Yubico · DennisDyallo · Mar 18, 2025 · Mar 4, 2025 · Mar 14, 2025 · Mar 17, 2025
diff --git a/.github/scripts/commit-and-push.sh b/.github/scripts/commit-and-push.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ -z "${GITOPS_BRANCH:-}" ]]; then
+  echo "GITOPS_BRANCH must be set."
+  exit 1
+fi
+
+if [[ -z "${IMAGE_TAG:-}" ]]; then
+  echo "IMAGE_TAG must be set."
+  exit 1
+fi
+
+kustomization_path="k8s/yesdk/kustomization.yaml"
+
+commit_msg=$(
+cat <<EOF
+Update $kustomization_path
+
+Using image tag $IMAGE_TAG
+
+Triggered by workflow: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}
+Triggered by actor: ${GITHUB_ACTOR}
+EOF
+)
+
+if git diff --exit-code --quiet; then
+  echo "Nothing to commit. Skipped git commit/push."
+  exit 0
+fi
+
+git add "$kustomization_path"
+git commit --message "$commit_msg"
+
+max_retries=10
+retry_count=0
+while [ $retry_count -lt $max_retries ]; do
+  git fetch origin "$GITOPS_BRANCH"
+  git rebase "origin/$GITOPS_BRANCH"
+
+  if git push; then
+    echo "Push successful"
+    break
+  else
+    ((retry_count += 1))
+    if [ $retry_count -ge $max_retries ]; then
+      echo "Max retries reached. Exiting with failure."
+      exit 1
+    fi
+
+    echo "Failed to push. Retrying..."
+    sleep 5
+  fi
+done
diff --git a/.github/scripts/configure-git-pgp.sh b/.github/scripts/configure-git-pgp.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ -z "${PGP_KEY:-}" ]]; then
+  echo "PGP_KEY must be set."
+  exit 1
+fi
+
+echo "$PGP_KEY" | gpg --import
+
+key_id=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "sec" {print $5}')
+git config --global commit.gpgsign "true"
+git config --global user.signingKey "${key_id}"
+echo "Using PGP key for git commit signing: ${key_id}"
+
+pgp_user_id=$(gpg --list-keys --with-colons "$key_id" | awk -F: '$1 == "uid" {print $10}')
+pgp_name=$(echo "$pgp_user_id" | cut --delimiter '<' --fields 1)
+pgp_email=$(echo "$pgp_user_id" | cut --delimiter '<' --fields 2 | cut --delimiter '>' --fields 1)
+git config --global user.name "${pgp_name}"
+git config --global user.email "${pgp_email}"
+
+echo "Git name: ${pgp_name}"
+echo "Git email: ${pgp_email}"
diff --git a/.github/scripts/wait-for-commit-status.sh b/.github/scripts/wait-for-commit-status.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ -z "${GITHUB_TOKEN:-}" ]]; then
+  echo "GITHUB_TOKEN must be set."
+  exit 1
+fi
+
+if [[ -z "${REF:-}" ]]; then
+  echo "REF must be set."
+  exit 1
+fi
+
+ORG=${ORG:-Yubico}
+REPO=${REPO:-docs-gitops}
+KUSTOMIZATION_NAME=${KUSTOMIZATION_NAME:-docs}
+
+timeout_minutes=15
+end_time=$(date -ud "+$timeout_minutes minutes" +%s)
+
+echo "Looking for status:"
+echo "  Repo: $ORG/$REPO"
+echo "  Ref: $REF"
+echo "  Status context: kustomization/$KUSTOMIZATION_NAME"
+echo
+
+state=""
+message_printed=false
+while [[ -z "$state" ]]; do
+  state=$(gh api "/repos/$ORG/$REPO/commits/$REF/status" | jq -r ".statuses[] | select(.context | startswith(\"kustomization/$KUSTOMIZATION_NAME/\")).state")
+
+  if [[ -n "$state" ]]; then
+    echo "Status: $state"
+    break
+  fi
+
+  if [[ $(date -u +%s) -ge $end_time ]]; then
+    echo "Deployment was not complete after $timeout_minutes minutes."
+    exit 1
+  fi
+
+  if [[ "$message_printed" == "false" ]]; then
+    echo "Waiting for deployment to complete (timeout: $timeout_minutes minutes)..."
+    message_printed=true
+  fi
+  sleep 10
+done
+
+if [[ "$state" != "success" ]]; then
+  exit 1
+fi
+
+exit 0
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
@@ -0,0 +1,119 @@
+name: Deploy documentation
+
+on:
+  workflow_dispatch:
+    inputs:
+      gitops-branch:
+        type: choice
+        description: Environment to deploy to
+        required: true
+        options:
+          - dev
+          - stage
+          - prod
+      image-tag:
+        type: string
+        description: Image tag to deploy
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    name: Deploy docs
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out current repo
+        uses: actions/checkout@v4
+        with:
+          path: self
+
+      - id: auth
+        name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ vars.GLOBAL_GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: [email protected]
+
+      - name: Generate GitHub App token
+        id: generate_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: 800408 # Yubico Docs
+          owner: Yubico
+          repositories: docs-gitops
+          private-key: ${{ secrets.GH_APP_YUBICO_DOCS_PRIVATE_KEY }}
+
+      - name: Check out docs-gitops repo (${{ inputs.gitops-branch }} branch)
+        uses: actions/checkout@v4
+        with:
+          repository: Yubico/docs-gitops
+          ref: ${{ inputs.gitops-branch }}
+          token: ${{ steps.generate_token.outputs.token }}
+          path: gitops
+
+      - name: Update GitOps resources
+        run: sed -i "s#/yesdk/yesdk-docserver:.*\$#/yesdk/yesdk-docserver:$IMAGE_TAG#" ./k8s/yesdk/kustomization.yaml
+        working-directory: ./gitops
+        env:
+          IMAGE_TAG: "${{ inputs.image-tag }}"
+
+      - name: Set up commit signing
+        run: .github/scripts/configure-git-pgp.sh
+        env:
+          PGP_KEY: ${{ secrets.DOCS_GITOPS_PGP_KEY }}
+        working-directory: ./self
+
+      - name: Push changes to GitOps repo
+        run: ${{ github.workspace }}/self/.github/scripts/commit-and-push.sh
+        working-directory: ./gitops
+        env:
+          GITOPS_BRANCH: ${{ inputs.gitops-branch }}
+          IMAGE_TAG: "${{ inputs.image-tag }}"
+
+  verify:
+    name: Verify deployment completion
+    runs-on: ubuntu-latest
+    needs: deploy
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Authenticate to Google Cloud to read commit status
+      uses: google-github-actions/auth@v2
+      with:
+        workload_identity_provider: ${{ vars.GLOBAL_GCP_WORKLOAD_IDENTITY_PROVIDER }}
+        service_account: github-commit-status-reader@prod-docs-403900.iam.gserviceaccount.com
+
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: 260767 # Yubico Commit Status Reader
+        owner: Yubico
+        repositories: docs-gitops
+        private-key: ${{ secrets.GH_APP_YUBICO_COMMIT_STATUS_READER_PRIVATE_KEY }}
+
+    - name: Wait for deployment to complete
+      run: ./.github/scripts/wait-for-commit-status.sh
+      env:
+        GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+        ORG: yubico
+        REPO: docs-gitops
+        REF: ${{ inputs.gitops-branch }}
+        KUSTOMIZATION_NAME: docs
+
+    - name: Purge Fastly cache
+      run: >-
+        curl
+        -X POST
+        -H "Accept: application/json"
+        -H "Fastly-Key: ${{ secrets.FASTLY_API_KEY }}"
+        "https://api.fastly.com/service/${{ secrets.FASTLY_SERVICE_ID }}/purge_all"
+
+    - name: Wait 30 seconds for Fastly cache to purge
+      run: sleep 30