48 lines
1.6 KiB
YAML
48 lines
1.6 KiB
YAML
when:
|
|
- event: push
|
|
branch: main
|
|
path:
|
|
exclude: ['**']
|
|
ignore_message: '[infra]'
|
|
|
|
steps:
|
|
- name: version
|
|
image: alpine:latest
|
|
commands:
|
|
- set -euo pipefail
|
|
- apk add --no-cache git
|
|
- GIT_REV="$(git rev-parse --short HEAD)"
|
|
- BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
|
|
- APP_V="$(cat version)"
|
|
- printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\n" "$GIT_REV" "$BUILD_BRANCH" "$APP_V" | tee .env.version
|
|
|
|
- name: secrets
|
|
image: alpine:latest
|
|
depends_on: [ version ]
|
|
environment:
|
|
# CI's own AppRole creds for accessing Vault to fetch the SSH key (existing names)
|
|
VAULT_ADDR: { from_secret: VAULT_ADDR }
|
|
VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }
|
|
VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
|
|
commands:
|
|
- set -euo pipefail
|
|
- apk add --no-cache bash coreutils openssh-keygen curl sed python3
|
|
- sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY
|
|
|
|
- name: deploy
|
|
image: alpine:latest
|
|
depends_on: [ secrets ]
|
|
# Reuse the SAME Woodpecker secrets to pass AppRole to the Vault Agent at runtime
|
|
environment:
|
|
VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }
|
|
VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
|
|
commands:
|
|
- set -euo pipefail
|
|
- apk add --no-cache bash openssh-client rsync coreutils
|
|
- mkdir -p /root/.ssh
|
|
- install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
|
|
- . ./ci/scripts/common/runtime_env.sh
|
|
- load_runtime_env_bundle "$(resolve_runtime_env_name)"
|
|
- bash ci/prod/scripts/bootstrap/network.sh
|
|
- bash ci/prod/scripts/deploy/db.sh
|