Azalea/.github/workflows/cd.yml at main · Rodis-Infrastructure/Azalea · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
name: CD
on:
  workflow_run:
    workflows: [CI]
    types: [completed]
    branches: [main, master]

permissions:
  contents: read

concurrency:
  group: cd-${{ github.event.workflow_run.head_branch }}
  cancel-in-progress: false

jobs:
  deploy:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - name: Deploy
        uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5
        with:
          host: ${{ secrets.SSH_HOST }}
          port: ${{ secrets.SSH_PORT }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_KEY }}
          script: |
            set -e
            cd Projects/azalea
            git pull origin main
            bash scripts/deploy.sh

      - name: Checkout source for Sentry release
        # Read package.json + commit history. The release ID must match
        # `Sentry.init`'s `release` value (name@version) so issues link
        # back to the deploy that introduced them. Checkout is cheap, so
        # always run; the actual release step no-ops if Sentry is unset.
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
          fetch-depth: 0

      - name: Sentry release
        # Becomes a no-op silently when SENTRY_AUTH_TOKEN is unset, which
        # makes the release step fully opt-in. Failures are non-fatal —
        # the deploy already succeeded; release tagging is best-effort.
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          SENTRY_ORG: ${{ vars.SENTRY_ORG }}
          SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
        run: |
          if [ -z "$SENTRY_AUTH_TOKEN" ]; then
            echo "SENTRY_AUTH_TOKEN not set; skipping Sentry release."
            exit 0
          fi

          NAME="$(node -p "require('./package.json').name")"
          VERSION="$(node -p "require('./package.json').version")"
          RELEASE="${NAME}@${VERSION}"

          curl -sL https://sentry.io/get-cli/ | bash
          sentry-cli releases new "$RELEASE"
          sentry-cli releases set-commits "$RELEASE" --auto || true
          sentry-cli releases finalize "$RELEASE"
          sentry-cli releases deploys "$RELEASE" new --env "${SENTRY_ENVIRONMENT:-production}"

      - name: Notify Discord
        # Always runs so failures are reported too. Becomes a no-op
        # silently when the DISCORD_WEBHOOK_URL secret is unset, which
        # makes the notification fully opt-in.
        if: always()
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
          STATUS: ${{ job.status }}
          REPO: ${{ github.repository }}
          SHA: ${{ github.event.workflow_run.head_sha }}
          BRANCH: ${{ github.event.workflow_run.head_branch }}
          MESSAGE: ${{ github.event.workflow_run.head_commit.message }}
          ACTOR: ${{ github.event.workflow_run.actor.login }}
          RUN_URL: ${{ github.event.workflow_run.html_url }}
        run: |
          if [ -z "$DISCORD_WEBHOOK_URL" ]; then
            echo "DISCORD_WEBHOOK_URL not set; skipping notification."
            exit 0
          fi

          case "$STATUS" in
            success)   COLOR=3066993;  TITLE="✅ azalea deploy succeeded";;
            failure)   COLOR=15158332; TITLE="❌ azalea deploy failed";;
            cancelled) COLOR=10070709; TITLE="🟤 azalea deploy cancelled";;
            *)         COLOR=10070709; TITLE="ℹ️ azalea deploy ${STATUS}";;
          esac

          SHORT_SHA="${SHA:0:7}"
          FIRST_LINE="$(printf '%s' "$MESSAGE" | head -1)"

          jq -n \
            --arg title "$TITLE" \
            --argjson color "$COLOR" \
            --arg description "$FIRST_LINE" \
            --arg repo "$REPO" \
            --arg branch "$BRANCH" \
            --arg short_sha "$SHORT_SHA" \
            --arg full_sha "$SHA" \
            --arg actor "$ACTOR" \
            --arg run_url "$RUN_URL" \
            '{
               embeds: [{
                 title: $title,
                 url: $run_url,
                 color: $color,
                 description: $description,
                 fields: [
                   { name: "Repo",   value: $repo,                                                                   inline: true },
                   { name: "Branch", value: $branch,                                                                 inline: true },
                   { name: "Commit", value: ("[`" + $short_sha + "`](https://github.com/" + $repo + "/commit/" + $full_sha + ")"), inline: true },
                   { name: "Actor",  value: $actor,                                                                  inline: true }
                 ],
                 timestamp: (now | todate)
               }]
             }' \
          | curl -fsS -X POST -H "Content-Type: application/json" --data-binary @- "$DISCORD_WEBHOOK_URL"