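---
# Velocity-OS deployment pipeline.
#
# Stages: lint (webos + core) -> build & push one image per service to ECR
# -> sign every pushed image by digest with cosign (keyless) -> tell the
# ingress box to pull the new release.
#
# TODO(review): third-party actions are referenced by mutable tags; pin them
# to full commit SHAs so a retagged action cannot change what runs here.
name: Velocity-OS Deployment Pipeline

on:
  push:
    branches:
      - master
      - main

# Least-privilege default for GITHUB_TOKEN. Jobs that need more (OIDC for
# keyless signing) widen it explicitly in their own permissions block.
permissions:
  contents: read

env:
  AWS_REGION: ap-south-1
  DOCKER_BUILDKIT: '1'

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3

      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          # Quoted so the version is always read as a string.
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: 'webos/package-lock.json'

      - name: Lint WebOS
        working-directory: ./webos
        run: |
          npm ci
          npm run type-check
          npm run lint

      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Lint Core
        working-directory: ./core
        run: |
          pip install ruff mypy
          ruff check .
          mypy . --ignore-missing-imports

  build-and-push:
    needs: lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    strategy:
      matrix:
        service: [core, webos, media-engine, agents]
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3

      # NOTE(review): long-lived access keys are used although id-token: write
      # is already granted to this job; `role-to-assume` (OIDC) would remove
      # the static secret. Left as-is because no role ARN is known here.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build and Push Docker Image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          SERVICE: ${{ matrix.service }}
          IMAGE_TAG: ${{ github.sha }}
          # Passed through env instead of being interpolated into the script,
          # so the value is never re-parsed by the shell.
          GIT_REF: ${{ github.ref_name }}
        run: |
          IMAGE="${ECR_REGISTRY}/velocity-os/${SERVICE}"
          # Build: reuse the inline cache of the previous :latest when present.
          docker build \
            --cache-from "${IMAGE}:latest" \
            --build-arg BUILDKIT_INLINE_CACHE=1 \
            --label "git.sha=${IMAGE_TAG}" \
            --label "git.ref=${GIT_REF}" \
            -t "${IMAGE}:${IMAGE_TAG}" \
            -t "${IMAGE}:latest" \
            "./${SERVICE}"
          # Push the immutable sha tag and move :latest.
          docker push "${IMAGE}:${IMAGE_TAG}"
          docker push "${IMAGE}:latest"

  sign-images:
    needs: build-and-push
    runs-on: ubuntu-latest
    # Keyless `cosign sign --yes` obtains its certificate through the
    # workflow's OIDC token, which is only issued with id-token: write.
    permissions:
      contents: read
      id-token: write
    strategy:
      matrix:
        service: [core, webos, media-engine, agents]
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.1.1
        with:
          cosign-release: 'v2.4.0'

      - name: Sign Image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          SERVICE: ${{ matrix.service }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          # Resolve the tag to a digest so the signature binds to the exact
          # manifest that was pushed, not to a mutable tag.
          DIGEST=$(aws ecr describe-images \
            --repository-name "velocity-os/${SERVICE}" \
            --image-ids "imageTag=${IMAGE_TAG}" \
            --region "${AWS_REGION}" \
            --query 'imageDetails[0].imageDigest' --output text)
          # `--output text` prints the literal "None" when the query matches
          # nothing; fail loudly rather than signing an empty reference.
          if [ -z "${DIGEST}" ] || [ "${DIGEST}" = "None" ]; then
            echo "::error::no digest found for velocity-os/${SERVICE}:${IMAGE_TAG}"
            exit 1
          fi
          cosign sign --yes "${ECR_REGISTRY}/velocity-os/${SERVICE}@${DIGEST}"

  notify-ingress:
    needs: sign-images
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main'
    steps:
      - name: Install SSH Client
        run: sudo apt-get update && sudo apt-get install -y openssh-client

      - name: Notify Ingress Box
        env:
          INGRESS_SSH_KEY: ${{ secrets.INGRESS_SSH_KEY }}
          INGRESS_BOX_IP: ${{ secrets.INGRESS_BOX_IP }}
          # known_hosts line(s) for the ingress box's host key. This is a NEW
          # secret introduced by this change (name constructed here) — it
          # must be provisioned before the job can connect.
          INGRESS_KNOWN_HOSTS: ${{ secrets.INGRESS_KNOWN_HOSTS }}
        run: |
          # Key material lives in a private temp dir and is removed on every
          # exit path; previously the key stayed on disk if ssh failed.
          SSH_DIR=$(mktemp -d)
          trap 'rm -rf "${SSH_DIR}"' EXIT
          umask 077
          printf '%s\n' "${INGRESS_SSH_KEY}" > "${SSH_DIR}/ingress_key.pem"
          printf '%s\n' "${INGRESS_KNOWN_HOSTS}" > "${SSH_DIR}/known_hosts"
          # Verify the server's host key against the pinned known_hosts
          # instead of StrictHostKeyChecking=no, which would accept any host
          # answering on that address.
          ssh -i "${SSH_DIR}/ingress_key.pem" \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile="${SSH_DIR}/known_hosts" \
            "ubuntu@${INGRESS_BOX_IP}" \
            "sudo systemctl start velocity-ingress-poll.service"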