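# This workflow uses devbox for dependency management and builds/deploys the library API
# to Cloud Run when a version tag is pushed (e.g., library-api-v1.0.0).
#
# Flow: checkout -> devbox setup -> read the version from pom.xml -> check that the git tag
# matches it -> authenticate to Google Cloud via Workload Identity Federation -> build the
# Quarkus app -> build/push the container image -> deploy to Cloud Run -> run the
# metadata-sync reusable workflow.
#
# NOTE(review): third-party actions are pinned to mutable major-version tags (e.g. @v4);
# pinning to a full commit SHA (`owner/action@<commit-sha>  # vN`) gives a stronger
# supply-chain guarantee.
---
name: 'Build and Deploy Library API to Cloud Run'

on:
  push:
    tags:
      - 'library-api-v*'

# Workflow-level env is exported to every `run` step as ordinary environment variables,
# so shell scripts below reference these as $REGION, $PROJECT_ID, ... instead of
# splicing ${{ env.* }} expressions into the script text.
env:
  PROJECT_ID: 'benefit-decision-toolkit-play'
  REGION: 'us-central1'
  SERVICE: 'benefit-decision-toolkit-play'
  API_NAME: 'library-api'
  WORKLOAD_IDENTITY_PROVIDER: 'projects/1034049717668/locations/global/workloadIdentityPools/github-actions-google-cloud/providers/github'

jobs:
  deploy:
    runs-on: 'ubuntu-latest'
    # Least-privilege token: read the repository, and mint the OIDC token consumed by
    # the Workload Identity Federation auth step.
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: 'Checkout'
        uses: 'actions/checkout@v4'

      - name: 'Setup devbox'
        uses: './.github/actions/devbox-setup'

      # Cache Maven dependencies to speed up builds
      - name: 'Cache Maven dependencies'
        uses: 'actions/cache@v4'
        with:
          path: '~/.m2/repository'
          key: "${{ runner.os }}-maven-${{ hashFiles('library-api/pom.xml') }}"
          restore-keys: |
            ${{ runner.os }}-maven-

      # Extract version from pom.xml (source of truth) using Maven
      - name: 'Extract version from pom.xml'
        id: 'extract_version'
        run: |
          # -f points Maven at the module pom because devbox runs from the repo root.
          # stderr is merged and only the last line is kept: if Maven fails, that line
          # is not a version and the format check below rejects it with a clear message.
          VERSION=$(devbox run -q -- mvn -f library-api/pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout 2>&1 | tail -1 | xargs)
          echo "Extracted VERSION: '${VERSION}'"
          # Validate it's a semantic version. This also guarantees the value only
          # contains digits and dots before it is used in image tags and revision names.
          if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "ERROR: Invalid version format: '$VERSION'"
            echo "Expected semantic version (e.g., 0.1.2)"
            exit 1
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          # Create revision-safe version string (replace dots with dashes for Cloud Run)
          REVISION_VERSION="${VERSION//./-}"
          echo "revision_version=${REVISION_VERSION}" >> "$GITHUB_OUTPUT"
          echo "Extracted version from pom.xml: ${VERSION}"
          echo "Revision version: ${REVISION_VERSION}"

      # Validate that git tag exists for this pom.xml version
      - name: 'Validate git tag matches pom.xml version'
        run: |
          devbox run -q -- bin/validate-library-api-version

      # Configure Workload Identity Federation and generate an access token
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v2'
        with:
          workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
          service_account: 'cicd-build-deploy-api@benefit-decision-toolkit-play.iam.gserviceaccount.com'
          project_id: '${{ env.PROJECT_ID }}'

      # Configure Docker to use gcloud as a credential helper (using devbox gcloud)
      - name: 'Configure Docker'
        run: |
          devbox run -q -- gcloud auth configure-docker "${REGION}-docker.pkg.dev"

      # Build the Quarkus app with Maven using devbox environment
      - name: 'Build Quarkus App'
        working-directory: 'library-api'
        run: |
          devbox run -q build-library-api-ci

      - name: 'Build and Push Container'
        working-directory: 'library-api'
        env:
          # Step output is handed to the script as an env var rather than spliced into
          # the script text, so the shell never sees a ${{ }} expansion.
          VERSION: '${{ steps.extract_version.outputs.version }}'
        run: |
          IMAGE="${REGION}-docker.pkg.dev/${PROJECT_ID}/${SERVICE}/${API_NAME}"
          DOCKER_TAG_VERSIONED="${IMAGE}:v${VERSION}"
          DOCKER_TAG_LATEST="${IMAGE}:latest"
          # Build once, tag with both the version and 'latest'
          docker build -f src/main/docker/Dockerfile.jvm --tag "${DOCKER_TAG_VERSIONED}" --tag "${DOCKER_TAG_LATEST}" .
          # Push both tags
          docker push "${DOCKER_TAG_VERSIONED}"
          docker push "${DOCKER_TAG_LATEST}"
          echo "Pushed images:"
          echo " - ${DOCKER_TAG_VERSIONED}"
          echo " - ${DOCKER_TAG_LATEST}"

      - name: 'Deploy to Cloud Run'
        id: 'deploy'
        uses: 'google-github-actions/deploy-cloudrun@v2'
        with:
          service: '${{ env.API_NAME }}'
          region: '${{ env.REGION }}'
          image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}/${{ env.API_NAME }}:v${{ steps.extract_version.outputs.version }}'
          tag: '${{ env.API_NAME }}-v${{ steps.extract_version.outputs.revision_version }}'
          # --allow-unauthenticated makes the service publicly invokable (no IAM check
          # on requests); the revision runs as the dedicated library-api service account,
          # not as the deployer identity used by the auth step.
          flags: '--allow-unauthenticated --max-instances=2 --service-account=library-api-service-account@${{ env.PROJECT_ID }}.iam.gserviceaccount.com'

      # Show deployment output
      - name: 'Show deployment output'
        env:
          SERVICE_URL: '${{ steps.deploy.outputs.url }}'
          VERSION: '${{ steps.extract_version.outputs.version }}'
          REVISION_VERSION: '${{ steps.extract_version.outputs.revision_version }}'
        run: |
          echo "Deployment complete!"
          echo "Service URL: ${SERVICE_URL}"
          echo "Version: v${VERSION}"
          echo "Revision: ${API_NAME}-v${REVISION_VERSION}"

  # NOTE(review): `secrets: inherit` forwards every repository/organization secret to the
  # reusable workflow; passing only the secrets it actually needs would narrow that.
  sync-metadata:
    needs: deploy
    permissions:
      contents: 'read'
      id-token: 'write'
    uses: './.github/workflows/load-library-metadata.yml'
    secrets: inherit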