actions: test gcloud CLI via devbox

prestoncabe · prestoncabe · commit 0899cee7bb81 · 2025-10-16T11:56:08.000-04:00
diff --git a/.github/workflows/devbox-deploy-builder-api.yml b/.github/workflows/devbox-deploy-builder-api.yml
@@ -0,0 +1,86 @@
+# This workflow uses devbox for dependency management and builds/deploys the builder API
+# to Cloud Run when a commit is pushed to the "main" branch.
+
+name: 'Build and Deploy Builder API to Cloud Run'
+
+on:
+  push:
+    branches:
+      # - 157-offline-dev
+      - main
+    paths:
+      - 'builder-api/**'
+      - 'devbox.json'
+      - 'devbox.lock'
+
+env:
+  PROJECT_ID: 'benefit-decision-toolkit-play'
+  REGION: 'us-central1'
+  SERVICE: 'benefit-decision-toolkit-play'
+  API_NAME: 'builder-api'
+  WORKLOAD_IDENTITY_PROVIDER: 'projects/1034049717668/locations/global/workloadIdentityPools/github-actions-google-cloud/providers/github'
+
+jobs:
+  deploy:
+    runs-on: 'ubuntu-latest'
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@v4'
+
+      # Setup devbox which includes all our dependencies: Maven, JDK 21, Quarkus, etc.
+      - name: 'Install devbox'
+        uses: 'jetify-com/devbox-install-action@v0.12.0'
+        with:
+          enable-cache: true
+
+      # Configure Workload Identity Federation and generate an access token
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
+          service_account: cicd-build-deploy-api@benefit-decision-toolkit-play.iam.gserviceaccount.com
+          project_id: ${{ env.PROJECT_ID }}
+
+      - name: 'Set up Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@v2'
+
+      # Configure Docker to use gcloud as a credential helper
+      - name: 'Configure Docker'
+        run: |
+          gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev
+
+      # Build the Quarkus app with Maven using devbox environment
+      - name: 'Build Quarkus App'
+        working-directory: builder-api
+        run: |
+          devbox run -- ./mvnw package -DskipTests
+
+      - name: 'Build and Push Container'
+        working-directory: builder-api
+        run: |-
+          DOCKER_TAG="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}/${{ env.API_NAME }}:latest"
+          docker build -f src/main/docker/Dockerfile.jvm --tag "${DOCKER_TAG}" .
+          docker push "${DOCKER_TAG}"
+
+      - name: 'Deploy to Cloud Run'
+        uses: 'google-github-actions/deploy-cloudrun@v2'
+        with:
+          service: '${{ env.API_NAME }}'
+          region: '${{ env.REGION }}'
+          image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}/${{ env.API_NAME }}:latest'
+          service_account: 'builder-api-service-account@${{ env.PROJECT_ID }}.iam.gserviceaccount.com'
+          flags: '--allow-unauthenticated --max-instances=2'
+          env_vars: |
+            QUARKUS_GOOGLE_CLOUD_PROJECT_ID=${{ env.PROJECT_ID }}
+            GCS_BUCKET_NAME=${{ env.PROJECT_ID }}.appspot.com
+
+      # If required, use the Cloud Run URL output in later steps
+      - name: 'Show output'
+        run: |
+          echo ${{ steps.deploy.outputs.url }}
diff --git a/.github/workflows/test-devbox.yml b/.github/workflows/test-devbox.yml
@@ -5,25 +5,51 @@ on:
     branches:
       - 157-offline-dev
 
+env:
+  PROJECT_ID: 'benefit-decision-toolkit-play'
+  REGION: 'us-central1'
+  SERVICE: 'benefit-decision-toolkit-play'
+  API_NAME: 'builder-api'
+  WORKLOAD_IDENTITY_PROVIDER: 'projects/1034049717668/locations/global/workloadIdentityPools/github-actions-google-cloud/providers/github'
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
 
-      - name: Copy .env file
-        run: cp .env.example .env
+      # - name: Create .env file
+      #   run: |-
+          # echo "QUARKUS_GOOGLE_CLOUD_PROJECT_ID=${{ secrets.QUARKUS_GOOGLE_CLOUD_PROJECT_ID }}" >> .env
+        # run: cp .env.example .env
+        # instead of copying, we need to use gh secrets to create the .env file with the "real" values
+        # e.g:
+        # echo "DB_HOST=${{ secrets.DB_HOST }}" >> .env
+        # echo "API_KEY=${{ secrets.API_KEY }}" >> .env
+        # Add other variables as needed
 
       - name: Install devbox
         uses: jetify-com/devbox-install-action@v0.12.0
         with:
           enable-cache: true
 
-      - name: Check devbox env variables
-        run: devbox run -- env
+      # Configure Workload Identity Federation and generate an access token
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
+          service_account: cicd-build-deploy-api@benefit-decision-toolkit-play.iam.gserviceaccount.com
+          project_id: ${{ env.PROJECT_ID }}
+
+      - name: 'Use gcloud CLI via Devbox?'
+        run: 'devbox run -- gcloud info'
+
+      # - name: Check devbox env variables
+      #   run: devbox run -- env
 
-      - name: Run a script called test
-        run: devbox run setup
+      # - name: Run a script called test
+      #   run: devbox run setup
 
       - name: Run arbitrary commands
         run: devbox run -- echo "done!"
