feat(workflow): integrate with workflow identity pool (#4945)

* feat(workflows): add wif workflow * feat(workflows): add name of compute instance * feat(workflows): fix permissions * feat(workflows): add an OR true since github runs with -e * ci(testing-deployment): include GITHUB envs * ci(testing-deployment): move GCP information to secrets * ci(staging-deployment): wif workflow --------- Co-authored-by: Prashant Shahi <[email protected]>
SigNoz · May 10, 2024 · 7460e65 · 7460e65
1 parent 211fe4f
commit 7460e65
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 56 deletions.
diff --git a/.github/workflows/staging-deployment.yaml b/.github/workflows/staging-deployment.yaml
@@ -9,34 +9,46 @@ jobs:
  name: Deploy latest develop branch to staging
  runs-on: ubuntu-latest
  environment: staging
+ permissions:
+ contents: 'read'
+ id-token: 'write'
  steps:
- - name: Executing remote ssh commands using ssh key
- uses: appleboy/[email protected]
+ - id: 'auth'
+ uses: 'google-github-actions/auth@v2'
+ with:
+ workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+ - name: 'sdk'
+ uses: 'google-github-actions/setup-gcloud@v2'
+
+ - name: 'ssh'
+ shell: bash
  env:
- GITHUB_BRANCH: develop
+ GITHUB_BRANCH: ${{ github.head_ref || github.ref_name }}
  GITHUB_SHA: ${{ github.sha }}
- with:
- host: ${{ secrets.HOST_DNS }}
- username: ${{ secrets.USERNAME }}
-  key: ${{ secrets.SSH_KEY }}
- envs: GITHUB_BRANCH,GITHUB_SHA
- command_timeout: 60m
- script: |
-  echo "GITHUB_BRANCH: ${GITHUB_BRANCH}"
-  echo "GITHUB_SHA: ${GITHUB_SHA}"
-  export DOCKER_TAG="${GITHUB_SHA:0:7}" # needed for child process to access it
-  export OTELCOL_TAG="main"
-  export PATH="/usr/local/go/bin/:$PATH" # needed for Golang to work
-  docker system prune --force
-  docker pull signoz/signoz-otel-collector:main
-  docker pull signoz/signoz-schema-migrator:main
-  cd ~/signoz
-  git status
-  git add .
-  git stash push -m "stashed on $(date --iso-8601=seconds)"
-  git fetch origin
-  git checkout ${GITHUB_BRANCH}
-  git pull
-  make build-ee-query-service-amd64
-  make build-frontend-amd64
-  make run-signoz
+  GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
+ GCP_ZONE: ${{ secrets.GCP_ZONE }}
+ GCP_INSTANCE: ${{ secrets.GCP_INSTANCE }}
+ run: |
+ read -r -d '' COMMAND <<EOF || true
+ echo "GITHUB_BRANCH: ${GITHUB_BRANCH}"
+ echo "GITHUB_SHA: ${GITHUB_SHA}"
+ export DOCKER_TAG="${GITHUB_SHA:0:7}" # needed for child process to access it
+ export OTELCOL_TAG="main"
+ export PATH="/usr/local/go/bin/:$PATH" # needed for Golang to work
+ docker system prune --force
+ docker pull signoz/signoz-otel-collector:main
+ docker pull signoz/signoz-schema-migrator:main
+ cd ~/signoz
+ git status
+ git add .
+ git stash push -m "stashed on $(date --iso-8601=seconds)"
+ git fetch origin
+ git checkout ${GITHUB_BRANCH}
+ git pull
+ make build-ee-query-service-amd64
+ make build-frontend-amd64
+ make run-signoz
+ EOF
+ gcloud compute ssh ${GCP_INSTANCE} --zone ${GCP_ZONE} --tunnel-through-iap --project ${GCP_PROJECT} --command "${COMMAND}"
diff --git a/.github/workflows/testing-deployment.yaml b/.github/workflows/testing-deployment.yaml
@@ -9,35 +9,47 @@ jobs:
  runs-on: ubuntu-latest
  environment: testing
  if: ${{ github.event.label.name == 'testing-deploy' }}
+ permissions:
+ contents: 'read'
+ id-token: 'write'
  steps:
- - name: Executing remote ssh commands using ssh key
- uses: appleboy/[email protected]
+ - id: 'auth'
+ uses: 'google-github-actions/auth@v2'
+ with:
+ workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+ - name: 'sdk'
+ uses: 'google-github-actions/setup-gcloud@v2'
+
+ - name: 'ssh'
+ shell: bash
  env:
  GITHUB_BRANCH: ${{ github.head_ref || github.ref_name }}
  GITHUB_SHA: ${{ github.sha }}
- with:
- host: ${{ secrets.HOST_DNS }}
- username: ${{ secrets.USERNAME }}
-  key: ${{ secrets.SSH_KEY }}
- envs: GITHUB_BRANCH,GITHUB_SHA
- command_timeout: 60m
- script: |
-  echo "GITHUB_BRANCH: ${GITHUB_BRANCH}"
-  echo "GITHUB_SHA: ${GITHUB_SHA}"
-  export DOCKER_TAG="${GITHUB_SHA:0:7}" # needed for child process to access it
-  export DEV_BUILD="1"
-  export PATH="/usr/local/go/bin/:$PATH" # needed for Golang to work
-  docker system prune --force
-  cd ~/signoz
-  git status
-  git add .
-  git stash push -m "stashed on $(date --iso-8601=seconds)"
-  git fetch origin
-  git checkout develop
-  git pull
-  # This is added to include the scenerio when new commit in PR is force-pushed
-  git branch -D ${GITHUB_BRANCH}
-  git checkout --track origin/${GITHUB_BRANCH}
-  make build-ee-query-service-amd64
-  make build-frontend-amd64
-  make run-signoz
+  GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
+ GCP_ZONE: ${{ secrets.GCP_ZONE }}
+ GCP_INSTANCE: ${{ secrets.GCP_INSTANCE }}
+ run: |
+ read -r -d '' COMMAND <<EOF || true
+ echo "GITHUB_BRANCH: ${GITHUB_BRANCH}"
+ echo "GITHUB_SHA: ${GITHUB_SHA}"
+ export DOCKER_TAG="${GITHUB_SHA:0:7}" # needed for child process to access it
+ export DEV_BUILD="1"
+ export PATH="/usr/local/go/bin/:$PATH" # needed for Golang to work
+ docker system prune --force
+ cd ~/signoz
+ git status
+ git add .
+ git stash push -m "stashed on $(date --iso-8601=seconds)"
+ git fetch origin
+ git checkout develop
+ git pull
+ # This is added to include the scenerio when new commit in PR is force-pushed
+ git branch -D ${GITHUB_BRANCH}
+ git checkout --track origin/${GITHUB_BRANCH}
+ make build-ee-query-service-amd64
+ make build-frontend-amd64
+ make run-signoz
+ EOF
+ gcloud compute ssh ${GCP_INSTANCE} --zone ${GCP_ZONE} --tunnel-through-iap --project ${GCP_PROJECT} --command "${COMMAND}"