mirror of
https://github.com/coder/coder.git
synced 2026-06-05 05:58:20 +00:00
dependabot[bot]
2875053b83
Bumps the github-actions group with 4 updates: [actions/cache](https://github.com/actions/cache), [fluxcd/flux2](https://github.com/fluxcd/flux2), [Mattraks/delete-workflow-runs](https://github.com/mattraks/delete-workflow-runs) and [umbrelladocs/action-linkspector](https://github.com/umbrelladocs/action-linkspector). Updates `actions/cache` from 5.0.3 to 5.0.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v5.0.4</h2> <h2>What's Changed</h2> <ul> <li>Add release instructions and update maintainer docs by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1696">actions/cache#1696</a></li> <li>Potential fix for code scanning alert no. 52: Workflow does not contain permissions by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1697">actions/cache#1697</a></li> <li>Fix workflow permissions and cleanup workflow names / formatting by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1699">actions/cache#1699</a></li> <li>docs: Update examples to use the latest version by <a href="https://github.com/XZTDean"><code>@XZTDean</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1690">actions/cache#1690</a></li> <li>Fix proxy integration tests by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1701">actions/cache#1701</a></li> <li>Fix cache key in examples.md for bun.lock by <a href="https://github.com/RyPeck"><code>@RyPeck</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1722">actions/cache#1722</a></li> <li>Update dependencies & patch security vulnerabilities by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1738">actions/cache#1738</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/XZTDean"><code>@XZTDean</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1690">actions/cache#1690</a></li> <li><a href="https://github.com/RyPeck"><code>@RyPeck</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1722">actions/cache#1722</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v5...v5.0.4">https://github.com/actions/cache/compare/v5...v5.0.4</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h2>How to prepare a release</h2> <blockquote> <p>[!NOTE]<br /> Relevant for maintainers with write access only.</p> </blockquote> <ol> <li>Switch to a new branch from <code>main</code>.</li> <li>Run <code>npm test</code> to ensure all tests are passing.</li> <li>Update the version in <a href="https://github.com/actions/cache/blob/main/package.json"><code>https://github.com/actions/cache/blob/main/package.json</code></a>.</li> <li>Run <code>npm run build</code> to update the compiled files.</li> <li>Update this <a href="https://github.com/actions/cache/blob/main/RELEASES.md"><code>https://github.com/actions/cache/blob/main/RELEASES.md</code></a> with the new version and changes in the <code>## Changelog</code> section.</li> <li>Run <code>licensed cache</code> to update the license report.</li> <li>Run <code>licensed status</code> and resolve any warnings by updating the <a href="https://github.com/actions/cache/blob/main/.licensed.yml"><code>https://github.com/actions/cache/blob/main/.licensed.yml</code></a> file with the exceptions.</li> <li>Commit your changes and push your branch upstream.</li> <li>Open a pull request against <code>main</code> and get it reviewed and merged.</li> <li>Draft a new release <a href="https://github.com/actions/cache/releases">https://github.com/actions/cache/releases</a> use the same version number used in <code>package.json</code> <ol> <li>Create a new tag with the version number.</li> <li>Auto generate release notes and update them to match the changes you made in <code>RELEASES.md</code>.</li> <li>Toggle the set as the latest release option.</li> <li>Publish the release.</li> </ol> </li> <li>Navigate to <a href="https://github.com/actions/cache/actions/workflows/release-new-action-version.yml">https://github.com/actions/cache/actions/workflows/release-new-action-version.yml</a> <ol> <li>There should be a workflow run queued with the same version number.</li> <li>Approve the run to publish the new version and update the major tags for this action.</li> </ol> </li> </ol> <h2>Changelog</h2> <h3>5.0.4</h3> <ul> <li>Bump <code>minimatch</code> to v3.1.5 (fixes ReDoS via globstar patterns)</li> <li>Bump <code>undici</code> to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)</li> <li>Bump <code>fast-xml-parser</code> to v5.5.6</li> </ul> <h3>5.0.3</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <h3>5.0.2</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.3 <a href="https://redirect.github.com/actions/cache/pull/1692">#1692</a></li> </ul> <h3>5.0.1</h3> <ul> <li>Update <code>@azure/storage-blob</code> to <code>^12.29.1</code> via <code>@actions/cache@5.0.1</code> <a href="https://redirect.github.com/actions/cache/pull/1685">#1685</a></li> </ul> <h3>5.0.0</h3> <blockquote> <p>[!IMPORTANT] <code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>.</p> </blockquote> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/cache/commit/668228422ae6a00e4ad889ee87cd7109ec5666a7"><code>6682284</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1738">#1738</a> from actions/prepare-v5.0.4</li> <li><a href="https://github.com/actions/cache/commit/e34039626f957d3e3e50843d15c1b20547fc90e2"><code>e340396</code></a> Update RELEASES</li> <li><a href="https://github.com/actions/cache/commit/8a671105293e81530f1af99863cdf94550aba1a6"><code>8a67110</code></a> Add licenses</li> <li><a href="https://github.com/actions/cache/commit/1865903e1b0cb750dda9bc5c58be03424cc62830"><code>1865903</code></a> Update dependencies & patch security vulnerabilities</li> <li><a href="https://github.com/actions/cache/commit/565629816435f6c0b50676926c9b05c254113c0c"><code>5656298</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1722">#1722</a> from RyPeck/patch-1</li> <li><a href="https://github.com/actions/cache/commit/4e380d19e192ace8e86f23f32ca6fdec98a673c6"><code>4e380d1</code></a> Fix cache key in examples.md for bun.lock</li> <li><a href="https://github.com/actions/cache/commit/b7e8d49f17405cc70c1c120101943203c98d3a4b"><code>b7e8d49</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1701">#1701</a> from actions/Link-/fix-proxy-integration-tests</li> <li><a href="https://github.com/actions/cache/commit/984a21b1cb176a0936f4edafb42be88978f93ef1"><code>984a21b</code></a> Add traffic sanity check step</li> <li><a href="https://github.com/actions/cache/commit/acf2f1f76affe1ef80eee8e56dfddd3b3e5f0fba"><code>acf2f1f</code></a> Fix resolution</li> <li><a href="https://github.com/actions/cache/commit/95a07c51324af6001b4d6ab8dff29f4dfadc2531"><code>95a07c5</code></a> Add wait for proxy</li> <li>Additional commits viewable in <a href="https://github.com/actions/cache/compare/cdf6c1fa76f9f475f3d7449005a359c84ca0f306...668228422ae6a00e4ad889ee87cd7109ec5666a7">compare view</a></li> </ul> </details> <br /> Updates `fluxcd/flux2` from 2.7.5 to 2.8.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/fluxcd/flux2/releases">fluxcd/flux2's releases</a>.</em></p> <blockquote> <h2>v2.8.3</h2> <h2>Highlights</h2> <p>Flux v2.8.3 is a patch release that fixes a regression in helm-controller. Users are encouraged to upgrade for the best experience.</p> <p>ℹ️ Please follow the <a href="https://github.com/fluxcd/flux2/discussions/5572">Upgrade Procedure for Flux v2.7+</a> for a smooth upgrade from Flux v2.6 to the latest version.</p> <p>Fixes:</p> <ul> <li>Fix templating errors for charts that include <code>---</code> in the content, e.g. YAML separators, embedded scripts, CAs inside ConfigMaps (helm-controller)</li> </ul> <h2>Components changelog</h2> <ul> <li>helm-controller <a href="https://github.com/fluxcd/helm-controller/blob/v1.5.3/CHANGELOG.md">v1.5.3</a></li> </ul> <h2>CLI changelog</h2> <ul> <li>[release/v2.8.x] Add target branch name to update branch by <a href="https://github.com/fluxcdbot"><code>@fluxcdbot</code></a> in <a href="https://redirect.github.com/fluxcd/flux2/pull/5774">fluxcd/flux2#5774</a></li> <li>Update toolkit components by <a href="https://github.com/fluxcdbot"><code>@fluxcdbot</code></a> in <a href="https://redirect.github.com/fluxcd/flux2/pull/5779">fluxcd/flux2#5779</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/fluxcd/flux2/compare/v2.8.2...v2.8.3">https://github.com/fluxcd/flux2/compare/v2.8.2...v2.8.3</a></p> <h2>v2.8.2</h2> <h2>Highlights</h2> <p>Flux v2.8.2 is a patch release that comes with various fixes. Users are encouraged to upgrade for the best experience.</p> <p>ℹ️ Please follow the <a href="https://github.com/fluxcd/flux2/discussions/5572">Upgrade Procedure for Flux v2.7+</a> for a smooth upgrade from Flux v2.6 to the latest version.</p> <p>Fixes:</p> <ul> <li>Fix enqueuing new reconciliation requests for events on source Flux objects when they are already reconciling the revision present in the watch event (kustomize-controller, helm-controller)</li> <li>Fix the Go templates bug of YAML separator <code>---</code> getting concatenated to <code>apiVersion:</code> by updating to Helm 4.1.3 (helm-controller)</li> <li>Fix canceled HelmReleases getting stuck when they don't have a retry strategy configured by introducing a new feature gate <code>DefaultToRetryOnFailure</code> that improves the experience when the <code>CancelHealthCheckOnNewRevision</code> is enabled (helm-controller)</li> <li>Fix the auth scope for Azure Container Registry to use the ACR-specific scope (source-controller, image-reflector-controller)</li> <li>Fix potential Denial of Service (DoS) during TLS handshakes (CVE-2026-27138) by building all controllers with Go 1.26.1</li> </ul> <h2>Components changelog</h2> <ul> <li>source-controller <a href="https://github.com/fluxcd/source-controller/blob/v1.8.1/CHANGELOG.md">v1.8.1</a></li> <li>kustomize-controller <a href="https://github.com/fluxcd/kustomize-controller/blob/v1.8.2/CHANGELOG.md">v1.8.2</a></li> <li>notification-controller <a href="https://github.com/fluxcd/notification-controller/blob/v1.8.2/CHANGELOG.md">v1.8.2</a></li> <li>helm-controller <a href="https://github.com/fluxcd/helm-controller/blob/v1.5.2/CHANGELOG.md">v1.5.2</a></li> <li>image-reflector-controller <a href="https://github.com/fluxcd/image-reflector-controller/blob/v1.1.1/CHANGELOG.md">v1.1.1</a></li> <li>image-automation-controller <a href="https://github.com/fluxcd/image-automation-controller/blob/v1.1.1/CHANGELOG.md">v1.1.1</a></li> <li>source-watcher <a href="https://github.com/fluxcd/source-watcher/blob/v2.1.1/CHANGELOG.md">v2.1.1</a></li> </ul> <h2>CLI changelog</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/fluxcd/flux2/commit/871be9b40d53627786d3a3835a3ddba1e3234bd2"><code>871be9b</code></a> Merge pull request <a href="https://redirect.github.com/fluxcd/flux2/issues/5779">#5779</a> from fluxcd/update-components-release/v2.8.x</li> <li><a href="https://github.com/fluxcd/flux2/commit/f7a168935dd2d777109ea189e0ef094695caeea7"><code>f7a1689</code></a> Update toolkit components</li> <li><a href="https://github.com/fluxcd/flux2/commit/bf67d7799d07eff26891a8b373601f1f07ee4411"><code>bf67d77</code></a> Merge pull request <a href="https://redirect.github.com/fluxcd/flux2/issues/5774">#5774</a> from fluxcd/backport-5773-to-release/v2.8.x</li> <li><a href="https://github.com/fluxcd/flux2/commit/5cb2208cb7dda2abc7d4bdc971458981c6be8323"><code>5cb2208</code></a> Add target branch name to update branch</li> <li><a href="https://github.com/fluxcd/flux2/commit/bfa461ed2153ae5e0cca6bce08e0845268fb3088"><code>bfa461e</code></a> Merge pull request <a href="https://redirect.github.com/fluxcd/flux2/issues/5771">#5771</a> from fluxcd/update-pkg-deps/release/v2.8.x</li> <li><a href="https://github.com/fluxcd/flux2/commit/f11a921e0cdc6c681a157c7a4777150463eaeec8"><code>f11a921</code></a> Update fluxcd/pkg dependencies</li> <li><a href="https://github.com/fluxcd/flux2/commit/b248efab1d786a27ccddf4b341a1034d67c14b3b"><code>b248efa</code></a> Merge pull request <a href="https://redirect.github.com/fluxcd/flux2/issues/5770">#5770</a> from fluxcd/backport-5769-to-release/v2.8.x</li> <li><a href="https://github.com/fluxcd/flux2/commit/4d5e044eb9067a15d1099cb9bc81147b5d4daf37"><code>4d5e044</code></a> Update toolkit components</li> <li><a href="https://github.com/fluxcd/flux2/commit/3c8917ca28a93d6ab4b97379c0c81a4144e9f7d6"><code>3c8917c</code></a> Merge pull request <a href="https://redirect.github.com/fluxcd/flux2/issues/5767">#5767</a> from fluxcd/update-pkg-deps/release/v2.8.x</li> <li><a href="https://github.com/fluxcd/flux2/commit/c1f11bcf3d6433dbbb81835eb9f8016c3067d7ef"><code>c1f11bc</code></a> Update fluxcd/pkg dependencies</li> <li>Additional commits viewable in <a href="https://github.com/fluxcd/flux2/compare/8454b02a32e48d775b9f563cb51fdcb1787b5b93...871be9b40d53627786d3a3835a3ddba1e3234bd2">compare view</a></li> </ul> </details> <br /> Updates `Mattraks/delete-workflow-runs` from 5bf9a1dac5c4d041c029f0a8370ddf0c5cb5aeb7 to b3018382ca039b53d238908238bd35d1fb14f8ee <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/mattraks/delete-workflow-runs/compare/5bf9a1dac5c4d041c029f0a8370ddf0c5cb5aeb7...5bf9a1dac5c4d041c029f0a8370ddf0c5cb5aeb7">compare view</a></li> </ul> </details> <br /> Updates `umbrelladocs/action-linkspector` from 1.4.0 to 1.4.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/umbrelladocs/action-linkspector/releases">umbrelladocs/action-linkspector's releases</a>.</em></p> <blockquote> <h2>Release v1.4.1</h2> <p>v1.4.1: PR <a href="https://redirect.github.com/umbrelladocs/action-linkspector/issues/52">#52</a> - chore: update actions/checkout to v5 across all workflows</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/UmbrellaDocs/action-linkspector/commit/37c85bcde51b30bf929936502bac6bfb7e8f0a4d"><code>37c85bc</code></a> Merge pull request <a href="https://redirect.github.com/umbrelladocs/action-linkspector/issues/52">#52</a> from UmbrellaDocs/action-v5</li> <li><a href="https://github.com/UmbrellaDocs/action-linkspector/commit/badbe56d6b5b23e1b01e0a48b02c8c42c734488c"><code>badbe56</code></a> chore: update actions/checkout to v5 across all workflows</li> <li><a href="https://github.com/UmbrellaDocs/action-linkspector/commit/e0578c9289f053a6b2ab5ff03a1ec3d507bbb790"><code>e0578c9</code></a> Merge pull request <a href="https://redirect.github.com/umbrelladocs/action-linkspector/issues/51">#51</a> from UmbrellaDocs/caching-fix-50</li> <li><a href="https://github.com/UmbrellaDocs/action-linkspector/commit/5ede5ac56a1421d000b3c6188c227bee606869ac"><code>5ede5ac</code></a> feat: enhance reviewdog setup with caching and version management</li> <li><a href="https://github.com/UmbrellaDocs/action-linkspector/commit/a73cfa2d0f04a59ec1ab98c0f00fdd36ff5a84a1"><code>a73cfa2</code></a> Merge pull request <a href="https://redirect.github.com/umbrelladocs/action-linkspector/issues/49">#49</a> from Goooler/node24</li> <li><a href="https://github.com/UmbrellaDocs/action-linkspector/commit/aee511ae2bf96aa01d6d77ae1c775f2f18909d49"><code>aee511a</code></a> Update action runtime to node 24</li> <li>See full diff in <a href="https://github.com/umbrelladocs/action-linkspector/compare/652f85bc57bb1e7d4327260decc10aa68f7694c3...37c85bcde51b30bf929936502bac6bfb7e8f0a4d">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
169 lines
6.7 KiB
YAML
169 lines
6.7 KiB
YAML
name: deploy
|
|
|
|
on:
|
|
# Via workflow_call, called from ci.yaml
|
|
workflow_call:
|
|
inputs:
|
|
image:
|
|
description: "Image and tag to potentially deploy. Current branch will be validated against should-deploy check."
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
FLY_API_TOKEN:
|
|
required: true
|
|
FLY_PARIS_CODER_PROXY_SESSION_TOKEN:
|
|
required: true
|
|
FLY_SYDNEY_CODER_PROXY_SESSION_TOKEN:
|
|
required: true
|
|
FLY_SAO_PAULO_CODER_PROXY_SESSION_TOKEN:
|
|
required: true
|
|
FLY_JNB_CODER_PROXY_SESSION_TOKEN:
|
|
required: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }} # no per-branch concurrency
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
# Determines if the given branch should be deployed to dogfood.
|
|
should-deploy:
|
|
name: should-deploy
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
verdict: ${{ steps.check.outputs.verdict }} # DEPLOY or NOOP
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
|
|
- name: Check if deploy is enabled
|
|
id: check
|
|
run: |
|
|
set -euo pipefail
|
|
verdict="$(./scripts/should_deploy.sh)"
|
|
echo "verdict=$verdict" >> "$GITHUB_OUTPUT"
|
|
|
|
deploy:
|
|
name: "deploy"
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
needs: should-deploy
|
|
if: needs.should-deploy.outputs.verdict == 'DEPLOY'
|
|
permissions:
|
|
contents: read
|
|
id-token: write # to authenticate to EKS cluster
|
|
packages: write # to retag image as dogfood
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
|
|
- name: GHCR Login
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Configure AWS Credentials
|
|
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
|
|
with:
|
|
role-to-assume: ${{ vars.AWS_DOGFOOD_DEPLOY_ROLE }}
|
|
aws-region: ${{ vars.AWS_DOGFOOD_DEPLOY_REGION }}
|
|
|
|
- name: Get Cluster Credentials
|
|
run: aws eks update-kubeconfig --name "$AWS_DOGFOOD_CLUSTER_NAME" --region "$AWS_DOGFOOD_DEPLOY_REGION"
|
|
env:
|
|
AWS_DOGFOOD_CLUSTER_NAME: ${{ vars.AWS_DOGFOOD_CLUSTER_NAME }}
|
|
AWS_DOGFOOD_DEPLOY_REGION: ${{ vars.AWS_DOGFOOD_DEPLOY_REGION }}
|
|
|
|
- name: Set up Flux CLI
|
|
uses: fluxcd/flux2/action@871be9b40d53627786d3a3835a3ddba1e3234bd2 # v2.8.3
|
|
with:
|
|
# Keep this and the github action up to date with the version of flux installed in dogfood cluster
|
|
version: "2.8.2"
|
|
|
|
# Retag image as dogfood while maintaining the multi-arch manifest
|
|
- name: Tag image as dogfood
|
|
run: docker buildx imagetools create --tag "ghcr.io/coder/coder-preview:dogfood" "$IMAGE"
|
|
env:
|
|
IMAGE: ${{ inputs.image }}
|
|
|
|
- name: Reconcile Flux
|
|
run: |
|
|
set -euxo pipefail
|
|
flux --namespace flux-system reconcile source git flux-system
|
|
flux --namespace flux-system reconcile source git coder-main
|
|
flux --namespace flux-system reconcile kustomization flux-system
|
|
flux --namespace flux-system reconcile kustomization coder
|
|
flux --namespace flux-system reconcile source chart coder-coder
|
|
flux --namespace flux-system reconcile source chart coder-coder-provisioner
|
|
flux --namespace coder reconcile helmrelease coder
|
|
flux --namespace coder reconcile helmrelease coder-provisioner
|
|
flux --namespace coder reconcile helmrelease coder-provisioner-tagged
|
|
flux --namespace coder reconcile helmrelease coder-provisioner-tagged-prebuilds
|
|
|
|
# Just updating Flux is usually not enough. The Helm release may get
|
|
# redeployed, but unless something causes the Deployment to update the
|
|
# pods won't be recreated. It's important that the pods get recreated,
|
|
# since we use `imagePullPolicy: Always` to ensure we're running the
|
|
# latest image.
|
|
- name: Rollout Deployment
|
|
run: |
|
|
set -euxo pipefail
|
|
kubectl --namespace coder rollout restart deployment/coder
|
|
kubectl --namespace coder rollout status deployment/coder
|
|
kubectl --namespace coder rollout restart deployment/coder-provisioner
|
|
kubectl --namespace coder rollout status deployment/coder-provisioner
|
|
kubectl --namespace coder rollout restart deployment/coder-provisioner-tagged
|
|
kubectl --namespace coder rollout status deployment/coder-provisioner-tagged
|
|
kubectl --namespace coder rollout restart deployment/coder-provisioner-tagged-prebuilds
|
|
kubectl --namespace coder rollout status deployment/coder-provisioner-tagged-prebuilds
|
|
|
|
deploy-wsproxies:
|
|
runs-on: ubuntu-latest
|
|
needs: deploy
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
|
|
- name: Setup flyctl
|
|
uses: superfly/flyctl-actions/setup-flyctl@fc53c09e1bc3be6f54706524e3b82c4f462f77be # v1.5
|
|
|
|
- name: Deploy workspace proxies
|
|
run: |
|
|
flyctl deploy --image "$IMAGE" --app paris-coder --config ./.github/fly-wsproxies/paris-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_PARIS" --yes
|
|
flyctl deploy --image "$IMAGE" --app sydney-coder --config ./.github/fly-wsproxies/sydney-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_SYDNEY" --yes
|
|
flyctl deploy --image "$IMAGE" --app jnb-coder --config ./.github/fly-wsproxies/jnb-coder.toml --env "CODER_PROXY_SESSION_TOKEN=$TOKEN_JNB" --yes
|
|
env:
|
|
FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
|
|
IMAGE: ${{ inputs.image }}
|
|
TOKEN_PARIS: ${{ secrets.FLY_PARIS_CODER_PROXY_SESSION_TOKEN }}
|
|
TOKEN_SYDNEY: ${{ secrets.FLY_SYDNEY_CODER_PROXY_SESSION_TOKEN }}
|
|
TOKEN_JNB: ${{ secrets.FLY_JNB_CODER_PROXY_SESSION_TOKEN }}
|