ci(*): update publish/deploy to use ghcr.io; untrack static/data.json

Signed-off-by: Vaughn Dice <vaughn.dice@fermyon.com>
nitishm · May 15, 2023 · e617f61 · e617f61
1 parent 1fd3458
commit e617f61
Show file tree

Hide file tree

Showing 8 changed files with 104 additions and 130 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -8,7 +8,6 @@ This documentation has been checked to ensure that:
 - [ ] Does this PR have a new menu item (anywhere in `templates/*.hbs` files) that points to a document `.md` that is set to publish in the future? If so please only publish the `.md` and `.hbs` changes in real-time (otherwise there will be a menu item pointing to a `.md` file that does not exist)
 - [ ] File does not use CRLF, but uses plain LF (hint: use `cat -ve <filename> | grep '^M' | wc -l` and expect 0 as a result) 
 - [ ] Has passed [`bart check`](https://developer.fermyon.com/bartholomew/quickstart)
-- [ ] Has run `npm run build-index`
 - [ ] Has been manually tested by running in Spin/Bartholomew (hint: use `PREVIEW_MODE=1` and run `npm run styles` to update styling)
 - [ ] Headings are using Title Case
 - [ ] Code blocks have the programming language set to properly highlight syntax and the proper copy directive

diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
@@ -17,6 +17,16 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Install npm packages
+        run: |
+          npm ci
+
+      # TODO: any other node-y things to do prior to build/deploy? 'npm run styles', etc.?
+
+      - name: Create search index
+        run: |
+          npm run build-index
+
       - name: build and deploy preview
         uses: fermyon/actions/spin/preview@v1
         with:

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - 'main'
+      - 'vdice/oci-deploy' # TODO: remove after testing
 
   workflow_dispatch:
     inputs:
@@ -29,7 +30,8 @@ permissions:
   id-token: write # Allow the workflow to create a JWT for AWS auth
 
 env:
-  JOB: fermyon-developer
+  OCI_REGISTRY: docker.io
+  OCI_IMAGE: fermyon/developer
 
 jobs:
   echo-inputs:
@@ -38,12 +40,73 @@ jobs:
     steps:
       - name: Echo Inputs
         run: |
-          echo ref: ${{ github.event.inputs.ref }}
-          echo commit: ${{ github.event.inputs.commit }}
-          echo environment: ${{ github.event.inputs.environment }}
+          echo ref: ${{ inputs.ref }}
+          echo commit: ${{ inputs.commit }}
+          echo environment: ${{ inputs.environment }}
+
+  publish:
+      runs-on: ubuntu-latest
+      if: ${{ github.repository_owner == 'fermyon' }}
+      outputs:
+        oci_ref: ${{ steps.publish-immutable.outputs.oci_ref }}
+      steps:
+        - uses: actions/checkout@v3
+
+        - name: Check out specific ref
+          if: ${{ github.event_name == 'workflow_dispatch' }} && ${{ inputs.ref != ''}}
+          run: git checkout ${{ inputs.ref }}
+
+        - name: Check out specific commit
+          if: ${{ github.event_name == 'workflow_dispatch' }} && ${{ inputs.commit != ''}}
+          run: git checkout ${{ inputs.commit }}
+
+        - name: Setup Node
+          uses: actions/setup-node@v3
+          with:
+            node-version: 16
+
+        - name: Setup Spin
+          uses: fermyon/actions/spin/setup@v1
+          with:
+            github_token: ${{ secrets.GITHUB_TOKEN }}
+            # TODO: update to next release version that includes https://github.com/fermyon/spin/pull/1296
+            version: canary
+
+        - name: Install npm packages
+          run: |
+            npm ci
+
+        # TODO: any other node-y things to do prior to publish? 'npm run styles', etc.?
+
+        - name: Create search index
+          run: |
+            npm run build-index
+
+        - name: Log in to ${{ env.OCI_REGISTRY }}
+          uses: docker/login-action@v2.1.0
+          with:
+            registry: ${{ env.OCI_REGISTRY }}
+            username: fermyon
+            password: ${{ secrets.DOCKERHUB_PAT }}
+
+        - name: Publish Spin app - mutable tag
+          if: ${{ github.ref == 'refs/heads/main' }}
+          run: |
+            spin registry push ${{ env.OCI_REGISTRY }}/${{ env.OCI_IMAGE }}:latest
+
+        - name: Publish Spin app - immutable tag
+          id: publish-immutable
+          shell: bash
+          run: |
+            image_tag="${{ github.ref_name }}-${{ github.sha }}"
+            sanitized_tag="${image_tag/\//-}"
+            export OCI_REF="${{ env.OCI_REGISTRY }}/${{ env.OCI_IMAGE }}:${sanitized_tag}"
+            echo "oci_ref=${OCI_REF}" >> $GITHUB_OUTPUT
+            spin registry push ${OCI_REF}
 
   deploy:
     runs-on: ubuntu-latest
+    needs: publish
     if: ${{ github.repository_owner == 'fermyon' }}
     steps:
       - uses: actions/checkout@v3
@@ -56,10 +119,8 @@ jobs:
           unzip nomad_${NOMAD_VERSION}_linux_$(dpkg --print-architecture).zip -d /usr/local/bin
           chmod +x /usr/local/bin/nomad
 
-      # This action currently generates a warning due to using deprecated features.
-      # https://github.com/aws-actions/configure-aws-credentials/issues/521 tracks the new behaviour.
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v2
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.INFRA_NAMESPACE }}-${{ secrets.AWS_REGION }}-gha-certs
           role-session-name: fermyon-developer-deploy
@@ -92,9 +153,6 @@ jobs:
         if: ${{ github.event_name == 'workflow_dispatch' }}
         shell: bash
         run: |
-          echo "GIT_REF=${{ github.event.inputs.ref }}" >> $GITHUB_ENV
-          echo "GIT_SHA=${{ github.event.inputs.commit }}" >> $GITHUB_ENV
-          
           if [[ "${{ github.event.inputs.environment }}" == "prod" ]]; then
             echo "PRODUCTION=true" >> $GITHUB_ENV
             echo "NOMAD_NAMESPACE=prod" >> $GITHUB_ENV
@@ -107,36 +165,17 @@ jobs:
         if: ${{ github.event_name == 'push' }}
         shell: bash
         run: |
-          echo "GIT_REF=${{ github.ref }}" >> $GITHUB_ENV
-          echo "GIT_SHA=${{ github.sha }}" >> $GITHUB_ENV
-
-          echo "PRODUCTION=true" >> $GITHUB_ENV
-          echo "NOMAD_NAMESPACE=prod" >> $GITHUB_ENV
+          # TODO: change back to prod defaults
+          # echo "PRODUCTION=true" >> $GITHUB_ENV
+          # echo "NOMAD_NAMESPACE=prod" >> $GITHUB_ENV
+            echo "PRODUCTION=false" >> $GITHUB_ENV
+            echo "NOMAD_NAMESPACE=staging" >> $GITHUB_ENV
 
       - name: Deploy
         shell: bash
         run: |
-          set -euox pipefail
-
-          # purge any lingering/completed publish jobs
-          nomad job inspect publish-${{ env.JOB }} &>/dev/null && \
-            nomad stop -purge -yes publish-${{ env.JOB }}
-
-          # run the publish job
-          nomad run \
-            -var "region=${{ secrets.AWS_REGION }}" \
-            -var "git_ref=${{ env.GIT_REF }}" \
-            -var "commit_sha=${{ env.GIT_SHA }}" \
-            deploy/publish-${{ env.JOB }}.nomad
-
-          # wait for publish job to complete
-          timeout 300s bash -c 'until [[ "$(nomad job inspect publish-${{ env.JOB }} | jq -j '.Job.Status')" == "dead" ]]; do sleep 2; done'
-
-          readonly bindle_id="$(nomad logs -job publish-${{ env.JOB }} | sed -n 's/pushed: //p')"
-
-          # run/update the website job
           nomad run \
             -var "region=${{ secrets.AWS_REGION }}" \
             -var "production=${{ env.PRODUCTION }}" \
-            -var "bindle_id=${bindle_id}" \
-            deploy/${{ env.JOB }}.nomad
+            -var "oci_ref=${{ needs.publish.outputs.oci_ref }}" \
+            deploy/fermyon-developer.nomad
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,5 @@ node_modules
 broken_links
 final_broken
 .spin
+# The search index is generated at time of deploy
+static/data.json
diff --git a/deploy/README.md b/deploy/README.md
@@ -1,19 +1,24 @@
 # Deployments
 
-The [Developer](https://developer.fermyon.com) website is deployed via the [deploy.yaml](../.github/workflows/deploy.yml) GitHub workflow.
+The [Developer](https://developer.fermyon.com) website is deployed via the [deploy.yml](../.github/workflows/deploy.yml) GitHub workflow.
+
+## Publishing
+
+In advance of deployment, the Spin app for this website is published to an OCI registry.
+
+In the case of publishing from the `main` branch, both a mutable tag and an immutable tag is pushed: `latest` and `main-<commit sha>` respectively.
 
 ## Auto Deploys
 
 The production version of the website is deployed whenever commits are pushed to the `main` branch.
 
 ## Manual Deploys
 
-Deployments may also be [triggered manually](https://github.com/fermyon/developer/actions/workflows/deploy.yml), providing a choice of `ref`, `sha` and `environment` (eg canary or prod).
+Deployments may also be [triggered manually](https://github.com/fermyon/developer/actions/workflows/deploy.yml), providing a choice of git
+`ref`, `commit` and `environment` (eg canary or prod).
 
-## Nomad jobs
+## Nomad job
 
 We currently deploy the website via its Nomad job directly. (In the future, we envision running the website as a Fermyon Cloud app.)
 
-The [publish-fermyon-developer](./publish-fermyon-developer.nomad) Nomad job checks out this repo's source code and publishes it to Bindle.
-
-The [fermyon-developer](./fermyon-developer.nomad) Nomad job contains configuration for the running website, including the bindle ID to run from.
+The [fermyon-developer](./fermyon-developer.nomad) Nomad job contains configuration for the running website, including the OCI reference to run from.
diff --git a/deploy/fermyon-developer.nomad b/deploy/fermyon-developer.nomad
@@ -35,11 +35,10 @@ EOF
     error_message = "The Let's Encrypt env must be either 'staging' or 'prod'."
   }
 }
-
-variable "bindle_id" {
+variable "oci_ref" {
   type        = string
-  default     = "fermyon-developer/0.1.0"
-  description = "A bindle id, such as foo/bar/1.2.3"
+  default     = "fermyon/developer:latest"
+  description = "The OCI reference of the Spin app for the Fermyon Developer website"
 }
 
 locals {
@@ -99,24 +98,23 @@ job "fermyon-developer" {
       driver = "exec"
 
       artifact {
-        source = "https://github.com/fermyon/spin/releases/download/v0.10.1/spin-v0.10.1-linux-amd64.tar.gz"
+        source = "https://github.com/fermyon/spin/releases/download/v1.1.0/spin-v1.1.0-linux-amd64.tar.gz"
         options {
-          checksum = "sha256:105054335fd76b3d2a1b76a705dbdb3b83d7e4093b302a7816ce7f922893f29d"
+          checksum = "sha256:13ecd7be7fb3a054f41b72d65fd6648cd8221e5df57c6694f1a8e5532b79040d"
         }
       }
 
       env {
         RUST_LOG   = "spin=trace"
-        BINDLE_URL = "http://bindle.service.consul:3030/v1"
         BASE_URL   = "https://${local.hostname}"
       }
 
       config {
         command = "spin"
         args = [
           "up",
+          "--from", var.oci_ref,
           "--listen", "${NOMAD_IP_http}:${NOMAD_PORT_http}",
-          "--bindle", var.bindle_id,
           "--log-dir", "${NOMAD_ALLOC_DIR}/logs",
           "--temp", "${NOMAD_ALLOC_DIR}/tmp",
 

diff --git a/deploy/publish-fermyon-developer.nomad b/deploy/publish-fermyon-developer.nomad
diff --git a/static/data.json b/static/data.json