agrc · stdavis · Oct 1, 2024 · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024
diff --git a/.github/actions/deploy-cloudrun/action.yml b/.github/actions/deploy-cloudrun/action.yml
@@ -0,0 +1,125 @@
+name: Deploy
+description: Deploy to GCP
+inputs:
+  project_id:
+    description: 'The GCP project ID'
+    required: true
+  identity_provider:
+    description: 'The identity provider for the workload identity'
+    required: true
+  service_account_email:
+    description: 'The service account email'
+    required: true
+  pause_schedule_job:
+    description: 'Pause the scheduler job'
+    required: false
+    default: 'no'
+  github_token:
+    description: 'The GitHub token'
+    required: true
+  agol_org:
+    description: 'The ArcGIS Online organization'
+    required: true
+  tag_name:
+    description: 'The tag name'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Set globals
+      id: globals
+      shell: bash
+      run: |
+        echo "TOPIC_NAME=backup-topic" >> "${GITHUB_OUTPUT}"
+        echo "CRON=0 4 * * *" >> "${GITHUB_OUTPUT}"
+        echo "JOB_NAME=nightly" >> "${GITHUB_OUTPUT}"
+        echo "JOB_DESCRIPTION=Trigger the backup job every evening at 10 PM MDT" >> "${GITHUB_OUTPUT}"
+
+    - name: 🗝️ Authenticate to Google Cloud
+      id: auth
+      uses: google-github-actions/auth@v2
+      with:
+        token_format: access_token
+        workload_identity_provider: ${{ inputs.identity_provider }}
+        service_account: ${{ inputs.service_account_email }}
+
+    - name: 🐳 Set up Docker Buildx
+      id: builder
+      uses: docker/setup-buildx-action@v3
+
+    - name: 🗝️ Authenticate Docker to Google Cloud
+      uses: docker/login-action@v3
+      with:
+        registry: us-central1-docker.pkg.dev
+        username: oauth2accesstoken
+        password: ${{ steps.auth.outputs.access_token }}
+
+    - name: 🏷️ Extract tags from GitHub
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        github-token: ${{ inputs.github_token }}
+        images: us-central1-docker.pkg.dev/${{ inputs.project_id }}/images/job
+        tags: |
+          type=ref,suffix=-{{sha}},event=branch
+          type=ref,prefix=pr-,suffix=-{{sha}},event=pr
+          type=semver,pattern={{version}}
+          latest
+
+    - name: 📦 Build and push image
+      uses: docker/build-push-action@v6
+      with:
+        builder: ${{ steps.builder.outputs.name }}
+        tags: ${{ steps.meta.outputs.tags }}
+        context: '{{defaultContext}}:jobs'
+        file: ./Dockerfile
+        push: true
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        provenance: false
+
+    - name: 🚀 Deploy Main Cloud Run Job
+      id: deploy
+      uses: google-github-actions/deploy-cloudrun@v2
+      with:
+        job: ${{ steps.globals.outputs.JOB_NAME }}
+        image: us-central1-docker.pkg.dev/${{ inputs.project_id }}/images/job:latest
+        timeout: 60m
+        secrets: |
+          /secrets/app/secrets.json=secrets:latest
+        env_vars: |-
+          AGOL_ORG=${{ inputs.agol_org }}
+          TAG_NAME=${{ inputs.tag_name }}
+        flags: |
+          --memory=512Mi
+          --service-account=cloud-run-sa@${{ inputs.project_id }}.iam.gserviceaccount.com
+
+    - name: 🕰️ Create Main Cloud Scheduler
+      shell: bash
+      run: |
+        if [ ! "$(gcloud scheduler jobs list --location=us-central1 | grep ${{ steps.globals.outputs.JOB_NAME }})" ]; then
+          gcloud scheduler jobs create http "${{ steps.globals.outputs.JOB_NAME }}" \
+            --description="${{ steps.globals.outputs.JOB_DESCRIPTION }}" \
+            --schedule="${{ steps.globals.outputs.CRON }}" \
+            --time-zone=America/Denver \
+            --location=us-central1 \
+            --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ inputs.project_id }}/jobs/${{ steps.globals.outputs.JOB_NAME }}:run" \
+            --oauth-service-account-email=scheduler-sa@${{ inputs.project_id }}.iam.gserviceaccount.com \
+            --quiet
+        else
+          gcloud scheduler jobs update http "${{ steps.globals.outputs.JOB_NAME }}" \
+            --description="${{ steps.globals.outputs.JOB_DESCRIPTION }}" \
+            --schedule="${{ steps.globals.outputs.CRON }}" \
+            --time-zone=America/Denver \
+            --location=us-central1 \
+            --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ inputs.project_id }}/jobs/${{ steps.globals.outputs.JOB_NAME }}:run" \
+            --oauth-service-account-email=scheduler-sa@${{ inputs.project_id }}.iam.gserviceaccount.com \
+            --quiet
+        fi
+
+    - name: 🙅 Pause Scheduler Job
+      shell: bash
+      if: inputs.pause_schedule_job != 'no'
+      run: |
+        gcloud scheduler jobs pause "${{ steps.globals.outputs.JOB_NAME }}" --location=us-central1 --quiet
diff --git a/.github/actions/deploy-firebase/action.yml b/.github/actions/deploy-firebase/action.yml
@@ -34,6 +34,13 @@ runs:
         cache: pip
         cache-dependency-path: ./functions/requirements.txt
 
+    # this is a requirement for the arcgis package: https://github.com/Esri/arcgis-python-api/issues/1299#issuecomment-1185375010
+    - name: Install libkrb5 for Kerberos
+      shell: bash
+      run: |
+        sudo apt install -y libkrb5-dev
+        pip install requests-kerberos
+
     - name: 🚀 Deploy Firebase
       uses: agrc/firebase-website-deploy-composite-action@v1
       with:

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -68,7 +68,7 @@ jobs:
     name: Firebase preview
     runs-on: ubuntu-latest
     needs: [test-unit-ui, test-unit-python]
-    if: ${{ github.event.sender.type == 'User' }}
+    if: ${{ github.event.sender.type == 'User' && github.head_ref != 'dev' }}
     environment:
       name: dev
 

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -54,102 +54,30 @@ jobs:
           firebase_config: ${{ secrets.FIREBASE_CONFIG }}
           build_command: npm run build -- --mode dev
 
-  deploy-python-dev:
-    name: Deploy python to staging
+  deploy-cloudrun-dev:
+    name: Deploy Cloud Run to dev
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/dev'
+    if: github.ref_name == 'dev'
     environment:
       name: dev
     permissions:
       id-token: write
       contents: read
 
     steps:
-      - name: ⬇️ Checkout code
+      - name: ⬇️ Set up code
         uses: actions/checkout@v4
         with:
           show-progress: false
 
-      - name: 🗝️ Authenticate to Google Cloud
-        id: auth
-        uses: google-github-actions/auth@v2
-        with:
-          workload_identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
-          service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
-          token_format: 'access_token'
-
-      - name: 🐳 Set up Docker Buildx
-        id: builder
-        uses: docker/setup-buildx-action@v3
-
-      - name: 🗝️ Authenticate Docker to Google Cloud
-        uses: docker/login-action@v3
-        with:
-          registry: us-central1-docker.pkg.dev
-          username: oauth2accesstoken
-          password: ${{ steps.auth.outputs.access_token }}
-
-      - name: 🏷️ Extract tags from GitHub
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          images: us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job
-          tags: |
-            type=ref,suffix=-{{sha}},event=branch
-            type=ref,prefix=pr-,suffix=-{{sha}},event=pr
-            type=semver,pattern={{version}}
-            latest
-
-      - name: 📦 Build and push image
-        uses: docker/build-push-action@v6
-        with:
-          builder: ${{ steps.builder.outputs.name }}
-          tags: ${{ steps.meta.outputs.tags }}
-          context: .
-          file: ./Dockerfile
-          push: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          provenance: false
-
-      - name: ☁️ Set up Cloud SDK
-        uses: google-github-actions/setup-gcloud@v2
-
-      - name: 🚀 Deploy to Cloud Run Job
-        uses: google-github-actions/deploy-cloudrun@v2
+      - name: 🚀 Deploy
+        uses: ./.github/actions/deploy-cloudrun
+        timeout-minutes: 15
         with:
-          project_id: secrets.PROJECT_ID
-          region: us-central1
-          image: us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/images/job:latest
-          job: default
-          secrets: /secrets/app/secrets.json=skid-secrets:latest
-          timeout: 3h
-          flags: >
-            '--cpu=1
-            --memory=3Gi
-            --service-account=cloud-run-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
-            --timeout=3h
-            --max-instances=1
-            --max-retries=0
-            --parallelism=0'
-
-      - name: 🕰️ Create Cloud Scheduler
-        run: |
-          if [ ! "$(gcloud scheduler jobs list --location=us-central1 | grep saturday-evening)" ]; then
-            gcloud scheduler jobs create http saturday-evening \
-              --description="Trigger the nfhl-skid bot once a week on saturday evening" \
-              --schedule="0 3 * * 6" \
-              --time-zone=America/Denver \
-              --location=us-central1 \
-              --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
-              --oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
-          else
-            gcloud scheduler jobs update http saturday-evening \
-              --description="Trigger the nfhl-skid bot once a week on saturday evening" \
-              --schedule="0 3 * * 6" \
-              --time-zone=America/Denver \
-              --location=us-central1 \
-              --uri="https://us-central1-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${{ secrets.PROJECT_ID }}/jobs/default:run" \
-              --oauth-service-account-email=scheduler-sa@${{ secrets.PROJECT_ID }}.iam.gserviceaccount.com
-          fi
+          project_id: ${{ secrets.PROJECT_ID }}
+          identity_provider: ${{ secrets.IDENTITY_PROVIDER }}
+          service_account_email: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
+          pause_schedule_job: 'yes'
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          agol_org: ${{ vars.AGOL_ORG }}
+          tag_name: ${{ vars.TAG_NAME }}