploy Services --- - - name: Install yq (YAML Processor) run: | sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq sudo chmod +x /usr/bin/yq shell: bash + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@v2 + with: + credentials_json: ${{ env.GCP_SA_KEY }} + + - name: Set up Cloud SDK + uses: google-github-actions/setup-gcloud@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Google Artifact Registry + run: gcloud auth configure-docker ${{ env.GAR_LOCATION }}-docker.pkg.dev --quiet + shell: bash + + - name: Build and Push Docker Image + id: build-push + uses: docker/build-push-action@v5 + with: + context: . + push: true + tags: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=max + - name: Deploy Services Script id: deploy - env: - # Make the built image URI available to the script - BUILT_IMAGE_URI: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} run: | - echo "Using Image URI: $BUILT_IMAGE_URI" + # Define the image URI based on the build step + BUILT_IMAGE_URI="${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}" + echo "Using built image: $BUILT_IMAGE_URI" + echo "Parsing SERVICE_CONFIG variable:" echo "${{ env.SERVICE_CONFIG }}" @@ -95,45 +81,39 @@ jobs: echo "Found $service_count services to process." - # Loop through services using index - for i in $(seq 0 $(($service_count - 1))); do - echo "Processing service index $i..." - service_name=$(echo "${{ env.SERVICE_CONFIG }}" | yq -r ".services[$i].name") - secret_env_var_name=$(echo "${{ env.SERVICE_CONFIG }}" | yq -r ".services[$i].secret_name") + # Validate CLOUD_RUN_ENV_VARS secret structure + if ! echo "${{ env.CLOUD_RUN_ENV_VARS }}" | yq '.' > /dev/null 2>&1; then + echo "::error::CLOUD_RUN_ENV_VARS secret is empty or not valid YAML/JSON." + exit 1 + fi + + # Loop through service names defined in SERVICE_CONFIG variable + echo "${{ env.SERVICE_CONFIG }}" | yq -r '.services[]' | while IFS= read -r service_name; do echo "" # Newline for readability - echo "--- Processing service: $service_name (Index: $i) ---" + echo "--- Processing service: $service_name ---" if [ -z "$service_name" ] || [ "$service_name" == "null" ]; then echo "::warning::Skipping service with missing or null name in SERVICE_CONFIG." continue fi - if [ -z "$secret_env_var_name" ] || [ "$secret_env_var_name" == "null" ]; then - echo "::warning::Skipping service '$service_name' due to missing or null secret_name in SERVICE_CONFIG." - continue - fi - echo "Using environment secret variable name: $secret_env_var_name" + # --- Extract and Format environment variables for this service --- + # Use yq to extract the object for the current service_name from the CLOUD_RUN_ENV_VARS secret, + # then convert it to KEY=value pairs, and join them with commas. + formatted_env_vars=$(echo "${{ env.CLOUD_RUN_ENV_VARS }}" | yq e ".${service_name} | select(.) | to_entries | map(.key + \"=\\\"\" + .value + \"\\\"\") | join(\",\")" -) # Use yq eval 'e' - # --- Get the environment variable string --- - # Use indirect parameter expansion to get the value of the env var whose name is stored in secret_env_var_name - raw_env_vars="${!secret_env_var_name}" - - if [ -z "$raw_env_vars" ]; then - echo "::warning::Environment variable string for secret '$secret_env_var_name' (service '$service_name') is empty or the secret is not defined in the workflow's 'env' block." - formatted_env_vars="" # Deploy with no env vars if secret is empty/missing + if [ -z "$formatted_env_vars" ] || [ "$formatted_env_vars" == "null" ]; then + echo "::warning::No environment variables found for service '$service_name' in CLOUD_RUN_ENV_VARS secret, or the service key doesn't exist." + formatted_env_vars="" # Deploy with no env vars if none found else - # --- Format environment variables for gcloud --- - # Convert space-separated KEY=VALUE pairs to comma-separated KEY=VALUE - # Handles potential extra whitespace between pairs - formatted_env_vars=$(echo "$raw_env_vars" | tr ' ' '\n' | grep '=' | paste -sd,) echo "Formatted env vars for gcloud: $formatted_env_vars" # Mask sensitive values in log output (simple masking, might not catch all formats) masked_vars=$(echo "$formatted_env_vars" | sed -E 's/(=[^,]+)/=***/g') echo "Formatted env vars (masked): $masked_vars" fi - # --- Normalize service name for Cloud Run --- + # --- Normalize service name for Cloud Run --- # Lowercase, replace underscores/spaces with hyphens, remove invalid chars, limit length normalized_service_name=$(echo "$service_name" | tr '[:upper:]' '[:lower:]' | sed -e 's/[_ ]/-/g' -e 's/[^a-z0-9-]//g') # Remove leading/trailing hyphens