configure: break table out into own file + chart #452
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CD | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
workflow_dispatch: | |
permissions: | |
id-token: write | |
contents: read | |
env: | |
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
CLOUDFLARE_ACCOUNT_ID: f02b3ef168fe64129e9941b4fb2e4dc1 | |
# Used when building landing | |
VITE_MATTRAX_CLOUD_ORIGIN: https://cloud.mattrax.app | |
jobs: | |
build-mattrax: | |
name: Build Mattrax | |
runs-on: ubuntu-latest | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: "arn:aws:iam::101829795063:role/mattrax-gh-actions" | |
aws-region: us-east-1 | |
role-session-name: mattrax-sst-workflow | |
- uses: pnpm/action-setup@v4 | |
with: | |
version: latest | |
- name: Install Cargo Zigbuild | |
run: pip install cargo-zigbuild | |
- name: Rust cache | |
uses: Swatinem/rust-cache@v2 | |
- name: Setup Rust toolchain | |
run: rustup toolchain install stable --profile minimal | |
- name: Install Rust target for 'aarch64-unknown-linux-musl' | |
run: rustup target add aarch64-unknown-linux-musl | |
- name: Build & upload binary | |
run: | | |
pnpm i -g wrangler | |
export HASH=$(git rev-parse HEAD) | |
cargo zigbuild --release --target aarch64-unknown-linux-musl -p mattrax | |
wrangler r2 object put "static/mattrax/$HASH/aarch64-unknown-linux" --file=target/aarch64-unknown-linux-musl/release/mattrax --cache-control "public, max-age=31536000, immutable" | |
echo "$HASH" | wrangler r2 object put "static/nightly" --pipe | |
sst: | |
name: SST | |
runs-on: ubuntu-latest | |
# This is required to workaround the lack of wildcard for OIDC scope | |
# https://github.com/Azure/azure-workload-identity/issues/373 | |
# | |
# I swear to god Microsoft have never tried anything they have built. | |
environment: production | |
concurrency: | |
group: production | |
if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: "arn:aws:iam::101829795063:role/mattrax-gh-actions" | |
aws-region: us-east-1 | |
role-session-name: mattrax-sst-workflow | |
- uses: pnpm/action-setup@v4 | |
with: | |
version: latest | |
- name: Install SST | |
run: curl -fsSL https://ion.sst.dev/install | bash | |
- run: cd infra && sst deploy --stage brendonovich | |
env: | |
ARM_USE_OIDC: true | |
ARM_CLIENT_ID: a17b56f1-0b10-4029-9a89-7f703d3573f8 | |
ARM_TENANT_ID: 22d6679c-fc23-425a-b69b-e5e604dd80db | |
AZURE_SUBSCRIPTION_ID: 22d6679c-fc23-425a-b69b-e5e604dd80db | |
OAUTH_CLIENT_ID: kXdvzkEgiN11CNTRL | |
OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_SECRET }} | |
build-web: | |
strategy: | |
matrix: | |
projects: | |
- landing | |
- docs | |
- web | |
name: Build ${{ matrix.projects }} | |
runs-on: ubuntu-latest | |
environment: | |
name: ${{ matrix.projects.name }} | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- uses: pnpm/action-setup@v4 | |
with: | |
version: latest | |
- name: Install | |
run: pnpm i | |
- name: Build | |
run: pnpm run ${{ matrix.projects }} cbuild | |
env: | |
VITE_PROD_ORIGIN: https://cloud.mattrax.app | |
- name: Upload result | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ matrix.projects }}-dist | |
path: apps/${{ matrix.projects }}/dist | |
deploy-mattrax: | |
name: Deploy Mattrax | |
runs-on: ubuntu-latest | |
needs: [build-mattrax, sst] | |
concurrency: | |
group: mattrax | |
environment: | |
name: mattrax | |
url: https://mdm.mattrax.app | |
steps: | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- uses: pnpm/action-setup@v4 | |
with: | |
version: latest | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: "arn:aws:iam::101829795063:role/mattrax-gh-actions" | |
aws-region: us-east-1 | |
role-session-name: mattrax-sst-workflow | |
- name: Install SST | |
run: curl -fsSL https://ion.sst.dev/install | bash | |
- name: Set SST envs | |
run: | | |
cd infra && sst secret list --stage brendonovich | grep "MDM_INTERNAL_SECRET" >> $GITHUB_ENV | |
env: | |
ARM_USE_OIDC: true | |
ARM_CLIENT_ID: a17b56f1-0b10-4029-9a89-7f703d3573f8 | |
ARM_TENANT_ID: 22d6679c-fc23-425a-b69b-e5e604dd80db | |
AZURE_SUBSCRIPTION_ID: 22d6679c-fc23-425a-b69b-e5e604dd80db | |
OAUTH_CLIENT_ID: kXdvzkEgiN11CNTRL | |
OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_SECRET }} | |
- name: Deploy Mattrax | |
run: | | |
curl -v "https://mdm.mattrax.app/internal/redeploy?secret=${{ env.MDM_INTERNAL_SECRET }}" | |
deploy-web: | |
strategy: | |
matrix: | |
projects: | |
- { name: landing, project: mattrax-landing } | |
- { name: docs, project: mattrax-docs } | |
- { name: web, project: mattrax } | |
name: Deploy ${{ matrix.projects.name }} | |
runs-on: ubuntu-latest | |
needs: | |
- sst | |
# This will wait for *all* projects to build, not just the one we care about. | |
# GitHub don't provide a better solution :( | |
- build-web | |
- deploy-mattrax | |
# Run regardless of if previous steps were skipped | |
if: ${{ !failure() && !cancelled() }} | |
environment: | |
name: ${{ matrix.projects.name }} | |
url: ${{ steps.result.outputs.DEPLOYMENT_URL }} | |
steps: | |
# We pull this so Wrangler can link the deploy to the commit/branch | |
- name: Git clone the repository | |
uses: actions/checkout@v4 | |
- uses: pnpm/action-setup@v4 | |
with: | |
version: latest | |
- name: Download build artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.projects.name }}-dist | |
path: dist | |
- name: Deploy | |
run: | | |
set -o pipefail | |
pnpm dlx wrangler pages deploy dist/ --project-name ${{ matrix.projects.project }} 2>&1 | tee -a BUILD_OUTPUT | |
- name: Export `DEPLOYMENT_URL` | |
id: result | |
run: echo "DEPLOYMENT_URL=$(grep -Eo 'https://[^ >]+' BUILD_OUTPUT|head -1)" >> $GITHUB_OUTPUT |