This document details the GitHub Actions workflow for automating releases, versioning, and deployments using secrets retrieved from HashiCorp Vault. The workflow is triggered on pushes to specific branches and handles changelog generation, GitHub release creation, and deployment to the environment that matches the branch.

The workflow is activated on pushes to the following branches:

- `main`
- `releases/prod/*` (production environment)
- `releases/qa/*` (QA environment)
- **Generate Changelog**
  - Uses: `TriPSs/conventional-changelog-action@v5`
  - Inputs:
    - `github-token: ${{ secrets.GITHUB_TOKEN }}`
  - Generates a changelog from commits that follow the Conventional Commits format, bumps the version, and exposes the new tag and the cleaned changelog as step outputs (`tag`, `clean_changelog`) for the release step.
- **Create Release**
  - Uses: `actions/create-release@v1`
  - Runs only if the changelog generation succeeded (and produced a new tag).
  - Inputs:
    - `tag_name: ${{ steps.changelog.outputs.tag }}`
    - `release_name: ${{ steps.changelog.outputs.tag }}`
    - `body: ${{ steps.changelog.outputs.clean_changelog }}`
  - Creates a GitHub release for the new tag. The action reads `GITHUB_TOKEN` from the step's `env`, so that must be set as well as the inputs above. Note that `actions/create-release` is archived and no longer maintained; it still works, but plan to move to a maintained replacement.
- **Retrieve Secrets from Vault**
  - Uses: `hashicorp/vault-action@v2`
  - Runs only if a release was created.
  - Inputs:
    - `url: ${{ secrets.VAULT_ADDR }}`
    - `method: "token"`
    - `token: ${{ secrets.VAULT_TOKEN }}`
    - `secrets:` a list of Vault paths to read, including the Docker Hub credentials and the per-environment deployment hook URLs.
  - Each retrieved value is exported as an environment variable (and as a step output) and is registered as a masked secret so it is redacted in the job log.
- **Use the Retrieved Secrets**
  - Runs a script to confirm that the Docker username and password were retrieved. Because the values are masked, a plain `echo` prints `***` rather than the secret, but echoing secrets is still a bad habit: masking is a literal string match and does not protect transformed or partial values. Check that the variables are non-empty instead of printing them.
- **Log in to Docker Hub (if needed)**
  - Logs in with the retrieved Docker credentials via the Docker CLI. Pass the password on stdin (`--password-stdin`) rather than as a command-line argument so it does not appear in the process list.
- **Trigger Deployment**
  - Uses cURL to POST to the deployment hook that matches the branch.
  - Conditions:
    - `main` branch: uses `MAIN_DEPLOY_HOOK`.
    - `releases/qa/*` branch: uses `QA_DEPLOY_HOOK`.
    - `releases/prod/*` branch: uses `PROD_DEPLOY_HOOK`.
  - The hook URLs are secrets (they usually authorise the deployment on their own), so they are read from Vault and passed to the script through the environment, not interpolated into the command line.
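The steps above wired together as one workflow file. This is an added example written for this page, not the project's own workflow: the Vault KV paths and key names under `secrets:` are assumed, the "changelog was successful" condition is implemented with the action's `skipped` output, and the Docker login is done with the CLI and `--password-stdin`. The `id-token: write` permission is only needed if Vault auth is switched from `token` to the `jwt` (GitHub OIDC) method.

```yaml
name: Release and deploy

on:
  push:
    branches:
      - main
      - 'releases/prod/*'
      - 'releases/qa/*'

permissions:
  contents: write   # the changelog action pushes a tag and create-release needs it too
  id-token: write   # only required if Vault auth is changed to method: jwt (OIDC)

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the changelog covers everything since the last tag

      - name: Generate changelog
        id: changelog
        uses: TriPSs/conventional-changelog-action@v5
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Create release
        id: release
        # 'skipped' is 'true' when no qualifying commits produced a version bump
        if: steps.changelog.outputs.skipped == 'false'
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.changelog.outputs.tag }}
          release_name: ${{ steps.changelog.outputs.tag }}
          body: ${{ steps.changelog.outputs.clean_changelog }}

      - name: Retrieve secrets from Vault
        id: vault
        if: steps.release.outcome == 'success'
        uses: hashicorp/vault-action@v2
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: token
          token: ${{ secrets.VAULT_TOKEN }}
          # Assumed KV v2 layout: "<path> <key> | <ENV_NAME>" per line.
          secrets: |
            secret/data/ci/docker username  | DOCKER_USERNAME ;
            secret/data/ci/docker password  | DOCKER_PASSWORD ;
            secret/data/ci/deploy main_hook | MAIN_DEPLOY_HOOK ;
            secret/data/ci/deploy qa_hook   | QA_DEPLOY_HOOK ;
            secret/data/ci/deploy prod_hook | PROD_DEPLOY_HOOK

      - name: Verify secrets were retrieved (without printing them)
        if: steps.vault.outcome == 'success'
        run: |
          # Values arrive as masked env vars; check presence only, never echo them.
          for v in DOCKER_USERNAME DOCKER_PASSWORD; do
            [ -n "${!v}" ] || { echo "::error::$v is empty"; exit 1; }
          done
          echo "Docker credentials present (username length ${#DOCKER_USERNAME})"

      - name: Log in to Docker Hub
        if: steps.vault.outcome == 'success'
        run: printf '%s' "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin

      - name: Trigger deployment
        if: steps.vault.outcome == 'success'
        run: |
          # Map the pushed branch to its hook; fail rather than POST to an empty URL.
          case "$GITHUB_REF" in
            refs/heads/main)            hook="$MAIN_DEPLOY_HOOK" ;;
            refs/heads/releases/qa/*)   hook="$QA_DEPLOY_HOOK" ;;
            refs/heads/releases/prod/*) hook="$PROD_DEPLOY_HOOK" ;;
            *) echo "::error::no deploy hook mapped for $GITHUB_REF"; exit 1 ;;
          esac
          [ -n "$hook" ] || { echo "::error::deploy hook for $GITHUB_REF is empty"; exit 1; }
          curl --fail --silent --show-error -X POST "$hook"
```

The explicit `if:` on every step after the release matters: a step's default condition is `success()`, which is still true when an earlier step was merely skipped, so without it the Vault and deploy steps would run even when no release was created.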
- Conventional Commits: The changelog step relies on commit messages following the Conventional Commits format; commits that do not follow it are not picked up when the changelog and version bump are computed.
- Vault Integration: Secrets are retrieved from HashiCorp Vault at run time instead of being stored one by one in GitHub Secrets. Ensure `VAULT_ADDR` and `VAULT_TOKEN` are set in GitHub Secrets, scope the token to a policy that can read only the paths the workflow lists, and give it a short TTL. `hashicorp/vault-action` also supports `method: jwt` with GitHub's OIDC provider, which removes the long-lived Vault token from GitHub Secrets altogether.
- Deployment: Deployment hooks are triggered based on the branch. Each environment (main, QA, prod) has its own hook URL, stored in Vault and handled as a secret.
- Failed Changelog: Check that commits follow the Conventional Commits format.
- Vault Access Issues: Verify the Vault URL and token, and that the token's policy grants read access to every path listed under `secrets`.