bitwarden-estensione-browser/.github/workflows/deploy-non-prod-web.yml

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

258 lines
9.7 KiB
YAML
Raw Normal View History

---
name: Deploy Web - Non-Prod
run-name: Deploy Web ${{ inputs.environment }}
on:
workflow_dispatch:
inputs:
environment:
description: 'Environment'
default: 'QA'
type: choice
options:
- QA
- EUQA
- USPROD
workflow_call:
inputs:
environment:
description: 'Environment'
default: 'QA'
type: string
jobs:
setup:
name: Setup
runs-on: ubuntu-20.04
outputs:
environment: ${{ steps.config.outputs.environment }}
environment-url: ${{ steps.config.outputs.environment-url }}
environment-name: ${{ steps.config.outputs.environment-name }}
environment-branch: ${{ steps.config.outputs.environment-branch }}
environment-artifact: ${{ steps.config.outputs.environment-artifact }}
azure-login-creds: ${{ steps.config.outputs.azure-login-creds }}
retrieve-secrets-keyvault: ${{ steps.config.outputs.retrieve-secrets-keyvault }}
steps:
- name: Configure
id: config
run: |
ENV_NAME_LOWER=$(echo "${{ inputs.environment }}" | awk '{print tolower($0)}')
echo "configuring the Web deploy for ${{ inputs.environment }}"
echo "environment=${{ inputs.environment }}" >> $GITHUB_OUTPUT
echo "environment-url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT
echo "environment-name=Web Vault - ${{ inputs.environment }}" >> $GITHUB_OUTPUT
echo "environment-branch=cf-pages-$ENV_NAME_LOWER" >> $GITHUB_OUTPUT
if [ ${{ inputs.environment }} == "QA" ]; then
echo "azure-login-creds=AZURE_KV_US_QA_SERVICE_PRINCIPAL" >> $GITHUB_OUTPUT
echo "retrieve-secrets-keyvault=bw-webvault-rlktusqa-kv" >> $GITHUB_OUTPUT
echo "environment-artifact=web-*-cloud-QA.zip" >> $GITHUB_OUTPUT
elif [ ${{ inputs.environment }} == "EUQA" ]; then
echo "azure-login-creds=AZURE_KV_EU_QA_SERVICE_PRINCIPAL" >> $GITHUB_OUTPUT
echo "retrieve-secrets-keyvault=webvaulteu-westeurope-qa" >> $GITHUB_OUTPUT
echo "environment-artifact=web-*-cloud-euqa.zip" >> $GITHUB_OUTPUT
elif [ ${{ inputs.environment }} == "USPROD" ]; then
echo "azure-login-creds=AZURE_KV_US_PROD_SERVICE_PRINCIPAL" >> $GITHUB_OUTPUT
echo "retrieve-secrets-keyvault=bw-webvault-klrt-kv" >> $GITHUB_OUTPUT
echo "environment-artifact=web-*-cloud-COMMERCIAL.zip" >> $GITHUB_OUTPUT
fi
artifact-check:
name: Check if Web artifact is present
runs-on: ubuntu-22.04
needs: setup
env:
_ENVIRONMENT_ARTIFACT: ${{ needs.setup.outputs.environment-artifact }}
steps:
- name: Download latest cloud asset
2023-11-08 19:08:34 +01:00
uses: bitwarden/gh-actions/download-artifacts@main
id: download-artifacts
continue-on-error: true
with:
workflow: build-web.yml
path: apps/web
workflow_conclusion: success
branch: ${{ github.ref_name }}
artifacts: ${{ env._ENVIRONMENT_ARTIFACT }}
- name: Login to Azure
if: ${{ steps.download-artifacts.outcome == 'failure' }}
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets for Build trigger
if: ${{ steps.download-artifacts.outcome == 'failure' }}
id: retrieve-secret
2023-11-08 19:08:34 +01:00
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Build server missing branch
if: ${{ steps.download-artifacts.outcome == 'failure' }}
uses: convictional/trigger-workflow-and-wait@f69fa9eedd3c62a599220f4d5745230e237904be # v1.6.5
with:
owner: bitwarden
repo: clients
github_token: ${{ steps.retrieve-secret.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
workflow_file_name: build-web.yml
ref: ${{ github.ref_name }}
wait_interval: 100
cfpages-deploy:
name: Deploy Web Vault to ${{ inputs.environment }} CloudFlare Pages branch
if : ${{ inputs.environment == 'QA' }}
needs:
- setup
- artifact-check
runs-on: ubuntu-22.04
env:
_ENVIRONMENT: ${{ needs.setup.outputs.environment }}
_ENVIRONMENT_URL: ${{ needs.setup.outputs.environment-url }}
_ENVIRONMENT_NAME: ${{ needs.setup.outputs.environment-name }}
_ENVIRONMENT_BRANCH: ${{ needs.setup.outputs.environment-branch }}
_ENVIRONMENT_ARTIFACT: ${{ needs.setup.outputs.environment-artifact }}
steps:
- name: Create GitHub deployment
uses: chrnorm/deployment-action@d42cde7132fcec920de534fffc3be83794335c00 # v2.0.5
id: deployment
with:
token: '${{ secrets.GITHUB_TOKEN }}'
initial-status: 'in_progress'
environment-url: ${{ env._ENVIRONMENT_URL }}
environment: ${{ env._ENVIRONMENT_NAME }}
description: 'Deployment from branch ${{ github.ref_name }}'
- name: Checkout Repo
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Download latest cloud asset
2023-11-08 19:08:34 +01:00
uses: bitwarden/gh-actions/download-artifacts@main
with:
workflow: build-web.yml
path: apps/web
workflow_conclusion: success
branch: ${{ github.ref_name }}
artifacts: ${{ env._ENVIRONMENT_ARTIFACT }}
- name: Unzip cloud asset
working-directory: apps/web
run: unzip ${{ env._ENVIRONMENT_ARTIFACT }}
- name: Checkout Repo
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ env._ENVIRONMENT_BRANCH }}
path: deployment
- name: Setup git config
run: |
git config --global user.name "GitHub Action Bot"
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global url."https://github.com/".insteadOf ssh://git@github.com/
git config --global url."https://".insteadOf ssh://
- name: Deploy CloudFlare Pages
run: |
rm -rf ./*
cp -R ../apps/web/build/* .
working-directory: deployment
- name: Push new ver to ${{ env._ENVIRONMENT_BRANCH }}
run: |
if [ -n "$(git status --porcelain)" ]; then
git add .
git commit -m "Deploy ${{ github.ref_name }} to ${{ env._ENVIRONMENT }} Cloudflare pages"
git push -u origin ${{ env._ENVIRONMENT_BRANCH }}
else
echo "No changes to commit!";
fi
working-directory: deployment
- name: Update deployment status to Success
if: ${{ success() }}
uses: chrnorm/deployment-status@2afb7d27101260f4a764219439564d954d10b5b0 # v2.0.1
with:
token: '${{ secrets.GITHUB_TOKEN }}'
environment-url: ${{ env._ENVIRONMENT_URL }}
state: 'success'
deployment-id: ${{ steps.deployment.outputs.deployment_id }}
- name: Update deployment status to Failure
if: ${{ failure() }}
uses: chrnorm/deployment-status@2afb7d27101260f4a764219439564d954d10b5b0 # v2.0.1
with:
token: '${{ secrets.GITHUB_TOKEN }}'
environment-url: ${{ env._ENVIRONMENT_URL }}
state: 'failure'
deployment-id: ${{ steps.deployment.outputs.deployment_id }}
azure-deploy:
name: Deploy Web Vault to ${{ inputs.environment }} Storage Account
needs:
- setup
- artifact-check
runs-on: ubuntu-22.04
env:
_ENVIRONMENT_ARTIFACT: ${{ needs.setup.outputs.environment-artifact }}
steps:
- name: Login to Azure
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets[needs.setup.outputs.azure-login-creds] }}
- name: Retrieve Storage Account connection string
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: ${{ needs.setup.outputs.retrieve-secrets-keyvault }}
secrets: "sa-bitwarden-web-vault-dev-key-temp"
- name: Download latest cloud asset
uses: bitwarden/gh-actions/download-artifacts@main
with:
workflow: build-web.yml
path: apps/web
workflow_conclusion: success
branch: ${{ github.event.inputs.tag }}
artifacts: ${{ env._ENVIRONMENT_ARTIFACT }}
- name: Unzip build asset
working-directory: apps/web
run: unzip ${{ env._ENVIRONMENT_ARTIFACT }}
- name: Empty container in Storage Account
run: |
az storage blob delete-batch \
--source '$web' \
--pattern '*' \
--connection-string "${{ steps.retrieve-secrets.outputs.sa-bitwarden-web-vault-dev-key-temp }}"
- name: Deploy to Azure Storage Account
working-directory: apps/web
run: |
az storage blob upload-batch \
--source "./build" \
--destination '$web' \
--connection-string "${{ steps.retrieve-secrets.outputs.sa-bitwarden-web-vault-dev-key-temp }}" \
--overwrite \
--no-progress
notify:
name: Notify Slack with result
runs-on: ubuntu-22.04
if: always()
needs:
- cfpages-deploy
- setup
steps:
2023-11-08 19:08:34 +01:00
- uses: bitwarden/gh-actions/report-deployment-status-to-slack@main
with:
project: Web
environment: US ${{ inputs.environment }} Cloud
tag: ${{ github.ref_name }}
slack-channel: team-eng-qa-devops
failure: ${{ needs.cfpages-deploy.result == 'failure' }}
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}