From 1f99e4ff27b4b8afcea161bbe32ce5f3d9a859c3 Mon Sep 17 00:00:00 2001 From: Pablo Suarez Date: Sat, 30 Aug 2025 15:57:28 +0300 Subject: [PATCH 1/2] feat DEVOPS-2244 gcp production deployment --- ...yml => close-inactive-issues.yml.disabled} | 0 ...canning.yml => code-scanning.yml.disabled} | 0 .github/workflows/docker-publish.yml | 149 ++++++++---------- .github/workflows/docs-check.yml | 2 +- .github/workflows/go.yml | 5 +- .github/workflows/goreleaser.yml | 2 +- .github/workflows/license-check.yml | 2 +- .github/workflows/lint.yml | 2 +- cd/base/configmap.yaml | 8 + cd/base/deployment.yaml | 64 ++++++++ cd/base/kustomization.yaml | 6 + cd/base/namespace.yaml | 4 + cd/overlays/production/kustomization.yaml | 8 + cd/overlays/production/secrets-app.yaml | 9 ++ z.yaml | 25 +++ 15 files changed, 194 insertions(+), 92 deletions(-) rename .github/workflows/{close-inactive-issues.yml => close-inactive-issues.yml.disabled} (100%) rename .github/workflows/{code-scanning.yml => code-scanning.yml.disabled} (100%) create mode 100644 cd/base/configmap.yaml create mode 100644 cd/base/deployment.yaml create mode 100644 cd/base/kustomization.yaml create mode 100644 cd/base/namespace.yaml create mode 100644 cd/overlays/production/kustomization.yaml create mode 100644 cd/overlays/production/secrets-app.yaml create mode 100644 z.yaml diff --git a/.github/workflows/close-inactive-issues.yml b/.github/workflows/close-inactive-issues.yml.disabled similarity index 100% rename from .github/workflows/close-inactive-issues.yml rename to .github/workflows/close-inactive-issues.yml.disabled diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml.disabled similarity index 100% rename from .github/workflows/code-scanning.yml rename to .github/workflows/code-scanning.yml.disabled diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index cd2d923cb..72e8281aa 100644 --- a/.github/workflows/docker-publish.yml 
+++ b/.github/workflows/docker-publish.yml 
@@ -1,84 +1,34 @@ -name: Docker - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. +name: Docker push and deploy on: - schedule: - - cron: "27 0 * * *" push: - branches: ["main", "next"] - # Publish semver tags as releases. - tags: ["v*.*.*"] + branches: ["main"] pull_request: - branches: ["main", "next"] + branches: ["main"] env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} + REGISTRY: asia-docker.pkg.dev + IMAGE_NAME: asia-docker.pkg.dev/prj-p-devops-services-tvwmrf63/zilliqa-private/github-mcp-server jobs: build: - runs-on: ubuntu-latest-xl + runs-on: ubuntu-22.04 permissions: contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. id-token: write steps: - name: Checkout repository uses: actions/checkout@v4 - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 with: - cosign-release: "v2.2.4" + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + fetch-depth: 0 - # Set up BuildKit Docker container builder to be able to build - # multi-platform images and export cache - # https://github.com/docker/setup-buildx-action - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ${{ 
env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=schedule - type=ref,event=branch - type=ref,event=tag - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha - type=edge - # Custom rule to prevent pre-releases from getting latest tag - type=raw,value=latest,enable=${{ github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }} - - name: Go Build Cache for Docker uses: actions/cache@v4 with: 
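Review bot: `packages: write` is still granted in the `permissions` block although the ghcr.io login step that needed it is deleted in this hunk; the image now goes to Artifact Registry via workload identity, so `packages: write` is dead privilege and should be dropped (`contents: read` plus `id-token: write` is all the job uses). `actions/checkout@v4` is referenced by a floating tag while the buildx action directly below and the deploy job's checkout are pinned to commit SHAs; pin this one to a SHA as well so the supply-chain posture is consistent across the workflow. The `ref`/`repository` inputs read `github.event.pull_request.head.*`, which evaluate to empty on `push` events and silently fall back to the checkout defaults — a comment such as `# PR: check out the PR head (fork or branch); push: empty, falls back to github.sha` would make that intentional rather than a surprise. The `build` job definition continues in the next hunk.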
@@ -90,33 +40,64 @@ jobs: with: cache-source: go-build-cache - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + - name: Docker build and push in production + uses: Zilliqa/gh-actions-workflows/actions/ci-dockerized-app-build-push@v2 with: context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - platforms: linux/amd64,linux/arm64 + push: ${{ github.ref_name == github.event.repository.default_branch }} + tag: ${{ env.IMAGE_NAME }} + tag-length: 8 + tag-latest: ${{ github.ref_name == github.event.repository.default_branch }} + registry: ${{ env.REGISTRY }} + workload-identity-provider: "${{ secrets.GCP_PRD_GITHUB_WIF }}" + service-account: "${{ secrets.GCP_PRD_GITHUB_SA_DOCKER_REGISTRY }}" + cache-key: ${{ env.IMAGE_NAME }}-cache build-args: | VERSION=${{ github.ref_name }} - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. 
- run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + deploy: + needs: [build] + permissions: + id-token: write + contents: write + runs-on: ubuntu-22.04 + if: github.ref_name == github.event.repository.default_branch + strategy: + fail-fast: false + matrix: + application: + - github-mcp-server + env: + APP_NAME: ${{ matrix.application }} + Z_ENV: z.yaml + Z_SERVICE_ACCOUNT: ${{ secrets.GCP_PRD_GITHUB_SA_K8S_DEPLOY }} + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_PRD }} + GITHUB_PAT: ${{ secrets.GH_PAT }} + Z_IMAGE: asia-docker.pkg.dev/prj-p-devops-services-tvwmrf63/zilliqa-private/z:latest + REGISTRY: asia-docker.pkg.dev + steps: + - name: Checkout repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 + + - name: Authenticate to Google Cloud + id: google-auth + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa + with: + token_format: "access_token" + workload_identity_provider: "${{ secrets.GCP_PRD_GITHUB_WIF }}" + service_account: ${{ env.Z_SERVICE_ACCOUNT }} + create_credentials_file: true + + - name: Deploy application + run: | + gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://${{ env.REGISTRY }} + docker run --rm \ + -e ZQ_USER='${{ env.Z_SERVICE_ACCOUNT }}' \ + -e Z_ENV='/github-mcp-server/${{ env.Z_ENV }}' \ + -e OP_SERVICE_ACCOUNT_TOKEN='${{ env.OP_SERVICE_ACCOUNT_TOKEN }}' \ + -e GITHUB_PAT='${{ env.GITHUB_PAT }}' \ + -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/google/application_default_credentials.json' \ + -v `pwd`:/github-mcp-server \ + -v ${{ steps.google-auth.outputs.credentials_file_path }}:/google/application_default_credentials.json \ + --name z_container ${{ env.Z_IMAGE }} \ + bash -c "gcloud config set account ${{ env.Z_SERVICE_ACCOUNT }} && z /app /github-mcp-server app sync --cache-dir .cache ${{ env.APP_NAME }}" \ No newline at end of file 
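Review bot: The deploy step interpolates `${{ env.OP_SERVICE_ACCOUNT_TOKEN }}` and `${{ env.GITHUB_PAT }}` straight into the `docker run` command line, so both tokens land in the runner's process arguments and in `docker inspect` of `z_container`, and a token containing a quote breaks the shell; the job-level `env:` already exports them, so pass them by name instead — `-e OP_SERVICE_ACCOUNT_TOKEN \` and `-e GITHUB_PAT \` — and likewise `-e ZQ_USER="$Z_SERVICE_ACCOUNT" \`. The cosign step is removed with no replacement, so images pushed to `asia-docker.pkg.dev` no longer carry a signature or provenance the deploy side could verify; unless `ci-dockerized-app-build-push@v2` signs internally (not visible here), the commit message should state that signing was intentionally dropped. `Z_IMAGE` pins the deployment tool to the mutable `z:latest` tag while production GCP credentials and the OIDC token are mounted into that container, so whoever can push that tag controls production deploys — reference it by digest (`z@sha256:…`) and pin `Zilliqa/gh-actions-workflows/…@v2` to a commit SHA for the same reason. `contents: write` on the `deploy` job looks wider than a checkout needs; unless `z … app sync` writes back to the repository, `contents: read` suffices. Also, on same-repository `pull_request` runs the build step still receives `workload-identity-provider`/`service-account` even though `push` is false, so consider gating those inputs on `github.event_name != 'pull_request'` to avoid authenticating to production from PR builds.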
diff --git a/.github/workflows/docs-check.yml b/.github/workflows/docs-check.yml index c28c528b2..473cf26ea 100644 --- a/.github/workflows/docs-check.yml +++ b/.github/workflows/docs-check.yml @@ -11,7 +11,7 @@ permissions: jobs: docs-check: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@v4 diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index e3ef25022..de1fd3f2a 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -8,10 +8,7 @@ jobs: build: strategy: fail-fast: false - matrix: - os: [ubuntu-latest, windows-latest, macos-latest] - - runs-on: ${{ matrix.os }} + runs-on: ubuntu-22.04 steps: - name: Check out code diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml index 263607ee1..5ea7c2909 100644 --- a/.github/workflows/goreleaser.yml +++ b/.github/workflows/goreleaser.yml @@ -10,7 +10,7 @@ permissions: jobs: release: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Check out code diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml index 50f34ff60..a1330f729 100644 --- a/.github/workflows/license-check.yml +++ b/.github/workflows/license-check.yml @@ -7,7 +7,7 @@ permissions: jobs: license-check: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Check out code diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b40193e72..aca98f908 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -11,7 +11,7 @@ permissions: jobs: golangci: name: lint - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 diff --git a/cd/base/configmap.yaml b/cd/base/configmap.yaml new file mode 100644 index 000000000..002fa4998 --- /dev/null +++ b/cd/base/configmap.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: github-mcp-config +data: + GITHUB_TOOLSETS: "repos,issues,pull_requests,actions,code_security,notifications,context" + GITHUB_READ_ONLY: "false" + GITHUB_DYNAMIC_TOOLSETS: "false" \ No newline at end of file diff --git a/cd/base/deployment.yaml b/cd/base/deployment.yaml new file mode 100644 index 000000000..819859b53 --- /dev/null +++ b/cd/base/deployment.yaml @@ -0,0 +1,64 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: github-mcp-server + labels: + app: github-mcp-server +spec: + replicas: 1 + selector: + matchLabels: + app: github-mcp-server + template: + metadata: + labels: + app: github-mcp-server + spec: + containers: + - name: github-mcp-server + image: github-mcp-server + imagePullPolicy: Always + env: + - name: GITHUB_PERSONAL_ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: github-mcp-secrets + key: GITHUB_TOKEN + - name: GITHUB_TOOLSETS + valueFrom: + configMapKeyRef: + name: github-mcp-config + key: GITHUB_TOOLSETS + - name: GITHUB_READ_ONLY + valueFrom: + configMapKeyRef: + name: github-mcp-config + key: GITHUB_READ_ONLY + - name: GITHUB_DYNAMIC_TOOLSETS + valueFrom: + configMapKeyRef: + name: github-mcp-config + key: GITHUB_DYNAMIC_TOOLSETS + resources: + requests: + memory: "256Mi" + cpu: "200m" + limits: + memory: "1Gi" + cpu: "1000m" + livenessProbe: + exec: + command: + - /bin/sh + - -c + - "echo 'Liveness check passed'" + initialDelaySeconds: 30 + periodSeconds: 60 + readinessProbe: + exec: + command: + - /bin/sh + - -c + - "echo 'Readiness check passed'" + initialDelaySeconds: 5 + periodSeconds: 30 \ No newline at end of file diff --git a/cd/base/kustomization.yaml b/cd/base/kustomization.yaml new file mode 100644 index 000000000..eef682a97 --- /dev/null +++ b/cd/base/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - configmap.yaml + - deployment.yaml + - namespace.yaml 
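Review bot: `GITHUB_READ_ONLY: "false"` together with a toolset list containing `repos`, `pull_requests`, `actions` and `code_security` exposes write-capable tools backed by the PAT injected from `github-mcp-secrets`, and nothing in the ConfigMap records why production needs write access or how the token's scope is bounded. Either default to `"true"` here and let the production overlay widen it deliberately, or add a comment above the key such as `# write tools enabled for <use case>; backing PAT is scoped to <repos>/<permissions> — see DEVOPS-2244` so the blast radius of a prompt-injected tool call or a leaked token is explicit to reviewers. Quoting the boolean-looking values as strings, as done here, is correct for env-var consumption and should be kept.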
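Review bot: The pod spec in the `Deployment` hunk sets no `securityContext` and leaves the service-account token automounted, so the container runs as whatever user the image defaults to (root unless the Dockerfile says otherwise), with a writable root filesystem, the default capability set and a Kubernetes API token the server does not appear to need. The liveness and readiness probes run `echo …`, which always exits 0, so they never detect a wedged process; drop them (the kubelet already restarts on exit) or probe something the server actually serves — the image's real health endpoint is not visible from here. `image: github-mcp-server` carries no tag or digest and relies on tooling outside this hunk (presumably the `z` deployer, given the workflow's `tag-length`/`Z_IMAGE`) to rewrite it; a comment on that line stating who substitutes the digest would help. Hardening to add (adjust `runAsUser` to the image's user and drop `readOnlyRootFilesystem` if the server writes to disk):
```yaml
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: github-mcp-server
          # … unchanged: image, env, resources, probes …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```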
diff --git a/cd/base/namespace.yaml b/cd/base/namespace.yaml new file mode 100644 index 000000000..2d4e8753c --- /dev/null +++ b/cd/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: github-mcp diff --git a/cd/overlays/production/kustomization.yaml b/cd/overlays/production/kustomization.yaml new file mode 100644 index 000000000..a3e5e0100 --- /dev/null +++ b/cd/overlays/production/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base + - secrets-app.yaml + +namespace: github-mcp-prd diff --git a/cd/overlays/production/secrets-app.yaml b/cd/overlays/production/secrets-app.yaml new file mode 100644 index 000000000..3ae486899 --- /dev/null +++ b/cd/overlays/production/secrets-app.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: github-mcp-secrets + annotations: + zilliqa.com/autofill: "prj-p-devops-services" +type: Opaque +data: + GITHUB_TOKEN: "github-mcp-server/GITHUB_TOKEN" \ No newline at end of file diff --git a/z.yaml b/z.yaml new file mode 100644 index 000000000..f18236a50 --- /dev/null +++ b/z.yaml @@ -0,0 +1,25 @@ +define: &project_id "prj-p-devops-services-tvwmrf63" +define: ®ion "asia-southeast1" + +global: + tf_state_bucket: "bkt-prj-p-devops-services-tvwmrf63-state" + tf_state_prefix: "terraform/github-mcp-server" + +registries: + staging: asia-docker.pkg.dev/prj-p-devops-services-tvwmrf63/zilliqa-private + production: asia-docker.pkg.dev/prj-p-devops-services-tvwmrf63/zilliqa-private + +clusters: + production: + manifests: {} + project_id: *project_id + region: *region + name: gke-p-devops-services-01-ase1 + bastion_name: vm-p-devops-services-bastion-ase1 + bastion_zone: asia-southeast1-a + apps: + github-mcp-server: + repo: https://github.com/Zilliqa/github-mcp-server + path: cd/overlays/production + track: staging + type: kustomize \ No newline at end of file 
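Review bot: `namespace: github-mcp-prd` in the production overlay also applies to the `kind: Namespace` object pulled in from the base (kustomize's namespace transformer rewrites `metadata.name` of Namespace resources), so the rendered namespace is `github-mcp-prd` and the base's `github-mcp` name is only what you get when the base is applied on its own. If that is the intent, say so in the overlay with `# renames the base Namespace to github-mcp-prd as well as placing all resources in it`; if separate namespaces were wanted, the base should not ship a Namespace at all.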
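Review bot: `data.GITHUB_TOKEN` holds the plain string `github-mcp-server/GITHUB_TOKEN` rather than base64, and the API server rejects a `Secret` whose `data` values are not valid base64, so this manifest can only apply if the `zilliqa.com/autofill` controller (or the `z` deployer) rewrites the value before or during apply — inferred from the annotation, not visible here. Record that contract above `data:` with `# placeholder path, resolved by the autofill controller from project prj-p-devops-services — never commit a real token here`, so nobody "fixes" it by base64-encoding a real PAT into git. Since this token is what the write-enabled toolset acts with, the `github-mcp-prd` namespace's RBAC on `secrets` deserves a mention in the same comment or in the README.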
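Review bot: The top-level key `define` appears twice (`define: &project_id …` and `define: &region …`); duplicate mapping keys are invalid in YAML 1.2 and strict loaders (go-yaml v3, for one) reject the document, while lenient loaders keep only the last value — the anchors still resolve, which is presumably why it works today, but it is fragile. If the `z` schema allows, use a single map, `define:` / `  project_id: &project_id "prj-p-devops-services-tvwmrf63"` / `  region: &region "asia-southeast1"`. The production app entry has `track: staging` while its `path` is `cd/overlays/production` and both `registries` entries point at the same repository; if staging and production intentionally share one image stream, a comment should say so, otherwise `track: production` looks like the intended value.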
From e39cb23a11d5c0bf85572b67fab17aeac54c35c6 Mon Sep 17 00:00:00 2001 From: Pablo Suarez Date: Sun, 31 Aug 2025 00:49:33 +0300 Subject: [PATCH 2/2] feat: DEVOPS-2244 keeping the deployment replicas to 0 --- cd/base/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cd/base/deployment.yaml b/cd/base/deployment.yaml index 819859b53..3890b0835 100644 --- a/cd/base/deployment.yaml +++ b/cd/base/deployment.yaml @@ -5,7 +5,7 @@ metadata: labels: app: github-mcp-server spec: - replicas: 1 + replicas: 0 selector: matchLabels: app: github-mcp-server
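Review bot: `replicas: 0` in the base makes the production Deployment a no-op until someone edits the base again, and nothing records why or when it should be raised; add a comment on the line, e.g. `# intentionally scaled to zero (DEVOPS-2244): <reason, owner>`, or keep the base at 1 and set zero in `cd/overlays/production` with a replicas patch so the intent is per-environment and does not leak into other overlays. The Deployment's spec continues outside this hunk.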