Skip to content
CD

configure: abstract table definitions + last sync time #447

Sign in to view logs

configure: abstract table definitions + last sync time

configure: abstract table definitions + last sync time #447

Workflow file for this run

.github/workflows/cd.yaml at 3c86fb8
name: CD
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
permissions:
id-token: write
contents: read
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: f02b3ef168fe64129e9941b4fb2e4dc1
# Used when building landing
VITE_MATTRAX_CLOUD_ORIGIN: https://cloud.mattrax.app
jobs:
build-mattrax:
name: Build Mattrax
runs-on: ubuntu-latest
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::101829795063:role/mattrax-gh-actions"
aws-region: us-east-1
role-session-name: mattrax-sst-workflow
- uses: pnpm/action-setup@v4
with:
version: latest
- name: Install Cargo Zigbuild
run: pip install cargo-zigbuild
- name: Rust cache
uses: Swatinem/rust-cache@v2
- name: Setup Rust toolchain
run: rustup toolchain install stable --profile minimal
- name: Install Rust target for 'aarch64-unknown-linux-musl'
run: rustup target add aarch64-unknown-linux-musl
- name: Build & upload binary
run: |
pnpm i -g wrangler
export HASH=$(git rev-parse HEAD)
cargo zigbuild --release --target aarch64-unknown-linux-musl -p mattrax
wrangler r2 object put "static/mattrax/$HASH/aarch64-unknown-linux" --file=target/aarch64-unknown-linux-musl/release/mattrax --cache-control "public, max-age=31536000, immutable"
echo "$HASH" | wrangler r2 object put "static/nightly" --pipe
sst:
name: SST
runs-on: ubuntu-latest
# This is required to workaround the lack of wildcard for OIDC scope
# https://github.com/Azure/azure-workload-identity/issues/373
#
# I swear to god Microsoft have never tried anything they have built.
environment: production
concurrency:
group: production
if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::101829795063:role/mattrax-gh-actions"
aws-region: us-east-1
role-session-name: mattrax-sst-workflow
- uses: pnpm/action-setup@v4
with:
version: latest
- name: Install SST
run: curl -fsSL https://ion.sst.dev/install | bash
- run: cd infra && sst deploy --stage brendonovich
env:
ARM_USE_OIDC: true
ARM_CLIENT_ID: a17b56f1-0b10-4029-9a89-7f703d3573f8
ARM_TENANT_ID: 22d6679c-fc23-425a-b69b-e5e604dd80db
AZURE_SUBSCRIPTION_ID: 22d6679c-fc23-425a-b69b-e5e604dd80db
OAUTH_CLIENT_ID: kXdvzkEgiN11CNTRL
OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_SECRET }}
build-web:
strategy:
matrix:
projects:
- landing
- docs
- web
name: Build ${{ matrix.projects }}
runs-on: ubuntu-latest
environment:
name: ${{ matrix.projects.name }}
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
with:
version: latest
- name: Install
run: pnpm i
- name: Build
run: pnpm run ${{ matrix.projects }} cbuild
env:
VITE_PROD_ORIGIN: https://cloud.mattrax.app
- name: Upload result
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.projects }}-dist
path: apps/${{ matrix.projects }}/dist
deploy-mattrax:
name: Deploy Mattrax
runs-on: ubuntu-latest
needs: [build-mattrax, sst]
concurrency:
group: mattrax
environment:
name: mattrax
url: https://mdm.mattrax.app
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
with:
version: latest
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::101829795063:role/mattrax-gh-actions"
aws-region: us-east-1
role-session-name: mattrax-sst-workflow
- name: Install SST
run: curl -fsSL https://ion.sst.dev/install | bash
- name: Set SST envs
run: |
cd infra && sst secret list --stage brendonovich | grep "MDM_INTERNAL_SECRET" >> $GITHUB_ENV
env:
ARM_USE_OIDC: true
ARM_CLIENT_ID: a17b56f1-0b10-4029-9a89-7f703d3573f8
ARM_TENANT_ID: 22d6679c-fc23-425a-b69b-e5e604dd80db
AZURE_SUBSCRIPTION_ID: 22d6679c-fc23-425a-b69b-e5e604dd80db
OAUTH_CLIENT_ID: kXdvzkEgiN11CNTRL
OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_SECRET }}
- name: Deploy Mattrax
run: |
curl -v "https://mdm.mattrax.app/internal/redeploy?secret=${{ env.MDM_INTERNAL_SECRET }}"
deploy-web:
strategy:
matrix:
projects:
- { name: landing, project: mattrax-landing }
- { name: docs, project: mattrax-docs }
- { name: web, project: mattrax }
name: Deploy ${{ matrix.projects.name }}
runs-on: ubuntu-latest
needs:
- sst
# This will wait for *all* projects to build, not just the one we care about.
# GitHub don't provide a better solution :(
- build-web
- deploy-mattrax
# Run regardless of if previous steps were skipped
if: ${{ !failure() && !cancelled() }}
environment:
name: ${{ matrix.projects.name }}
url: ${{ steps.result.outputs.DEPLOYMENT_URL }}
steps:
# We pull this so Wrangler can link the deploy to the commit/branch
- name: Git clone the repository
uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
with:
version: latest
- name: Download build artifact
uses: actions/download-artifact@v4
with:
name: ${{ matrix.projects.name }}-dist
path: dist
- name: Deploy
run: |
set -o pipefail
pnpm dlx wrangler pages deploy dist/ --project-name ${{ matrix.projects.project }} 2>&1 | tee -a BUILD_OUTPUT
- name: Export `DEPLOYMENT_URL`
id: result
run: echo "DEPLOYMENT_URL=$(grep -Eo 'https://[^ >]+' BUILD_OUTPUT|head -1)" >> $GITHUB_OUTPUT