Merged
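--- a/.github/workflows/deploy-prod.yaml
+++ b/.github/workflows/deploy-prod.yaml
@@ -7,136 +7,6 @@ on:
 types:
 - closed
 
-# Cancel in-progress jobs for the same tag/branch.
-concurrency:
-group: ${{ github.workflow }}-${{ github.ref }}
-cancel-in-progress: false
-
-permissions:
-contents: read
-id-token: write
-
 jobs:
-deploy:
-runs-on: "regular"
-if: >
-github.event.pull_request.merged == true &&
-github.event.pull_request.base.ref == 'main' &&
-startsWith(github.repository, 'deckhouse/')
-steps:
-- name: Checkout code
-uses: actions/checkout@v6
-with:
-ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }}
-submodules: recursive
-fetch-depth: 0
-
-- name: Set environment
-id: env
-run: |
-echo "env=production" >> $GITHUB_OUTPUT
-
-- name: Import secrets
-id: secrets
-uses: hashicorp/vault-action@v3
-with:
-url: https://seguro.flant.com
-path: github
-role: deckhouse-web-products
-method: jwt
-jwtGithubAudience: github-access-aud
-secrets: |
-projects/data/6db2f1ee-9b6f-4f4f-8381-2fb43060478a/github/registry_host DECKHOUSE_REGISTRY_HOST | DECKHOUSE_REGISTRY_HOST ;
-projects/data/6db2f1ee-9b6f-4f4f-8381-2fb43060478a/github/registry_host DECKHOUSE_DEV_REGISTRY_HOST | DECKHOUSE_DEV_REGISTRY_HOST ;
-projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken login | DECKHOUSE_DEV_REGISTRY_USER ;
-projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/dev-registry/writetoken password | DECKHOUSE_DEV_REGISTRY_PASSWORD ;
-projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry-write/demotoken login | DECKHOUSE_REGISTRY_USER ;
-projects/data/101ceaca-97cd-462f-aed5-070d9b9de175/registry-write/demotoken password | DECKHOUSE_REGISTRY_PASSWORD ;
-projects/data/6db2f1ee-9b6f-4f4f-8381-2fb43060478a/github/registry_host DECKHOUSE_REGISTRY_READ_HOST | DECKHOUSE_REGISTRY_READ_HOST ;
-projects/data/6db2f1ee-9b6f-4f4f-8381-2fb43060478a/github/registry_read_token login | DECKHOUSE_REGISTRY_READ_USER ;
-projects/data/6db2f1ee-9b6f-4f4f-8381-2fb43060478a/github/registry_read_token password | DECKHOUSE_REGISTRY_READ_PASSWORD ;
-projects/data/6db2f1ee-9b6f-4f4f-8381-2fb43060478a/github/documentation_deploy_secret KUBECONFIG_BASE64_PROD_25 | KUBECONFIG_BASE64_PROD ;
-
-- name: Check dev registry credentials
-id: check_dev_registry
-env:
-HOST: ${{steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST}}
-run: |
-if [[ -n $HOST ]]; then
-echo "has_credentials=true" >> $GITHUB_OUTPUT
-echo "web_registry_path=${{steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
-fi
-
-- name: Login to dev registry
-uses: docker/login-action@v3
-if: ${{ steps.check_dev_registry.outputs.has_credentials == 'true' }}
-with:
-registry: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_HOST }}
-username: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_USER }}
-password: ${{ steps.secrets.outputs.DECKHOUSE_DEV_REGISTRY_PASSWORD }}
-logout: false
-
-- name: Check rw registry credentials
-id: check_rw_registry
-env:
-HOST: ${{steps.secrets.outputs.DECKHOUSE_REGISTRY_HOST}}
-run: |
-if [[ -n $HOST ]]; then
-echo "has_credentials=true" >> $GITHUB_OUTPUT
-echo "web_registry_path=${{steps.secrets.outputs.DECKHOUSE_REGISTRY_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
-fi
-
-- name: Login to rw registry
-uses: docker/login-action@v3
-if: ${{ steps.check_rw_registry.outputs.has_credentials == 'true' }}
-with:
-registry: ${{ steps.secrets.outputs.DECKHOUSE_REGISTRY_HOST }}
-username: ${{ steps.secrets.outputs.DECKHOUSE_REGISTRY_USER }}
-password: ${{ steps.secrets.outputs.DECKHOUSE_REGISTRY_PASSWORD }}
-logout: false
-
-- name: Check readonly registry credentials
-id: check_readonly_registry
-env:
-HOST: ${{ steps.secrets.outputs.DECKHOUSE_REGISTRY_READ_HOST }}
-run: |
-if [[ -n $HOST ]]; then
-echo "has_credentials=true" >> $GITHUB_OUTPUT
-echo "web_registry_path=${{ steps.secrets.outputs.DECKHOUSE_REGISTRY_READ_HOST }}/deckhouse/site" >> $GITHUB_OUTPUT
-fi
-
-- name: Login to readonly registry
-uses: docker/login-action@v3
-if: ${{ steps.check_readonly_registry.outputs.has_credentials == 'true' }}
-with:
-registry: ${{ steps.secrets.outputs.DECKHOUSE_REGISTRY_READ_HOST }}
-username: ${{ steps.secrets.outputs.DECKHOUSE_REGISTRY_READ_USER }}
-password: ${{ steps.secrets.outputs.DECKHOUSE_REGISTRY_READ_PASSWORD }}
-logout: false
-
-- name: Build
-id: build
-uses: werf/actions/build@v2
-with:
-channel: beta
-kube-config-base64-data: ${{ steps.secrets.outputs.KUBECONFIG_BASE64_PROD }}
-env: ${{ steps.env.outputs.env }}
-env:
-WERF_VIRTUAL_MERGE: 0
-WERF_REPO: ${{ steps.check_rw_registry.outputs.web_registry_path }}
-WERF_SECONDARY_REPO: ${{ steps.check_dev_registry.outputs.web_registry_path }}
-WERF_SET_URL: "global.url=deckhouse.io"
-WERF_SET_URL_RU: "global.url_ru=deckhouse.ru"
-
-- name: Deploy to ${{ steps.env.outputs.env }}
-id: deploy
-uses: werf/actions/converge@v2
-with:
-channel: beta
-kube-config-base64-data: ${{ steps.secrets.outputs.KUBECONFIG_BASE64_PROD }}
-env: ${{ steps.env.outputs.env }}
-env:
-WERF_VIRTUAL_MERGE: 0
-WERF_REPO: ${{ steps.check_readonly_registry.outputs.web_registry_path }}
-WERF_SET_URL: "global.url=deckhouse.io"
-WERF_SET_URL_RU: "global.url_ru=deckhouse.ru"
+call-reusable:
+uses: deckhouse/hugo-web-product-module/.github/workflows/deploy-prod.yaml@main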
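Review bot: The new `call-reusable` job references the reusable workflow by the mutable ref `@main`, so any push to that branch of `deckhouse/hugo-web-product-module` changes what the production deploy runs; pin it to a full commit SHA, e.g. `uses: deckhouse/hugo-web-product-module/.github/workflows/deploy-prod.yaml@<full-commit-sha>`. The same change drops the workflow-level `permissions:` block, and a called workflow can only narrow the caller's token permissions, never add to them, so if the reusable workflow still authenticates to Vault via JWT (as the removed steps did) it will presumably need `id-token: write` granted here, alongside `contents: read`. The `if:` guard on `merged == true`, base `main` and the `deckhouse/` owner is also gone from the caller; the visible trigger type is `closed`, so unless the reusable workflow repeats that check (not visible from this page), a PR closed without merging would start a production deploy. The `concurrency` group is removed as well, so it is worth confirming that the called workflow serialises deploys itself.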