Deploy to production #29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy to production | |
| # We only deploy to production if... we're on the main branch, and the ansible-check has passed | |
| # It is not necessary for now to add a dependency to the test pipeline because it won't | |
| # publish our images if it doesn't pass | |
| on: | |
| workflow_run: | |
| workflows: ["ansible-check"] | |
| branches: [main] | |
| types: | |
| - completed | |
| workflow_dispatch: | |
| jobs: | |
| deploy-to-prod: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/[email protected] | |
| - name: Deploy to prod | |
| # We only deploy to prod if the ansible-check was successful, or if the deployment is manual | |
| if: ${{ github.event.workflowgithub.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} | |
| # We use the ansible playbook action with our private key as well as our vault password. | |
| uses: dawidd6/action-ansible-playbook@v2 | |
| with: | |
| directory: ./ansible | |
| playbook: playbook.yml | |
| key: ${{ secrets.ANSIBLE_SSH_PRIVATE_KEY }} | |
| vault_password: ${{ secrets.VAULT_PASSWORD }} | |
| # We give the fingerprint of our servers, to avoid DNS Redirection attacks | |
| known_hosts: | | |
| medhy.dohou.takima.cloud ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOWcoyHWc8qNdZbf/+NL/faVWdYAdchHep26pjro5No | |
| options: | | |
| --inventory ./inventories/setup.yml | |
| requirements: ./requirements.yml |