Create generator-generic-ossf-slsa3-publish.yml #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Azure Production - Build and Deploy | |
# **What it does**: Builds and deploys the default branch to production | |
# **Why we have it**: To enable us to deploy the latest to production whenever necessary rather than relying on PR merges. | |
# **Who does it impact**: All contributors. | |
on: | |
push: | |
branches: | |
- main | |
workflow_dispatch: | |
permissions: | |
contents: read | |
deployments: write | |
# This allows a subsequently queued workflow run to take priority over | |
# previously queued runs but NOT interrupt currently executing runs | |
concurrency: | |
group: '${{ github.workflow }}' | |
cancel-in-progress: false | |
jobs: | |
azure-prod-build-and-deploy: | |
if: ${{ github.repository == 'github/docs-internal' }} | |
runs-on: ubuntu-20.04-xl | |
timeout-minutes: 20 | |
environment: | |
name: production | |
url: 'https://docs.github.com' | |
env: | |
DOCKER_IMAGE: ${{ secrets.PROD_REGISTRY_SERVER }}/${{ github.repository }}:${{ github.sha }} | |
DOCKER_IMAGE_CACHE_REF: ${{ secrets.PROD_REGISTRY_SERVER }}/${{ github.repository }}:main-production | |
RESOURCE_GROUP_NAME: docs-prod | |
APP_SERVICE_NAME: ghdocs-prod | |
SLOT_NAME: canary | |
steps: | |
- name: 'Az CLI login' | |
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # pin @v1.4.6 | |
with: | |
creds: ${{ secrets.PROD_AZURE_CREDENTIALS }} | |
- name: 'Docker login' | |
uses: azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 | |
with: | |
login-server: ${{ secrets.PROD_REGISTRY_SERVER }} | |
username: ${{ secrets.PROD_REGISTRY_USERNAME }} | |
password: ${{ secrets.PROD_REGISTRY_PASSWORD }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 | |
- name: Check out repo | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
with: | |
ref: ${{ github.sha }} | |
# To prevent issues with cloning early access content later | |
persist-credentials: 'false' | |
- name: Setup Node.js | |
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 | |
with: | |
node-version-file: 'package.json' | |
cache: npm | |
- name: Clone docs-early-access | |
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 | |
with: | |
repository: github/docs-early-access | |
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} | |
path: docs-early-access | |
- name: Merge docs-early-access repo's folders | |
run: src/early-access/scripts/merge-early-access.sh | |
- uses: ./.github/actions/warmup-remotejson-cache | |
with: | |
restore-only: true | |
- uses: ./.github/actions/precompute-pageinfo | |
with: | |
restore-only: true | |
- uses: ./.github/actions/clone-translations | |
with: | |
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} | |
- name: 'Build and push image' | |
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 | |
with: | |
context: . | |
push: true | |
target: production | |
tags: ${{ env.DOCKER_IMAGE }}, ${{ env.DOCKER_IMAGE_CACHE_REF }} | |
cache-from: type=registry,ref=${{ env.DOCKER_IMAGE_CACHE_REF }} | |
cache-to: type=registry,mode=max,ref=${{ env.DOCKER_IMAGE_CACHE_REF }} | |
build-args: | | |
BUILD_SHA=${{ github.sha }} | |
- name: 'Update docker-compose.prod.yaml template file' | |
run: | | |
sed 's|#{IMAGE}#|${{ env.DOCKER_IMAGE }}|g' src/workflows/docker-compose.prod.tmpl.yaml > docker-compose.prod.yaml | |
- name: 'Apply updated docker-compose.prod.yaml config to canary slot' | |
run: | | |
az webapp config container set --multicontainer-config-type COMPOSE --multicontainer-config-file docker-compose.prod.yaml --slot ${{ env.SLOT_NAME }} -n ${{ env.APP_SERVICE_NAME }} -g ${{ env.RESOURCE_GROUP_NAME }} | |
# Watch canary slot instances to see when all the instances are ready | |
- name: Check that canary slot is ready | |
env: | |
CHECK_INTERVAL: 10000 | |
EXPECTED_SHA: ${{ github.sha }} | |
CANARY_BUILD_URL: https://ghdocs-prod-canary.azurewebsites.net/_build | |
run: src/workflows/check-canary-slots.js | |
- name: 'Swap canary slot to production' | |
run: | | |
az webapp deployment slot swap --slot ${{ env.SLOT_NAME }} --target-slot production -n ${{ env.APP_SERVICE_NAME }} -g ${{ env.RESOURCE_GROUP_NAME }} | |
- uses: ./.github/actions/slack-alert | |
if: ${{ failure() && github.event_name != 'workflow_dispatch' }} | |
with: | |
slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} | |
slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }} |