Merge pull request #526 from microsoft/copilot/fix-gh-nightly-build-i… #31
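# Deploy workflow: runs on pushes to main and on manual dispatch.
name: Deploy

on:
  push:
    branches:
      - main
  workflow_dispatch:
    inputs:
      environment:
        description: "Target environment"
        required: true
        type: choice
        options:
          - staging
          - production
      # Free-form string typed by whoever dispatches the run; consumers should
      # treat it as untrusted input and never splice it into a shell script.
      image-tag:
        description: "Image tag to deploy (e.g. sha-abc1234)"
        required: false
        type: string

# Default-deny for the workflow token: every job in this file declares the
# permissions it needs, so a job added later without a `permissions:` block
# starts with none instead of the repository default.
permissions: {}

env:
  # Used both as the `az acr login --name` argument and as the image-name
  # prefix. Read it in `run:` steps as the shell variable "${REGISTRY}".
  REGISTRY: ${{ secrets.AZURE_CONTAINER_REGISTRY }}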
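jobs:
  # NOTE(review): every `uses:` below references a mutable tag (@v5, @v3, @v2)
  # in a job that holds `id-token: write`. Pinning each action to a full commit
  # SHA (e.g. `azure/login@<full-commit-sha>  # v3`) keeps a moved tag from
  # running with the Azure identity.
  #
  # All `run:` scripts read workflow/job env values as shell variables
  # ("${REGISTRY}", "${APP_NAME}", ...) instead of `${{ env.X }}`, so the values
  # are never pasted into the script text before the shell parses it.

  # Builds the image and pushes it to ACR. Runs on push, or on a manual
  # dispatch that did not supply an existing image tag.
  build-and-push:
    runs-on: ubuntu-latest
    if: >-
      github.event_name == 'push' ||
      (github.event_name == 'workflow_dispatch' && !inputs.image-tag)
    outputs:
      image-tag: sha-${{ github.sha }}
    # OIDC token is required for the azure/login action (Constitution XIV — Managed Identity)
    # NOTE(review): this job declares no `environment:`, so environment
    # protection rules do not gate it — confirm the federated credential for
    # AZURE_CLIENT_ID only trusts the intended branch.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v5
      - name: Azure login (OIDC — staging managed identity)
        uses: azure/login@v3
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: ACR login
        run: az acr login --name "${REGISTRY}"
      - name: Build and push container image
        env:
          # Same value as the job output above.
          IMAGE_TAG: sha-${{ github.sha }}
        run: |
          docker build -t "${REGISTRY}/acroyoga-web:${IMAGE_TAG}" .
          docker push "${REGISTRY}/acroyoga-web:${IMAGE_TAG}"

  # Deploys to staging after a successful build, or deploys an existing tag
  # when a manual dispatch targets staging and the build job was skipped.
  deploy-staging:
    runs-on: ubuntu-latest
    needs: [build-and-push]
    # The dispatch branch requires result == 'skipped': without that check a
    # dispatch to staging still deployed after a failed or cancelled build.
    if: >-
      always() &&
      (needs.build-and-push.result == 'success' ||
      (needs.build-and-push.result == 'skipped' &&
      github.event_name == 'workflow_dispatch' &&
      inputs.environment == 'staging'))
    environment: staging
    permissions:
      id-token: write
      contents: read
    env:
      # Freshly built tag if the build ran, otherwise the operator-supplied one.
      IMAGE_TAG: ${{ needs.build-and-push.outputs.image-tag || inputs.image-tag }}
      RESOURCE_GROUP: rg-acroyoga-stg
      APP_NAME: ca-acroyoga-web-staging
    steps:
      - name: Validate image tag
        # The tag may come from a free-form dispatch input; reject anything
        # that is empty or outside the container tag grammar before it
        # reaches the deploy action.
        run: |
          if [[ ! "${IMAGE_TAG}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "::error::Refusing to deploy: image tag is empty or not a valid tag"
            exit 1
          fi
      - uses: actions/checkout@v5
      - name: Azure login (OIDC — staging managed identity)
        uses: azure/login@v3
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Deploy to staging
        uses: azure/container-apps-deploy-action@v2
        with:
          containerAppName: ${{ env.APP_NAME }}
          resourceGroup: ${{ env.RESOURCE_GROUP }}
          imageToDeploy: ${{ env.REGISTRY }}/acroyoga-web:${{ env.IMAGE_TAG }}
      - name: Wait for readiness
        run: |
          APP_URL=$(az containerapp show \
            --name "${APP_NAME}" \
            --resource-group "${RESOURCE_GROUP}" \
            --query properties.configuration.ingress.fqdn -o tsv)
          echo "Waiting for https://${APP_URL}/api/ready ..."
          curl --retry 10 --retry-delay 10 --retry-all-errors -sf "https://${APP_URL}/api/ready"
      - name: Smoke test — health
        run: |
          APP_URL=$(az containerapp show \
            --name "${APP_NAME}" \
            --resource-group "${RESOURCE_GROUP}" \
            --query properties.configuration.ingress.fqdn -o tsv)
          RESPONSE=$(curl -sf "https://${APP_URL}/api/health")
          echo "Health response: ${RESPONSE}"
          echo "${RESPONSE}" | grep -q '"status":"healthy"'
      - name: Smoke test — home page
        # The default `run` shell is `bash -e` without pipefail, so
        # `curl ... | head -20` reported head's exit status and a failed
        # request passed the step. Fetch first, then print.
        run: |
          APP_URL=$(az containerapp show \
            --name "${APP_NAME}" \
            --resource-group "${RESOURCE_GROUP}" \
            --query properties.configuration.ingress.fqdn -o tsv)
          BODY=$(curl -sf "https://${APP_URL}/")
          printf '%s\n' "${BODY}" | head -20

  # Deploys to production only after deploy-staging succeeded in the same run.
  # NOTE(review): a manual dispatch with environment=production AND an
  # image-tag skips build-and-push, which skips deploy-staging, so this job is
  # skipped too — an existing tag cannot be sent to production on its own.
  # Confirm that is intended.
  deploy-production:
    runs-on: ubuntu-latest
    needs: [build-and-push, deploy-staging]
    if: >-
      always() &&
      needs.deploy-staging.result == 'success' &&
      (github.event_name == 'push' ||
      (github.event_name == 'workflow_dispatch' &&
      inputs.environment == 'production'))
    environment: production
    permissions:
      id-token: write
      contents: read
    env:
      IMAGE_TAG: ${{ needs.build-and-push.outputs.image-tag || inputs.image-tag }}
      RESOURCE_GROUP: rg-acroyoga-prod
      APP_NAME: ca-acroyoga-web-production
    steps:
      - name: Validate image tag
        # Same guard as staging: never hand an empty or malformed tag to the
        # deploy action.
        run: |
          if [[ ! "${IMAGE_TAG}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "::error::Refusing to deploy: image tag is empty or not a valid tag"
            exit 1
          fi
      - uses: actions/checkout@v5
      - name: Azure login (OIDC — production managed identity)
        uses: azure/login@v3
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID_PRODUCTION }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Deploy to production
        uses: azure/container-apps-deploy-action@v2
        with:
          containerAppName: ${{ env.APP_NAME }}
          resourceGroup: ${{ env.RESOURCE_GROUP }}
          imageToDeploy: ${{ env.REGISTRY }}/acroyoga-web:${{ env.IMAGE_TAG }}
      - name: Wait for readiness
        run: |
          APP_URL=$(az containerapp show \
            --name "${APP_NAME}" \
            --resource-group "${RESOURCE_GROUP}" \
            --query properties.configuration.ingress.fqdn -o tsv)
          echo "Waiting for https://${APP_URL}/api/ready ..."
          curl --retry 10 --retry-delay 10 --retry-all-errors -sf "https://${APP_URL}/api/ready"
      - name: Verify deployed version
        # Compare against the tag that was actually deployed (IMAGE_TAG), not
        # a value recomputed from github.sha. A mismatch stays non-fatal, as
        # before, but is raised as a workflow warning annotation.
        # NOTE(review): consider failing the job on mismatch once /api/health
        # is known to report the image tag.
        run: |
          APP_URL=$(az containerapp show \
            --name "${APP_NAME}" \
            --resource-group "${RESOURCE_GROUP}" \
            --query properties.configuration.ingress.fqdn -o tsv)
          RESPONSE=$(curl -sf "https://${APP_URL}/api/health")
          echo "Health response: ${RESPONSE}"
          echo "${RESPONSE}" | grep -qF -- "${IMAGE_TAG}" \
            || echo "::warning::Health response does not mention ${IMAGE_TAG}; deployed version not confirmed"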