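# Manually dispatched workflow: looks up the URL of the Cloud Run service
# configured on the selected GitHub Environment and sends it one authenticated
# POST request. Authentication uses GitHub OIDC with Google Workload Identity
# Federation, so no long-lived key is stored in the repository.
name: Invoke Cloud Run

on:
  workflow_dispatch:
    inputs:
      environment:
        description: "GitHub Environment to invoke"
        required: true
        default: "longbridge-sg"
        type: choice
        options:
          - longbridge-hk
          - longbridge-paper
          - longbridge-sg
      path:
        description: "HTTP path to call"
        required: false
        default: "/"
        type: string

env:
  GCP_PROJECT_ID: longbridgequant
  GCP_WORKLOAD_IDENTITY_PROVIDER: projects/252919773759/locations/global/workloadIdentityPools/github-actions/providers/github-main
  # NOTE(review): the name suggests this is the deploy identity. Confirm it
  # holds only what this workflow needs (describe the service, invoke it), or
  # switch to a dedicated invoker service account.
  GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT: longbridge-platform-deploy@longbridgequant.iam.gserviceaccount.com

concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: false

jobs:
  invoke:
    name: Invoke ${{ inputs.environment }} Cloud Run
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      # Required so the job can request the OIDC token exchanged by the auth steps.
      id-token: write
    # Binding the job to the environment makes its protection rules and its
    # vars.* values apply to this run.
    environment: ${{ inputs.environment }}
    env:
      CLOUD_RUN_REGION: ${{ vars.CLOUD_RUN_REGION }}
      CLOUD_RUN_SERVICE: ${{ vars.CLOUD_RUN_SERVICE }}
    steps:
      - name: Validate inputs
        env:
          # Inputs reach the shell as environment variables. A ${{ }} expression
          # inside `run:` is expanded into the script text before the shell
          # starts, so a crafted value would be executed rather than compared.
          TARGET_ENVIRONMENT: ${{ inputs.environment }}
        run: |
          set -euo pipefail
          case "${TARGET_ENVIRONMENT}" in
            longbridge-hk|longbridge-paper|longbridge-sg) ;;
            *)
              echo "Unsupported environment: ${TARGET_ENVIRONMENT}" >&2
              exit 1
              ;;
          esac
          if [ -z "${CLOUD_RUN_REGION:-}" ] || [ -z "${CLOUD_RUN_SERVICE:-}" ]; then
            echo "CLOUD_RUN_REGION and CLOUD_RUN_SERVICE are required on ${TARGET_ENVIRONMENT}." >&2
            exit 1
          fi

      # NOTE(review): v3 is a mutable tag. Pin each third-party action to a
      # full commit SHA so a retagged release cannot change what runs with
      # this job's OIDC permission.
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: ${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}

      - name: Set up gcloud
        uses: google-github-actions/setup-gcloud@v3
        with:
          project_id: ${{ env.GCP_PROJECT_ID }}
          version: ">= 416.0.0"

      - name: Resolve service URL
        id: service
        env:
          # Free-form user input: never interpolate it into the script body.
          REQUEST_PATH: ${{ inputs.path }}
        run: |
          set -euo pipefail
          raw_path="${REQUEST_PATH}"
          if [ -z "${raw_path}" ]; then
            raw_path="/"
          fi
          # The leading slash keeps the value in the path part of the final URL.
          if [[ "${raw_path}" != /* ]]; then
            raw_path="/${raw_path}"
          fi
          # $GITHUB_OUTPUT is line-oriented (key=value), so a newline or other
          # control character in the path could add or replace step outputs.
          if [[ "${raw_path}" == *[[:cntrl:]]* ]]; then
            echo "Path must not contain control characters." >&2
            exit 1
          fi
          service_url="$(
            gcloud run services describe "${CLOUD_RUN_SERVICE}" \
              --region "${CLOUD_RUN_REGION}" \
              --format='value(status.url)'
          )"
          if [ -z "${service_url}" ]; then
            echo "Unable to resolve Cloud Run service URL." >&2
            exit 1
          fi
          # The ID token is later sent to this URL; refuse anything but HTTPS.
          if [[ "${service_url}" != https://* ]]; then
            echo "Resolved Cloud Run service URL is not an HTTPS URL." >&2
            exit 1
          fi
          echo "url=${service_url}" >> "$GITHUB_OUTPUT"
          echo "path=${raw_path}" >> "$GITHUB_OUTPUT"

      # Second auth call mints an ID token whose audience is the resolved
      # service URL, so the token is only valid for that service.
      - name: Authenticate for service invocation
        id: invoke-auth
        uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: ${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}
          token_format: id_token
          id_token_audience: ${{ steps.service.outputs.url }}
          id_token_include_email: true

      - name: Invoke service
        env:
          # Token, URL and path are handed over as environment variables so
          # none of them is written into the generated script text.
          ID_TOKEN: ${{ steps.invoke-auth.outputs.id_token }}
          SERVICE_URL: ${{ steps.service.outputs.url }}
          REQUEST_PATH: ${{ steps.service.outputs.path }}
        run: |
          set -euo pipefail
          curl --fail-with-body --show-error --silent \
            --request POST \
            --header "Authorization: Bearer ${ID_TOKEN}" \
            "${SERVICE_URL}${REQUEST_PATH}"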