name: CD on: push: branches: [master, main] pull_request: env: IMAGE_BASE: ${{ secrets.AR_LOCATION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/${{ secrets.AR_REPO }} jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 # Instala kubectl + auth plugin (gcloud já vem via setup-gcloud). # Build é feito remoto via Cloud Build (não precisa Docker no runner). - name: Install kubectl + gke-auth-plugin run: | apt-get update -qq apt-get install -y -qq apt-transport-https ca-certificates gnupg curl curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" > /etc/apt/sources.list.d/google-cloud-sdk.list apt-get update -qq apt-get install -y -qq kubectl google-cloud-cli-gke-gcloud-auth-plugin kubectl version --client=true - name: Auth GCP uses: google-github-actions/auth@v2 with: credentials_json: ${{ secrets.GCP_SA_KEY }} - name: Setup gcloud uses: google-github-actions/setup-gcloud@v2 with: project_id: ${{ secrets.GCP_PROJECT }} - name: Build & push (Cloud Build, sem Docker local) run: | set -e IMG="${IMAGE_BASE}/${{ gitea.event.repository.name }}:lab-${{ gitea.run_number }}" # --gcs-source-staging-dir: pula o auto-detect que precisa de # storage.buckets.list (project-scope). gitea-cd só tem grant # na bucket _cloudbuild, não no projeto inteiro. # --async: gcloud retorna assim que o build é enfileirado. Sem # isso, gcloud tenta streamar Cloud Logging, exige Viewer/Owner # no projeto, e --suppress-logs nessa versão do CLI ainda dá # exit != 0 quando não consegue ler. Polling abaixo é o trade. BUILD_ID=$(gcloud builds submit \ --tag "$IMG" \ --project=${{ secrets.GCP_PROJECT }} \ --timeout=30m \ --gcs-source-staging-dir="gs://${{ secrets.GCP_PROJECT }}_cloudbuild/source" \ --async \ --format="value(id)") echo "Cloud Build kicked off: $BUILD_ID" # Poll até terminar. gcloud builds describe usa cloudbuild.builds.get # (já incluído em roles/cloudbuild.builds.editor). while true; do STATUS=$(gcloud builds describe "$BUILD_ID" \ --project=${{ secrets.GCP_PROJECT }} \ --region=global \ --format="value(status)") echo "[$(date -u +%H:%M:%S)] build $BUILD_ID: $STATUS" case "$STATUS" in SUCCESS) break ;; FAILURE|INTERNAL_ERROR|TIMEOUT|CANCELLED|EXPIRED) echo "::error::Cloud Build $STATUS — ver console: https://console.cloud.google.com/cloud-build/builds/$BUILD_ID?project=${{ secrets.GCP_PROJECT }}" exit 1 ;; esac sleep 15 done echo "IMG=$IMG" >> $GITHUB_ENV - name: Deploy hml2 (apenas em push pra master/main) if: github.event_name == 'push' env: USE_GKE_GCLOUD_AUTH_PLUGIN: "True" run: | gcloud container clusters get-credentials ${{ secrets.GKE_CLUSTER }} --region ${{ secrets.GKE_REGION }} --project ${{ secrets.GCP_PROJECT }} NS=${{ secrets.K8S_NAMESPACE }} # 1) Aplica manifests (idempotente — cria PVC/Service/Ingress/Deployment se faltarem) if [ -d k8s ]; then kubectl apply -n "$NS" -f k8s/ fi # 2) Atualiza image DEPLOYMENT="${{ gitea.event.repository.name }}-deployment" if kubectl get deployment "$DEPLOYMENT" -n "$NS" >/dev/null 2>&1; then CONTAINER=$(kubectl get deployment "$DEPLOYMENT" -n "$NS" -o jsonpath='{.spec.template.spec.containers[0].name}') kubectl set image deployment/"$DEPLOYMENT" -n "$NS" "$CONTAINER=$IMG" kubectl rollout status deployment/"$DEPLOYMENT" -n "$NS" --timeout=600s else echo "Deployment $DEPLOYMENT não existe no ns $NS — pulei set image (provavelmente é o 1º deploy e o kubectl apply acabou de criar)" fi