feat(devops): Deploy to test environments via CI

[bitdivine]

Motivation

Deploying to test environments is typically hard to get right. We would like:

• Friendly domain names:
  • https://fe1.oisy.com not some canister ID.
• Use the same identities and assets in fe{1..4} as in staging.
  • This requires staging and II configuration to be set
• Easy, reliable deployment

Changes

• Enable deploying to the test networks
• Allow refs other than main to be deployed to beta and the test networks

Configuration:

• I have configured the test_fe_{1..4} asset canisters to accept asset uploads and commits from CI.

Tests

• I have deployed fe{1..4} via CI with e.g. gh workflow run deploy-to-environment.yml --ref staging-ii --field network=test_fe_3 --field canister=frontend
• I have verified that, when I log in to the following domains, I have the same assets as on staging:
  • https://fe1.oisy.com
  • https://fe2.oisy.com
  • https://fe3.oisy.com
  • https://fe4.oisy.com

[AntonioVentilii]

maybe just a final ECHO if all checks passed for policy? as feedback for the dev

[bitdivine]

If the policy passes, the developer will see a check mark next to that step, like this:

[AntonioVentilii]

should this include the check for beta?

for example, the check could pass if the network is beta, but the ref is not main, no? am i missing something?

[bitdivine]

There is no rule that beta may have only head of main. Indeed, there is an explicit expectation that we should be able to put feature branches and release candidates (that may not be head of main) on beta.

I have proposed that we have a test environment that always holds the latest release candidate (so that would be the latest tag of the form 1.2.3-rc-4), which is effectively what beta has most of the time at the moment, however that has not been approved.

[AntonioVentilii]

this is just a "good to have", right? it will print the principal so that we have more info, that's the idea?

[bitdivine]

Correct. It is not enough for the code to be correct, we need to be able to verify that it is working correctly. It's hard to verify that the expected principal is being used when it's invisible. :-) Another point where we need better visibility for verification is the env vars, but that will be a bigger change so I didn't commit that.