Add webhook/ with webhook JSON config and deploy.sh with docs #400
.github/workflows/ci.yaml
Outdated
with: | ||
url: https://mycustomdomain-dev.senecacollege.ca/hooks/deploy | ||
hmacSecret: ${{ env.HMAC_SECRET }} | ||
data: '{"tag": "${{ env.IMAGE }}:sha-${{ env.GITHUB_SHA_SHORT }}"}' |
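Review bot: `hmacSecret` is read from `env.HMAC_SECRET`; an `env` entry set at job or workflow level is visible to every step, so if this value comes from a repository secret, reference `${{ secrets.HMAC_SECRET }}` directly on this line to keep it scoped to the one step that signs the request. In `data`, the field named `tag` carries `IMAGE:sha-…`, so the receiving script gets an image reference where it expects a tag; send only `sha-${{ env.GITHUB_SHA_SHORT }}` and have the deploy side check the value's shape before using it.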
Don't send image here, only the new tag.
Apart from changing this as you mentioned, and one small question, looks good.
permissions: | ||
contents: read | ||
packages: write | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Define GITHUB_SHORT_SHA | ||
run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-6)" >> $GITHUB_ENV |
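Review bot: The step name says `GITHUB_SHORT_SHA` but the variable written to `$GITHUB_ENV` is `GITHUB_SHA_SHORT`; make the step name match so a search for the variable finds where it is defined. `cut -c 1-6` keeps 6 hex characters (24 bits), one fewer than the 7 Git uses for its default abbreviation, which raises the chance of two commits producing the same image tag; consider 7 or more, and quote `"$GITHUB_SHA"` and `"$GITHUB_ENV"` in the `run` line.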
I don't think this really makes a difference (and I may also be entirely wrong) but aren't the characters on the tail end of a sha the most meaningful?
You can take any hash and truncate it to use only the first part of it as a short-hand. This is what GitHub does when they show my commit as 93a5088 vs. 93a508896294bdd9f74b1d4ca92a57c49999f34e
I don't think I am going to be able to find a fault with this. After everything in the needs occurs, add IMAGE to env, then build and push an image with new tags, use navied/[email protected] to post to hooks safely, then deploy.sh logic, which you already noticed uses image twice there because you pass image in with tag.
Fixed the review issue.
Just a small question out of curiosity, but looks good
Correct, these files won't be used as is. They are a template for manually setting this up on staging.
I've updated this again. I've added the
Thanks for the review! I'm going to try this now...
Crap, I got my order wrong, I have to do another PR to make this happen.
Closes #77
Closes #76
Closes #74
Closes #50
This finishes the work begun in #57 to get our deployment webhook in place. ITS wants it to run outside of Docker, and has already installed webhook on the manager nodes.
This is the first of at least 2 parts to get this completed. I need to land the major bits here, then test it and adjust and document things in a follow-up.
The main points here are as follows:
/hooks/* to this server.
deploy messages from GitHub, which will include 2 things. First a new tag to use with Docker. When we update to a new version on main, this will send that image tag so it can be deployed; second, we'll send a digest created with a secret. Our deployment servers will only respond to webhooks that can sign the body (i.e., no one else can hit this endpoint)
deploy.sh script will be run. The new tag will be sent along as an ENV var. Docker will try to update the starchart image to the new tag.
As we discussed in #291, I'm not doing any database migration/syncing in here. Any changes to the database schema would require a manual shut-down and update of the DB first. It would be good to get to an automated version of this some day, but not in this PR.
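The signed-body check described in the PR description, as an added example (not code from this PR, the webhook tool, or the GitHub Action). It assumes a GitHub-style `sha256=<hex>` signature header and the `sha-` plus 6-hex-character tag shape from the workflow; the function names are hypothetical.

```python
import hashlib
import hmac
import json
import re

# Tag shape taken from the workflow in this PR: "sha-" plus the 6-character short SHA.
TAG_RE = re.compile(r"sha-[0-9a-f]{6}")


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    # The "sha256=" prefix is an assumed, GitHub-style header format.
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header) -> bool:
    """Receiver side: recompute over the raw body, compare in constant time."""
    if not isinstance(header, str) or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body).encode(), header.encode())


def accept_deploy(secret: bytes, body: bytes, header):
    """Return the tag to deploy, or None if the request must be ignored."""
    if not verify(secret, body, header):
        return None
    try:
        tag = json.loads(body).get("tag")
    except (ValueError, AttributeError):
        return None
    # A valid signature proves who sent the body; the value still ends up
    # in an environment variable read by a shell script, so check its shape.
    if isinstance(tag, str) and TAG_RE.fullmatch(tag):
        return tag
    return None


if __name__ == "__main__":
    secret = b"constructed-test-secret"   # constructed, not a real secret
    body = b'{"tag": "sha-93a508"}'       # constructed payload
    sig = sign(secret, body)
    print(accept_deploy(secret, body, sig))                        # accepted
    print(accept_deploy(secret, body.replace(b"93", b"94"), sig))  # body changed
    print(accept_deploy(b"other-secret", body, sig))               # wrong secret
```

The signature is computed over the raw request bytes, before JSON parsing, so re-serialising the payload on either side would break verification.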