Merge pull request #117 from Pyronewbic/dev #98
| name: Deploy | |
| on: | |
| push: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| id-token: write | |
| env: | |
| PROJECT_ID: casecomp-495718 | |
| SERVICE: casecomp-api | |
| IMAGE: gcr.io/casecomp-495718/casecomp-api | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| digest: ${{ steps.digest.outputs.digest }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: google-github-actions/auth@v3 | |
| with: | |
| workload_identity_provider: projects/129850122606/locations/global/workloadIdentityPools/github-pool/providers/github-provider | |
| service_account: casecomp-deploy@casecomp-495718.iam.gserviceaccount.com | |
| - uses: google-github-actions/setup-gcloud@v3 | |
| - name: Build and push | |
| run: | | |
| BUILD_ID=$(gcloud builds submit \ | |
| --config=cloudbuild.yml \ | |
| --project ${{ env.PROJECT_ID }} \ | |
| --async \ | |
| --format='value(id)' .) | |
| echo "Waiting for build $BUILD_ID..." | |
| while true; do | |
| STATUS=$(gcloud builds describe $BUILD_ID --project ${{ env.PROJECT_ID }} --format='value(status)' 2>/dev/null) | |
| echo " status: $STATUS" | |
| case "$STATUS" in | |
| SUCCESS) break ;; | |
| FAILURE|TIMEOUT|CANCELLED|INTERNAL_ERROR) echo "Build failed: $STATUS"; exit 1 ;; | |
| *) sleep 15 ;; | |
| esac | |
| done | |
| - name: Get image digest | |
| id: digest | |
| run: | | |
| DIGEST=$(gcloud container images describe ${{ env.IMAGE }}:latest \ | |
| --project ${{ env.PROJECT_ID }} \ | |
| --format='value(image_summary.digest)') | |
| echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" | |
| echo "Image digest: $DIGEST" | |
| - name: Configure Docker auth for GCR | |
| run: gcloud auth configure-docker --quiet | |
| - uses: sigstore/cosign-installer@v3 | |
| - name: Sign image (keyless) | |
| run: | | |
| cosign sign --yes \ | |
| --oidc-issuer=https://token.actions.githubusercontent.com \ | |
| "${{ env.IMAGE }}@${{ steps.digest.outputs.digest }}" | |
| - name: Verify signature | |
| run: | | |
| cosign verify \ | |
| --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
| --certificate-identity-regexp="github.com/Pyronewbic/casecomp" \ | |
| "${{ env.IMAGE }}@${{ steps.digest.outputs.digest }}" || true | |
| - name: Attest SLSA provenance | |
| run: | | |
| cat > /tmp/provenance.json << 'PROV' | |
| { | |
| "buildType": "https://slsa.dev/provenance/v1", | |
| "builder": { "id": "https://github.com/Pyronewbic/casecomp/.github/workflows/deploy.yml" }, | |
| "invocation": { | |
| "configSource": { | |
| "uri": "git+https://github.com/Pyronewbic/casecomp@refs/heads/main", | |
| "digest": { "sha1": "${{ github.sha }}" }, | |
| "entryPoint": ".github/workflows/deploy.yml" | |
| } | |
| } | |
| } | |
| PROV | |
| cosign attest --yes \ | |
| --oidc-issuer=https://token.actions.githubusercontent.com \ | |
| --predicate /tmp/provenance.json \ | |
| --type slsaprovenance \ | |
| "${{ env.IMAGE }}@${{ steps.digest.outputs.digest }}" | |
| deploy: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| region: [asia-south1, us-central1] | |
| fail-fast: false | |
| steps: | |
| - uses: google-github-actions/auth@v3 | |
| with: | |
| workload_identity_provider: projects/129850122606/locations/global/workloadIdentityPools/github-pool/providers/github-provider | |
| service_account: casecomp-deploy@casecomp-495718.iam.gserviceaccount.com | |
| - uses: google-github-actions/setup-gcloud@v3 | |
| - name: Deploy to Cloud Run (${{ matrix.region }}) | |
| run: | | |
| gcloud run deploy ${{ env.SERVICE }} \ | |
| --image "${{ env.IMAGE }}@${{ needs.build.outputs.digest }}" \ | |
| --region ${{ matrix.region }} \ | |
| --project ${{ env.PROJECT_ID }} \ | |
| --port 3000 \ | |
| --allow-unauthenticated |
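Review bot: The `cosign verify` command in the `Verify signature` step ends with `|| true`, so a missing or invalid signature never fails the build job and the deploy matrix still receives the digest; remove the `|| true` so verification actually gates the deploy. The identity filter `--certificate-identity-regexp="github.com/Pyronewbic/casecomp"` is also unanchored and accepts any certificate identity containing that substring; anchor it to the signing workflow, e.g. `--certificate-identity-regexp='^https://github\.com/Pyronewbic/casecomp/\.github/workflows/deploy\.yml@refs/heads/main$'`. Separately, the `Get image digest` step resolves `${{ env.IMAGE }}:latest` only after the poll loop exits, rather than taking the digest the build itself produced, so a concurrent push to the `:latest` tag could lead to a different image being signed, attested and deployed; reading the digest from the build's own output (if cloudbuild.yml exposes it) or from a commit-specific tag would close that gap. The action references (`actions/checkout@v6`, `google-github-actions/auth@v3`, `google-github-actions/setup-gcloud@v3`, `sigstore/cosign-installer@v3`) are pinned to mutable major tags; for a workflow holding `id-token: write`, pinning them to full commit SHAs is the usual hardening.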