# Workflow header: name, triggers and run de-duplication for the functions pipeline.
name: Functions

on:
  # Check job conditions if you add any triggers here
  pull_request:
    paths:
      - 'functions/**'
      # NOTE(review): confirm this path is this workflow's own file; if the file
      # is named differently, edits to the workflow itself will not trigger a run.
      - '.github/workflows/functions.yml'
  push:
    branches:
      - 'main'
    paths:
      - 'functions/**'
      - '.github/workflows/functions.yml'
  # Reusable entry point: the calling workflow supplies deploy_env, which the
  # deploy job uses to select the GitHub environment.
  workflow_call:
    inputs:
      deploy_env:
        description: 'For manual deployments (prod)'
        type: string

# One run per ref. github.event.workflow_run.head_branch is only set for
# workflow_run events, which are not among the triggers above, so the group
# falls back to github.ref. A newer run on the same ref cancels the one in
# flight, including a deployment that has already started.
concurrency:
  group: func-${{ github.event.workflow_run.head_branch || github.ref }}
  cancel-in-progress: true
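jobs:
  # Builds the functions bundle and hands functions/dist to the deploy job
  # as the func-dist artifact.
  build-functions:
    runs-on: ubuntu-latest
    # This job installs and builds code from the triggering ref (including
    # pull requests), so the workflow token is limited to reading the repo.
    permissions:
      contents: 'read'
    steps:
      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
      - name: Set .env for functions
        run: echo "CENTRIFUGE_SUBGRAPH_URL=https://api.goldsky.com/api/public/project_clhi43ef5g4rw49zwftsvd2ks/subgraphs/main/prod/gn" > functions/.env
      # The file is printed to the job log; keep only non-secret values in it.
      - name: print .env
        run: cat functions/.env
      - name: Setup Node
        uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516 # v3
        with:
          node-version: 18
          cache: yarn
      # NOTE(review): the install is not pinned to the lockfile here; consider
      # the lockfile-enforcing install mode of the Yarn version this repo uses
      # so CI cannot resolve different dependency versions than were reviewed.
      - name: Install Dependencies
        run: yarn install
      - name: Build
        run: yarn build:functions
      - name: Archive functions artifacts
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: func-dist
          retention-days: 4
          path: functions/dist
          # !dist/**/*.md

  # Deploys the built bundle to Google Cloud Functions and makes it publicly
  # invocable. Authenticates to Google Cloud through workload identity
  # federation, which is why the job requests id-token: write.
  deploy-functions:
    needs: [build-functions]
    outputs:
      function_url: ${{ steps.gclouddeploy.outputs.url }}
    permissions:
      contents: 'read'
      id-token: 'write'
    runs-on: ubuntu-latest
    # Deployment strategy:
    # prod if deploying from main branch or preview from PRs
    # NOTE(review): the environment name is taken directly from the caller's
    # input; protection rules on the production environment are what gate a
    # prod deploy - confirm they are configured.
    environment: ${{ inputs.deploy_env || 'gcloud-dev' }}
    # https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment
    steps:
      - name: set function name
        id: discover
        env:
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
          # Event-supplied strings (the PR head branch name in particular) are
          # handed to the script as environment variables and read below as
          # shell variables, so they are never expanded into the script text.
          ref: ${{ github.head_ref || github.ref_name }}
          pr_number: ${{ github.event.number }}
        run: |
          echo "Set env vars for deployment"
          echo "Github Ref = ${ref}"
          # Compare the full ref: github.ref_name is the short name ("main"),
          # so testing it against 'refs/heads/main' could never match, and a
          # PR head branch that happens to be called "main" must not be taken
          # for the main branch. The expressions below expand to true/false only.
          if ${{ github.ref == 'refs/heads/main' }}; then
            if ${{ inputs.deploy_env == 'production' }}; then
              # PROD (manual trigger)
              echo "function_name=webapi" >> "$GITHUB_OUTPUT"
            else
              # STAGING (main branch deploy)
              echo "function_name=webapi-staging" >> "$GITHUB_OUTPUT"
            fi
          elif ${{ github.event_name == 'pull_request' }}; then
            # PRs
            echo "function_name=webapi-${pr_number}" >> "$GITHUB_OUTPUT"
          else
            echo "::error title=No env to deploy::Workflow called from non-deployable branch/tag"
            exit 1
          fi
      - name: download the distribution package
        id: download
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: func-dist
          path: ./web-funciton
      - name: debug
        env:
          # Caller-supplied input, read as a shell variable instead of being
          # expanded into the script.
          deploy_env: ${{ inputs.deploy_env }}
        run: |
          echo "Using GH environment -> ${{ inputs.deploy_env && 'production' || 'gcloud-dev' }} "
          echo "Because inputs.deploy_env == ${deploy_env} (empty if not triggered manually)"
      - name: Auth gcloud
        id: gauth
        uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1
        with:
          workload_identity_provider: '${{ secrets.GWIP }}'
          service_account: '${{ secrets.GSA }}'
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@d51b5346f85640ec2aa2fa057354d2b82c2fcbce # v1.0.1
      - name: Deploy to google functions
        id: gclouddeploy
        uses: google-github-actions/deploy-cloud-functions@14509ca55199d9348161571e36c48e44f855030d # v1
        with:
          name: ${{ steps.discover.outputs.function_name }}
          # NOTE(review): the bundle is built with Node 18 in build-functions
          # but deployed on the nodejs16 runtime - confirm this is intended.
          runtime: nodejs16
          region: ${{ vars.GCP_REGION }}
          source_dir: ${{steps.download.outputs.download-path}}
          entry_point: 'handler'
          https_trigger_security_level: 'secure_always'
          max_instances: ${{ inputs.deploy_env == 'production' && '25' || '1' }}
      # Grants roles/cloudfunctions.invoker to allUsers: the function becomes
      # callable without authentication. This applies to every target,
      # including per-PR preview functions, so the handler has to enforce any
      # access control itself.
      - name: Change function to allow_unathorized calls
        shell: bash
        env:
          function_name: ${{ steps.discover.outputs.function_name }}
          gcp_region: ${{ vars.GCP_REGION }}
        run: |
          gcloud functions add-iam-policy-binding "${function_name}" \
            --region="${gcp_region}" \
            --member="allUsers" --role="roles/cloudfunctions.invoker"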