Add webhook/ with webhook JSON config and deploy.sh with docs #400
Conversation
humphd
added
category: deployment
.github/workflows/ci.yaml
Outdated
| with: | ||
| url: https://mycustomdomain-dev.senecacollege.ca/hooks/deploy | ||
| hmacSecret: ${{ env.HMAC_SECRET }} | ||
| data: '{"tag": "${{ env.IMAGE }}:sha-${{ env.GITHUB_SHA_SHORT }}"}' |
There was a problem hiding this comment.
Don't send image here, only the new tag.
There was a problem hiding this comment.
Apart from changing this as you mentioned, and one small question looks good
| permissions: | ||
| contents: read | ||
| packages: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Define GITHUB_SHORT_SHA | ||
| run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-6)" >> $GITHUB_ENV |
There was a problem hiding this comment.
I don't think this really makes a difference (and I may also be entirely wrong) but aren't the characters on the tail end of a sha the most meaningful?
There was a problem hiding this comment.
You can take any hash and truncate it to use only the first part of it as a short-hand. This is what GitHub does when they show my commit as 93a5088 vs. 93a508896294bdd9f74b1d4ca92a57c49999f34e
There was a problem hiding this comment.
I don't think I am going to be able to find a fault with this. After everything in the needs occurs add IMAGE to env, then build and push an image with new tags, use navied/[email protected] to post to hooks safely, then deploy.sh logic which you already noticed uses image twice there because you pass image in with tag
.github/workflows/ci.yaml
Outdated
| with: | ||
| url: https://mycustomdomain-dev.senecacollege.ca/hooks/deploy | ||
| hmacSecret: ${{ env.HMAC_SECRET }} | ||
| data: '{"tag": "${{ env.IMAGE }}:sha-${{ env.GITHUB_SHA_SHORT }}"}' |
There was a problem hiding this comment.
Apart from changing this as you mentioned, and one small question looks good
|
Fixed the review issue. |
Correct, these files won't be used as is. They are a template for manually setting this up on staging. |
|
I've updated this again. I've added the |
|
Thanks for the review! I'm going to try this now... |
|
Crap, I got my order wrong, I have to do another PR to make this happen. |
Closes #77
Closes #76
Closes #74
Closes #50
This finishes the work begun in #57 to get our deployment webhook in place. ITS wants it to run outside of Docker, and has already installed
webhookon the manager nodes.This is the first of at least 2 parts to get this completed. I need to land the major bits here, then test it and adjust and document things in a follow-up.
The main points here are as follows:
/hooks/*to this server.deploymessages from GitHub, which will include 2 things. First a newtagto use with Docker. When we update to a new version onmain, this will send that image tag so it can be deployed; second, we'll send a digest created with a secret. Our deployment servers will only respond to webhooks that can sign the body (i.e., no one else can hit this endpoint)deploy.shscript will be run. The newtagwill be sent along as an ENV var. Docker will try to update the starchart image to the new tag.As we discussed in #291, I'm not doing any database migration/syncing in here. Any changes to the database schema would require a manual shut-down and update of the DB first. It would be good to get to an automated version of this some day, but not in this PR.