Prod Build #1384
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Prod Build | |
# NOTE! This is the *PROD* workflow. | |
# Keep in mind that much of the configuration is repeated in `stage-build.yml` | |
# and `dev-build.yml` | |
# | |
# For a complete picture of all environments, see: | |
# | |
# https://docs.google.com/spreadsheets/d/1VnnEl-iTtKYmlyN02FiEXygxZCgE4o_ZO8wSleebne4/edit?usp=sharing | |
# | |
env: | |
DEFAULT_DEPLOYMENT_PREFIX: "main" | |
DEFAULT_NOTES: "" | |
DEFAULT_LOG_EACH_SUCCESSFUL_UPLOAD: "false" | |
on: | |
schedule: | |
# * is a special character in YAML so you have to quote this string | |
- cron: "0 */24 * * *" | |
workflow_dispatch: | |
inputs: | |
notes: | |
description: "Notes" | |
required: false | |
default: ${DEFAULT_NOTES} | |
# This is very useful when combined with the "Use workflow from" | |
# feature that is built into the "Run workflow" button on | |
# https://github.com/mdn/yari/actions?query=workflow%3A%22Production+Build%22 | |
# If you override the deployment prefix to something like the name | |
# of the branch, you can deploy that entire branch to its own prefix | |
# in S3 which means that it can be fully hosted as its own site. | |
deployment_prefix: | |
description: "Deployment prefix" | |
required: false | |
default: ${DEFAULT_DEPLOYMENT_PREFIX} | |
log_each_successful_upload: | |
description: "Deployer logs each success" | |
required: false | |
default: ${DEFAULT_LOG_EACH_SUCCESSFUL_UPLOAD} | |
invalidate: | |
description: "Invalidate CDN (use only in exceptional circumstances)" | |
type: boolean | |
required: false | |
default: false | |
workflow_call: | |
secrets: | |
GCP_PROJECT_NAME: | |
required: true | |
WIP_PROJECT_ID: | |
required: true | |
permissions: | |
contents: read | |
id-token: write | |
jobs: | |
build: | |
environment: prod | |
runs-on: ubuntu-latest | |
# Only run the scheduled workflows on the main repo. | |
if: github.repository == 'mdn/yari' | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/checkout@v4 | |
if: ${{ ! vars.SKIP_BUILD || ! vars.SKIP_FUNCTION }} | |
with: | |
repository: mdn/content | |
path: mdn/content | |
# Yes, this means fetch EVERY COMMIT EVER. | |
# It's probably not sustainable in the far future (e.g. past 2021) | |
# but for now it's good enough. We'll need all the history | |
# so we can figure out each document's last-modified date. | |
fetch-depth: 0 | |
- uses: actions/checkout@v4 | |
if: ${{ ! vars.SKIP_BUILD }} | |
with: | |
repository: mdn/mdn-studio | |
path: mdn/mdn-studio | |
lfs: true | |
token: ${{ secrets.MDN_STUDIO_PAT }} | |
- uses: actions/checkout@v4 | |
if: ${{ ! vars.SKIP_BUILD }} | |
with: | |
repository: mdn/curriculum | |
path: mdn/curriculum | |
# Our usecase is a bit complicated. When the cron schedule runs this workflow, | |
# we rely on the env vars defined at the top of the file. But if it's a manual | |
# trigger we rely on the inputs and only the inputs. That way, the user can | |
# opt to type in 'false'. | |
# It's not possible to express this with GitHub Workflow syntax, so we | |
# have a dedicate set that conveniently sets these as env vars which we | |
# can refer to later in `if: ....` lines or in bash with the `run: ...` blocks. | |
- name: Merge dispatch inputs with default env vars | |
run: | | |
echo "DEPLOYER_BUCKET_PREFIX=${{ github.event.inputs.deployment_prefix || env.DEFAULT_DEPLOYMENT_PREFIX }}" >> $GITHUB_ENV | |
echo "DEPLOYER_LOG_EACH_SUCCESSFUL_UPLOAD=${{ github.event.inputs.log_each_successful_upload || env.DEFAULT_LOG_EACH_SUCCESSFUL_UPLOAD }}" >> $GITHUB_ENV | |
- uses: actions/checkout@v4 | |
if: ${{ ! vars.SKIP_BUILD || ! vars.SKIP_FUNCTION }} | |
with: | |
repository: mdn/translated-content | |
path: mdn/translated-content | |
# See matching warning for mdn/content checkout step | |
fetch-depth: 0 | |
- uses: actions/checkout@v4 | |
if: ${{ ! vars.SKIP_BUILD }} | |
with: | |
repository: mdn/mdn-contributor-spotlight | |
path: mdn/mdn-contributor-spotlight | |
- name: Setup Node.js environment | |
if: ${{ ! vars.SKIP_BUILD || ! vars.SKIP_FUNCTION }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ".nvmrc" | |
cache: yarn | |
- name: Install all yarn packages | |
if: ${{ ! vars.SKIP_BUILD }} | |
run: yarn --frozen-lockfile | |
env: | |
# https://github.com/microsoft/vscode-ripgrep#github-api-limit-note | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install Python | |
if: ${{ ! vars.SKIP_BUILD }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Install Python poetry | |
if: ${{ ! vars.SKIP_BUILD }} | |
uses: snok/install-poetry@v1 | |
- name: Install deployer | |
if: ${{ ! vars.SKIP_BUILD }} | |
run: | | |
cd deployer | |
poetry install | |
- name: Display Python & Poetry version | |
if: ${{ ! vars.SKIP_BUILD }} | |
run: | | |
python --version | |
poetry --version | |
- name: Print information about build | |
run: | | |
echo "notes: ${{ github.event.inputs.notes || env.DEFAULT_NOTES }}" | |
echo "log_each_successful_upload: ${{ github.event.inputs.log_each_successful_upload || env.DEFAULT_LOG_EACH_SUCCESSFUL_UPLOAD }}" | |
echo "deployment_prefix: ${{ github.event.inputs.deployment_prefix || env.DEFAULT_DEPLOYMENT_PREFIX }}" | |
- name: Print information about CPU | |
run: cat /proc/cpuinfo | |
- name: Build everything | |
if: ${{ ! vars.SKIP_BUILD }} | |
env: | |
# Remember, the mdn/content repo got cloned into `pwd` into a | |
# sub-folder called "mdn/content" | |
CONTENT_ROOT: ${{ github.workspace }}/mdn/content/files | |
CONTENT_TRANSLATED_ROOT: ${{ github.workspace }}/mdn/translated-content/files | |
CONTRIBUTOR_SPOTLIGHT_ROOT: ${{ github.workspace }}/mdn/mdn-contributor-spotlight/contributors | |
BLOG_ROOT: ${{ github.workspace }}/mdn/mdn-studio/content/posts | |
CURRICULUM_ROOT: ${{ github.workspace }}/mdn/curriculum | |
BASE_URL: "https://developer.mozilla.org" | |
# The default for this environment variable is geared for writers | |
# (aka. local development). Usually defaults are supposed to be for | |
# secure production but this is an exception and default | |
# is not insecure. | |
BUILD_LIVE_SAMPLES_BASE_URL: https://live.mdnplay.dev | |
BUILD_LEGACY_LIVE_SAMPLES_BASE_URL: https://live.mdnplay.dev | |
# Sign key for code samples | |
BUILD_SAMPLE_SIGN_KEY: ${{ secrets.SAMPLE_SIGN_KEY }} | |
# Now is not the time to worry about flaws. | |
BUILD_FLAW_LEVELS: "*:ignore" | |
# This is the Google Analytics account ID for developer.mozilla.org | |
# If it's used on other domains (e.g. stage or dev builds), it's OK | |
# because ultimately Google Analytics will filter it out since the | |
# origin domain isn't what that account expects. | |
BUILD_GOOGLE_ANALYTICS_ACCOUNT: UA-36116321-5 | |
# This enables the MDN Plus | |
REACT_APP_ENABLE_PLUS: true | |
# This removes the ability to sign in | |
REACT_APP_DISABLE_AUTH: false | |
# The default is to always set no to robots. This deployment is the only | |
# exception in the world where we actually want to welcome robots. | |
BUILD_ALWAYS_ALLOW_ROBOTS: true | |
# Browser-compat data. | |
REACT_APP_BCD_BASE_URL: https://bcd.developer.mozilla.org | |
# Offline updates | |
REACT_APP_UPDATES_BASE_URL: https://updates.developer.mozilla.org | |
# Firefox Accounts and SubPlat settings | |
REACT_APP_FXA_SIGNIN_URL: /users/fxa/login/authenticate/ | |
REACT_APP_FXA_SETTINGS_URL: https://accounts.firefox.com/settings/?brand=mozilla | |
REACT_APP_MDN_PLUS_SUBSCRIBE_URL: https://accounts.firefox.com/subscriptions/products/prod_LKvr8fYGbBxcaZ?brand=mozilla | |
REACT_APP_FXA_MANAGE_SUBSCRIPTIONS_URL: https://subscriptions.firefox.com/subscriptions/?brand=mozilla | |
REACT_APP_MDN_PLUS_5M_PLAN: price_1KeG02JNcmPzuWtR1oBrw8o6 | |
REACT_APP_MDN_PLUS_5Y_PLAN: price_1KeG02JNcmPzuWtRslZijhQu | |
REACT_APP_MDN_PLUS_10M_PLAN: price_1KeG02JNcmPzuWtRuAnIgNHh | |
REACT_APP_MDN_PLUS_10Y_PLAN: price_1KeG02JNcmPzuWtRlrSiLTI6 | |
# Surveys. | |
REACT_APP_SURVEY_START_DISCOVERABILITY_AUG_2023: 1691409600000 # new Date("2023-08-07 12:00:00Z").getTime() | |
REACT_APP_SURVEY_END_DISCOVERABILITY_AUG_2023: 1691841600000 # new Date("2023-08-12 12:00:00Z").getTime() | |
REACT_APP_SURVEY_RATE_FROM_DISCOVERABILITY_AUG_2023: 0.0 | |
REACT_APP_SURVEY_RATE_TILL_DISCOVERABILITY_AUG_2023: 0.10 # 10% | |
# Telemetry. | |
REACT_APP_GLEAN_CHANNEL: prod | |
REACT_APP_GLEAN_ENABLED: true | |
# Newsletter | |
REACT_APP_NEWSLETTER_ENABLED: true | |
# Placement | |
REACT_APP_PLACEMENT_ENABLED: true | |
# Playground | |
REACT_APP_PLAYGROUND_BASE_HOST: mdnplay.dev | |
# Sentry. | |
SENTRY_DSN_BUILD: ${{ secrets.SENTRY_DSN_BUILD }} | |
SENTRY_ENVIRONMENT: prod | |
SENTRY_RELEASE: ${{ github.sha }} | |
# AI Help. | |
REACT_APP_AI_FEEDBACK_GITHUB_REPO: mdn/ai-feedback | |
run: | | |
# Info about which CONTENT_* environment variables were set and to what. | |
echo "CONTENT_ROOT=$CONTENT_ROOT" | |
echo "CONTENT_TRANSLATED_ROOT=$CONTENT_TRANSLATED_ROOT" | |
yarn build:sw | |
yarn build:prepare | |
yarn tool sync-translated-content | |
# Build using one process per locale. | |
# Note: We have 4 cores, but 9 processes is a reasonable number. | |
for locale in en-us es fr ja ko pt-br ru zh-cn zh-tw; do | |
yarn build --locale $locale 2>&1 | sed "s/^/[$locale] /" & | |
pids+=($!) | |
done | |
for pid in "${pids[@]}"; do | |
wait $pid | |
done | |
du -sh client/build | |
# Generate sitemap index file | |
yarn build --sitemap-index | |
# Build the blog | |
yarn build:blog | |
# Build the curriculum | |
yarn build:curriculum | |
# Generate whatsdeployed files. | |
yarn tool whatsdeployed --output client/build/_whatsdeployed/code.json | |
yarn tool whatsdeployed $CONTENT_ROOT --output client/build/_whatsdeployed/content.json | |
yarn tool whatsdeployed $CONTENT_TRANSLATED_ROOT --output client/build/_whatsdeployed/translated-content.json | |
- name: Update search index | |
if: ${{ ! vars.SKIP_BUILD }} | |
env: | |
DEPLOYER_ELASTICSEARCH_URL: ${{ secrets.DEPLOYER_PROD_ELASTICSEARCH_URL }} | |
run: | | |
cd deployer | |
poetry run deployer search-index ../client/build | |
- name: Authenticate with GCP | |
if: ${{ ! vars.SKIP_BUILD }} | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: access_token | |
service_account: deploy-prod-content@${{ secrets.GCP_PROJECT_NAME }}.iam.gserviceaccount.com | |
workload_identity_provider: projects/${{ secrets.WIP_PROJECT_ID }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions | |
- name: Setup gcloud | |
if: ${{ ! vars.SKIP_BUILD }} | |
uses: google-github-actions/setup-gcloud@v2 | |
- name: Sync build | |
if: ${{ ! vars.SKIP_BUILD }} | |
run: |- | |
gsutil -q -m -h "Cache-Control: public, max-age=3600" cp -r client/build/static gs://${{ vars.GCP_BUCKET_NAME }}/main/ | |
gsutil -q -m -h "Cache-Control: public, max-age=3600" rsync -cdrj html,json,txt -y "^static/" client/build gs://${{ vars.GCP_BUCKET_NAME }}/main | |
- name: Authenticate with GCP | |
if: ${{ ! vars.SKIP_FUNCTION }} | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: access_token | |
service_account: deploy-prod-prod-mdn-ingress@${{ secrets.GCP_PROJECT_NAME }}.iam.gserviceaccount.com | |
workload_identity_provider: projects/${{ secrets.WIP_PROJECT_ID }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions | |
- name: Setup gcloud | |
if: ${{ ! vars.SKIP_FUNCTION }} | |
uses: google-github-actions/setup-gcloud@v2 | |
with: | |
install_components: "beta" | |
- name: Generate redirects map | |
if: ${{ ! vars.SKIP_FUNCTION }} | |
working-directory: cloud-function | |
env: | |
CONTENT_ROOT: ${{ github.workspace }}/mdn/content/files | |
CONTENT_TRANSLATED_ROOT: ${{ github.workspace }}/mdn/translated-content/files | |
run: |- | |
npm ci | |
npm run build-redirects | |
- name: Deploy Function | |
if: ${{ ! vars.SKIP_FUNCTION }} | |
run: |- | |
for region in europe-west1 us-west1 asia-east1; do | |
gcloud beta functions deploy mdn-prod-prod-$region \ | |
--gen2 \ | |
--runtime=nodejs18 \ | |
--region=$region \ | |
--source=cloud-function \ | |
--trigger-http \ | |
--allow-unauthenticated \ | |
--entry-point=mdnHandler \ | |
--concurrency=100 \ | |
--min-instances=10 \ | |
--max-instances=1000 \ | |
--memory=2GB \ | |
--timeout=120s \ | |
--set-env-vars="ORIGIN_MAIN=developer.mozilla.org" \ | |
--set-env-vars="ORIGIN_LIVE_SAMPLES=live.mdnplay.dev" \ | |
--set-env-vars="ORIGIN_PLAY=mdnplay.dev" \ | |
--set-env-vars="SOURCE_CONTENT=https://storage.googleapis.com/${{ vars.GCP_BUCKET_NAME }}/main/" \ | |
--set-env-vars="SOURCE_API=https://api.developer.mozilla.org/" \ | |
--set-env-vars="BSA_ENABLED=true" \ | |
--set-env-vars="SENTRY_DSN=${{ secrets.SENTRY_DSN_CLOUD_FUNCTION }}" \ | |
--set-env-vars="SENTRY_ENVIRONMENT=prod" \ | |
--set-env-vars="SENTRY_TRACES_SAMPLE_RATE=${{ vars.SENTRY_TRACES_SAMPLE_RATE }}" \ | |
--set-env-vars="SENTRY_RELEASE=${{ github.sha }}" \ | |
--set-secrets="KEVEL_SITE_ID=projects/${{ secrets.GCP_PROJECT_NAME }}/secrets/prod-kevel-site-id/versions/latest" \ | |
--set-secrets="KEVEL_NETWORK_ID=projects/${{ secrets.GCP_PROJECT_NAME }}/secrets/prod-kevel-network-id/versions/latest" \ | |
--set-secrets="SIGN_SECRET=projects/${{ secrets.GCP_PROJECT_NAME }}/secrets/prod-sign-secret/versions/latest" \ | |
--set-secrets="BSA_ZONE_KEYS=projects/${{ secrets.GCP_PROJECT_NAME }}/secrets/prod-bsa-zone-keys/versions/latest" \ | |
2>&1 | sed "s/^/[$region] /" & | |
pids+=($!) | |
done | |
for pid in "${pids[@]}"; do | |
wait $pid | |
done | |
- name: Update AI Help index with macros | |
run: yarn ai-help-macros update-index | |
env: | |
OPENAI_KEY: ${{ secrets.OPENAI_KEY }} | |
PG_URI: ${{ secrets.PG_URI }} | |
- name: Slack Notification | |
if: failure() | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_CHANNEL: mdn-notifications | |
SLACK_COLOR: ${{ job.status }} | |
SLACK_ICON: https://avatars.slack-edge.com/2020-11-17/1513880588420_fedd7f0e9456888e69ff_96.png | |
SLACK_TITLE: ":rotating_light: Prod :rotating_light:" | |
SLACK_MESSAGE: "Build failed :collision:" | |
SLACK_FOOTER: "Powered by prod-build.yml" | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
- name: Invalidate Google Cloud CDN | |
if: ${{ github.event.inputs.invalidate }} | |
run: gcloud compute url-maps invalidate-cdn-cache ${{ secrets.GCP_LOAD_BALANCER_NAME }} --path "/*" --async |