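# Manually triggered production deployment of an already-built commit.
# The operator supplies a commit SHA; the workflow checks the SHA, confirms the
# matching build tarball exists in GCS, and runs the deploy script on the
# bastion host over SSH.
name: Manual Production Deployment

on:
  workflow_dispatch:
    inputs:
      commit_sha:
        description: "Git commit SHA to deploy"
        required: true
        type: string

# Least privilege for GITHUB_TOKEN: the job only reads the repository.
permissions:
  contents: read

jobs:
  deploy-estuary:
    name: "Deploy to Estuary (Production)"
    runs-on: ubuntu-latest
    environment: estuary  # Protection rules configured in GitHub repo settings
    steps:
      # `ref` is passed as an action input, not evaluated by a shell.
      - name: 📥 Checkout specific commit
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.inputs.commit_sha }}

      # commit_sha is operator-supplied text. It is handed to the shell through
      # an environment variable instead of being expanded into the script, so
      # it can never be parsed as shell syntax. The hex-only check is also what
      # keeps the later expansions of the same input (GCS path, remote command
      # line) free of shell metacharacters.
      - name: 🔍 Validate commit SHA
        env:
          COMMIT_SHA: ${{ github.event.inputs.commit_sha }}
        run: |
          # bash =~ anchors on the whole string, so an embedded newline fails.
          if [[ ! "$COMMIT_SHA" =~ ^[0-9a-fA-F]{7,40}$ ]]; then
            echo "::error::commit_sha must be 7-40 hexadecimal characters."
            exit 1
          fi
          echo "Deploying commit: $COMMIT_SHA"
          # ^{commit} requires the name to resolve to a commit object.
          git rev-parse --verify "${COMMIT_SHA}^{commit}"

      # Download the artifacts for this specific SHA from the artifact storage
      # NOTE(review): credentials_json is a long-lived service-account key.
      # This action also supports Workload Identity Federation, which removes
      # the stored key (it needs `id-token: write` added to permissions).
      - name: 🔑 Authenticate to Google Cloud
        uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: ⚙️ Setup Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v1

      # NOTE(review): only the tarball's presence is checked here; no checksum
      # or signature of the artifact is verified in this workflow.
      - name: 📥 Download tarball from GCS
        env:
          COMMIT_SHA: ${{ github.event.inputs.commit_sha }}
        run: |
          tarball="labs-${COMMIT_SHA}.tar.gz"
          mkdir -p downloaded-artifacts
          gsutil cp "gs://commontools-build-artifacts/workspace-artifacts/${tarball}" downloaded-artifacts/

          # Verify the tarball exists
          if [ ! -f "downloaded-artifacts/${tarball}" ]; then
            echo "::error::Artifact tarball for commit ${COMMIT_SHA} not found!"
            echo "Make sure this commit was successfully built and artifacts were uploaded."
            exit 1
          fi

      - name: 🦕 Setup Deno
        uses: ./.github/actions/deno-setup
        with:
          cache: false

      - name: 🚀 Deploy application to Estuary (Production)
        id: deployment
        # NOTE(review): this third-party action tracks a mutable branch while
        # receiving the bastion private key. Pin it to a reviewed full commit
        # SHA, and consider its `fingerprint` input so the bastion host key is
        # verified.
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.BASTION_HOST }}
          username: bastion
          key: ${{ secrets.BASTION_SSH_PRIVATE_KEY }}
          # commit_sha is expanded into the remote command line. That is safe
          # only because the "Validate commit SHA" step above has already
          # restricted it to hexadecimal characters; keep that step in place.
          script: /opt/ct/deploy.sh ${{ vars.DEPLOYMENT_ENVIRONMENT }} ${{ github.event.inputs.commit_sha }}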