Skip to content

fix: implement admin permissions #1121

fix: implement admin permissions

fix: implement admin permissions #1121

Workflow file for this run

name: CD
on:
push:
tags:
- '*'
# Deploy PR if "deploy" label exists
pull_request:
types: [ reopened, synchronize, labeled ]
# Do not use concurrency to prevent simultaneous helm deployments
jobs:
build:
name: Build
if: ${{ github.repository == 'api-platform/demo' && (github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'deploy')) }}
runs-on: ubuntu-latest
env:
PHP_DOCKER_IMAGE: europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:${{ github.sha }}
PWA_DOCKER_IMAGE: europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:${{ github.sha }}
KEYCLOAK_DOCKER_IMAGE: europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:${{ github.sha }}
permissions:
contents: 'read'
id-token: 'write'
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Auth gcloud
id: auth
uses: google-github-actions/auth@v2
with:
token_format: access_token
credentials_json: ${{ secrets.GKE_SA_KEY }}
-
name: Login to GAR
uses: docker/login-action@v3
with:
registry: europe-west1-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
-
name: Generate AUTH_SECRET
run: echo "AUTH_SECRET=$(openssl rand -hex 32)" >> $GITHUB_ENV
# https://nextjs.org/docs/app/building-your-application/configuring/environment-variables#bundling-environment-variables-for-the-browser
-
name: Generate NEXT_PUBLIC_OIDC_SERVER_URL
run: |
if [ "${{ github.event_name }}" == "push" ]; then
echo "NEXT_PUBLIC_OIDC_SERVER_URL=https://demo.api-platform.com/oidc/realms/demo" >> $GITHUB_ENV
else
echo "NEXT_PUBLIC_OIDC_SERVER_URL=https://pr-${{ github.event.pull_request.number }}-demo.api-platform.com/oidc/realms/demo" >> $GITHUB_ENV
fi
-
name: Build Docker images
uses: docker/bake-action@v5
with:
# push and load may not be set together
# must push manually in a next step
pull: true
load: true
files: |
compose.yaml
compose.prod.yaml
set: |
php.cache-from=type=gha,scope=${{ github.ref }}
php.cache-from=type=gha,scope=refs/heads/main
php.cache-to=type=gha,scope=${{ github.ref }},mode=max
pwa.cache-from=type=gha,scope=${{ github.ref }}
pwa.cache-from=type=gha,scope=refs/heads/main
pwa.cache-to=type=gha,scope=${{ github.ref }},mode=max
keycloak.cache-from=type=gha,scope=${{ github.ref }}
keycloak.cache-from=type=gha,scope=refs/heads/main
keycloak.cache-to=type=gha,scope=${{ github.ref }},mode=max
-
name: Docker push
run: |
docker push $PHP_DOCKER_IMAGE
docker push $PWA_DOCKER_IMAGE
docker push $KEYCLOAK_DOCKER_IMAGE
-
name: Docker tag and push latest
if: github.event_name != 'pull_request'
run: |
docker tag $PHP_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:${{ github.ref_name }}
docker tag $PWA_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:${{ github.ref_name }}
docker tag $KEYCLOAK_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:${{ github.ref_name }}
docker tag $PHP_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:latest
docker tag $PWA_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:latest
docker tag $KEYCLOAK_DOCKER_IMAGE europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:latest
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:${{ github.ref_name }}
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:${{ github.ref_name }}
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:${{ github.ref_name }}
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/php:latest
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/pwa:latest
docker push europe-west1-docker.pkg.dev/${{ secrets.GKE_PROJECT }}/${{ secrets.GKE_PROJECT }}/keycloak:latest
deploy:
name: Deploy
needs: [ build ]
uses: ./.github/workflows/deploy.yml
with:
docker-images-version: ${{ github.sha }}
gke-cluster: api-platform-demo
gke-zone: europe-west1-c
secrets:
gke-credentials: ${{ secrets.GKE_SA_KEY }}
gke-project: ${{ secrets.GKE_PROJECT }}
cloudflare-api-token: ${{ secrets.CF_API_TOKEN }}
cloudflare-zone-id: ${{ secrets.CF_ZONE_ID }}
keycloak-admin-password: ${{ secrets.KEYCLOAK_ADMIN_PASSWORD }}
check:
name: Check
needs: [ deploy ]
uses: ./.github/workflows/check.yml
with:
url: ${{needs.deploy.outputs.url}}