fix: security patch (#651) #630
name: Build Docker Images, Push to Registry, and Deploy to Production | |
on: | |
push: | |
branches: | |
- main | |
release: | |
types: [published] | |
jobs: | |
build-push: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
service: [backend, frontend, realtime-evaluators] | |
steps: | |
- name: Check out the private Ops repo | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ secrets.GH_TOKEN }} | |
submodules: "recursive" | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
version: "lab:latest" | |
driver: cloud | |
endpoint: "lunary/lunary" | |
- name: Generate date | |
id: date | |
run: echo "date=$(date +%Y-%m-%d-%Hh%Mm%Ss)" >> $GITHUB_OUTPUT | |
- name: Get short commit hash | |
id: commit | |
run: echo "hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
- name: Remove 'v' prefix from release tag | |
id: release_tag | |
run: echo "tag=$(echo ${{ github.event.release.tag_name }} | sed 's/^v//')" >> $GITHUB_OUTPUT | |
- name: Build and push ${{ matrix.service }} | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
build-args: | | |
VERSION=${{ steps.release_tag.outputs.tag != '' && steps.release_tag.outputs.tag || format('rev-{0}-{1}', steps.date.outputs.date, steps.commit.outputs.hash) }} | |
file: ./ops/${{ matrix.service }}.Dockerfile | |
push: true | |
tags: | | |
lunary/${{ matrix.service }}:latest | |
lunary/${{ matrix.service }}:rev-${{ steps.date.outputs.date }}-${{ steps.commit.outputs.hash }} | |
${{ github.event.release.tag_name != '' && format('lunary/{0}:{1}', matrix.service, steps.release_tag.outputs.tag) || '' }} | |
platforms: linux/arm64,linux/amd64 | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
build-push-ml: | |
if: github.event_name == 'release' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the ML repository | |
uses: actions/checkout@v4 | |
with: | |
repository: lunary-ai/ml | |
token: ${{ secrets.GH_TOKEN }} | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
version: "lab:latest" | |
driver: cloud | |
endpoint: "lunary/lunary" | |
- name: Remove 'v' prefix from release tag | |
id: release_tag | |
run: echo "tag=$(echo ${{ github.event.release.tag_name }} | sed 's/^v//')" >> $GITHUB_OUTPUT | |
- name: Build and push ml service | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./Dockerfile | |
push: true | |
tags: | | |
lunary/ml:latest | |
${{ github.event.release.tag_name != '' && format('lunary/ml:{0}', steps.release_tag.outputs.tag) || '' }} | |
platforms: linux/arm64,linux/amd64 | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
publish-helm: | |
if: github.event_name == 'release' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the Helm repository | |
uses: actions/checkout@v4 | |
with: | |
repository: lunary-ai/helm | |
token: ${{ secrets.GH_TOKEN }} | |
- name: Set Git user identity | |
run: | | |
git config --global user.email "[email protected]" | |
git config --global user.name "hughcrt" | |
- name: Remove 'v' prefix from release tag | |
id: release_tag | |
run: echo "tag=$(echo ${{ github.event.release.tag_name }} | sed 's/^v//')" >> $GITHUB_OUTPUT | |
- name: Set up Helm | |
run: | | |
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash | |
- name: Login to Helm repository | |
run: helm registry login registry-1.docker.io -u ${{ secrets.DOCKERHUB_USERNAME }} -p ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Update Helm chart version | |
run: bash update.sh ${{ github.event.release.tag_name }} | |
- name: Publish Helm chart | |
run: bash publish.sh | |
deploy: | |
needs: build-push | |
runs-on: ubuntu-latest | |
steps: | |
- name: Deploy to Production | |
uses: appleboy/ssh-action@master | |
with: | |
host: ${{ secrets.PRODUCTION_IP_ADDRESS }} | |
username: root | |
key: ${{ secrets.SSH_PRIVATE_KEY }} | |
port: ${{ secrets.PRODUCTION_PORT }} | |
script: | | |
docker image prune -f | |
cd /opt/lunary | |
docker compose pull | |
docker compose down | |
docker compose up -d |
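Review bot: The deploy job's `uses: appleboy/ssh-action@master` follows a mutable branch of a third-party action while passing it `secrets.SSH_PRIVATE_KEY` for `root` on the production host, so any change to that branch runs with root access to production. Pin it to a reviewed full commit SHA, e.g. `uses: appleboy/ssh-action@<full-commit-sha>  # <release tag>` (placeholder values). The same unpinned-code concern applies to the `curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash` step in publish-helm, a job that also uses `GH_TOKEN` and the Docker Hub credentials. Separately, the three "Remove 'v' prefix from release tag" steps and `bash update.sh ${{ github.event.release.tag_name }}` expand the tag name into the script text before the shell parses it. Setting `env: TAG_NAME: ${{ github.event.release.tag_name }}` on the step and using `"${TAG_NAME#v}"` or `"$TAG_NAME"` keeps it as data. The helm login step passes the token as `-p ${{ secrets.DOCKERHUB_TOKEN }}` on the command line; supplying it through an `env:` variable piped to `helm registry login ... --password-stdin` avoids that.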