ci.yml

# This workflow will deploy to Google Cloud Run
#
# To configure this workflow, set up the following secrets in your workspace
#
#  * `GITHUB_APP_IDENTIFIER` - GitHub App identifier
#  * `GITHUB_APP_PRIVATE_KEY` - GitHub App private key
#  * `GOOGLE_SERVICE_ACCOUNT_EMAIL` - Google service account email
#  * `GOOGLE_APPLICATION_CREDENTIALS` - Google service account private key
#  * `GITHUB_WEBHOOK_SECRET` - GitHub webhook secret to confirm that webhooks come from GitHub

name: CI

on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/ci.yml'
      - 'Dockerfile'
      - 'package.json'
      - 'src/**/*.ts'
      - 'tsconfig.json'
      - 'yarn.lock'
      - 'bin/deploy.sh'
      - 'holidays.yml'
      - 'product-owners.yml'
      - 'github-orgs.yml'
  pull_request:
    branches:
      - main

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    services:
      # Label used to access the service container
      postgres:
        # Docker Hub image
        image: postgres:12
        # Provide the password for postgres
        env:
          POSTGRES_PASSWORD: docker
        ports:
          - 5434:5432
        # Set health checks to wait until postgres has started
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Git
        run: |
          sudo apt-get update
          sudo apt-get install git -y
      - name: Set up SSH agent (for service-registry)
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.SENTRY_INTERNAL_GH_SSH_PRIVATE_KEY }}

      - name: Setup node
        uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: yarn install
        run: yarn install --immutable && yarn up "service-registry@git+ssh://git@github.com:getsentry/service-registry#main"

      - name: tsc
        run: yarn build
      - name: test
        run: yarn test:ci --coverage
      - name: Codecov
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
      - name: eslint
        run: yarn lint

  docker:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    if: github.event_name == 'pull_request'

    steps:
      - uses: actions/checkout@v3

      - name: Set up SSH agent (for service-registry)
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.SENTRY_INTERNAL_GH_SSH_PRIVATE_KEY }}

      - name: Builds docker image
        run: DOCKER_BUILDKIT=1 docker build --ssh default -t ci-tooling .

  build-deploy:
    name: build and deploy
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    timeout-minutes: 10
    needs: [test]
    environment: 'production'
    env:
      VERSION: ${{ github.sha }}
      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
      SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          # for Sentry releases
          fetch-depth: 0
      - name: Install Git
        run: |
          sudo apt-get update
          sudo apt-get install git -y
      - name: Set up SSH agent (for service-registry)
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.SENTRY_INTERNAL_GH_SSH_PRIVATE_KEY }}

      - name: Setup node
        uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: yarn install
        run: yarn install --immutable && yarn up "service-registry@git+ssh://git@github.com:getsentry/service-registry#main"

      - name: tsc
        run: yarn build

      - id: 'auth'
        uses: 'google-github-actions/auth@v2'
        with:
          workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
          service_account: gha-eng-pipes-deploy@sac-prod-sa.iam.gserviceaccount.com

      # Setup gcloud CLI
      - name: Setup gcloud CLI
        uses: google-github-actions/setup-gcloud@v1

      # Deploy to Google Cloud Functions
      - name: Deploy
        id: deploy
        env:
          SLACK_BOT_USER_ACCESS_TOKEN: ${{ secrets.SLACK_BOT_USER_ACCESS_TOKEN }}
          SLACK_SIGNING_SECRET: ${{ secrets.SLACK_SIGNING_SECRET }}
          SLACK_BOT_APP_ID: ${{ secrets.SLACK_BOT_APP_ID }}
          DD_API_KEY: ${{ secrets.DD_API_KEY }}
          DD_APP_KEY: ${{ secrets.DD_APP_KEY }}
          GH_APP_PRIVATE_KEY_FOR_GETSENTRY: ${{ secrets.GH_APP_PRIVATE_KEY_FOR_GETSENTRY}}
          GH_APP_PRIVATE_KEY_FOR_CODECOV: ${{ secrets.GH_APP_PRIVATE_KEY_FOR_CODECOV}}
          GH_APP_IDENTIFIER: ${{ secrets.GH_APP_IDENTIFIER }}
          GH_WEBHOOK_SECRET: ${{ secrets.GH_WEBHOOK_SECRET }}
          SENTRY_WEBPACK_WEBHOOK_SECRET: ${{ secrets.SENTRY_WEBPACK_WEBHOOK_SECRET }}
          DB_USER: ${{ secrets.DB_USER }}
          DB_NAME: ${{ secrets.DB_NAME }}
          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
          DB_INSTANCE_CONNECTION_NAME: ${{ secrets.DB_INSTANCE_CONNECTION_NAME }}
          GH_USER_TOKEN: ${{ secrets.GH_USER_TOKEN }}
          GCP_SERVICE_ACCOUNT: ${{ vars.GCP_SERVICE_ACCOUNT }}
          PREDICT_ENDPOINT: ${{ vars.PREDICT_ENDPOINT }}
        run: |
          echo "deploy-start=$(date +%s)" >> "$GITHUB_OUTPUT"
          bin/deploy.sh

      - name: Sentry Release
        uses: getsentry/action-release@v1.4.1
        with:
          environment: 'production'
          sourcemaps: './lib'
          url_prefix: 'app:///lib/'