app-formbricks/.github/workflows/deploy-formbricks-cloud.yml at main · code/app-formbricks · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
name: Formbricks Cloud Deployment

on:
  workflow_dispatch:
    inputs:
      VERSION:
        description: "The version of the Docker image to release (clean SemVer, e.g., 1.2.3)"
        required: true
        type: string
      REPOSITORY:
        description: "The repository to use for the Docker image"
        required: false
        type: string
        default: "ghcr.io/formbricks/formbricks"
      ENVIRONMENT:
        description: "The environment to deploy to"
        required: true
        type: choice
        options:
          - staging
          - production
  workflow_call:
    inputs:
      VERSION:
        description: "The version of the Docker image to release"
        required: true
        type: string
      REPOSITORY:
        description: "The repository to use for the Docker image"
        required: false
        type: string
        default: "ghcr.io/formbricks/formbricks"
      ENVIRONMENT:
        description: "The environment to deploy to"
        required: true
        type: string

permissions:
  id-token: write
  contents: read

jobs:
  helmfile-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Tailscale
        uses: tailscale/github-action@84a3f23bb4d843bcf4da6cf824ec1be473daf4de # v3.2.3
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:github
          args: --accept-routes

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@f24d7193d98baebaeacc7e2227925dd47cc267f5 # v4.2.0
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          aws-region: "eu-central-1"

      - name: Setup Cluster Access
        run: |
          aws eks update-kubeconfig --name formbricks-prod-eks --region eu-central-1
        env:
          AWS_REGION: eu-central-1

      - uses: helmfile/helmfile-action@712000e3d4e28c72778ecc53857746082f555ef3 # v2.0.4
        name: Deploy Formbricks Cloud Production
        if: inputs.ENVIRONMENT == 'production'
        env:
          VERSION: ${{ inputs.VERSION }}
          REPOSITORY: ${{ inputs.REPOSITORY }}
          FORMBRICKS_S3_BUCKET: ${{ secrets.FORMBRICKS_S3_BUCKET }}
          FORMBRICKS_INGRESS_CERT_ARN: ${{ secrets.FORMBRICKS_INGRESS_CERT_ARN }}
          FORMBRICKS_ROLE_ARN: ${{ secrets.FORMBRICKS_ROLE_ARN }}
        with:
          helmfile-version: "v1.0.0"
          helm-plugins: >
            https://github.com/databus23/helm-diff,
            https://github.com/jkroepke/helm-secrets
          helmfile-args: apply -l environment=prod
          helmfile-auto-init: "false"
          helmfile-workdirectory: infra/formbricks-cloud-helm

      - uses: helmfile/helmfile-action@712000e3d4e28c72778ecc53857746082f555ef3 # v2.0.4
        name: Deploy Formbricks Cloud Staging
        if: inputs.ENVIRONMENT == 'staging'
        env:
          VERSION: ${{ inputs.VERSION }}
          REPOSITORY: ${{ inputs.REPOSITORY }}
          FORMBRICKS_INGRESS_CERT_ARN: ${{ secrets.STAGE_FORMBRICKS_INGRESS_CERT_ARN }}
          FORMBRICKS_ROLE_ARN: ${{ secrets.STAGE_FORMBRICKS_ROLE_ARN }}
        with:
          helmfile-version: "v1.0.0"
          helm-plugins: >
            https://github.com/databus23/helm-diff,
            https://github.com/jkroepke/helm-secrets
          helmfile-args: apply -l environment=stage
          helmfile-auto-init: "false"
          helmfile-workdirectory: infra/formbricks-cloud-helm

      - name: Purge Cloudflare Cache
        if: ${{ inputs.ENVIRONMENT == 'production' || inputs.ENVIRONMENT == 'staging' }}
        env:
          CF_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
          CF_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          ENVIRONMENT: ${{ inputs.ENVIRONMENT }}
        run: |
          # Set hostname based on environment
          if [[ "$ENVIRONMENT" == "production" ]]; then
            PURGE_HOST="app.formbricks.com"
          else
            PURGE_HOST="stage.app.formbricks.com"
          fi

          echo "Purging Cloudflare cache for host: $PURGE_HOST (environment: $ENVIRONMENT, zone: $CF_ZONE_ID)"

          # Prepare JSON payload for selective cache purge
          json_payload=$(cat << EOF
          {
            "hosts": ["$PURGE_HOST"]
          }
          EOF
          )

          # Make API call to Cloudflare
          response=$(curl -s -X POST \
            "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/purge_cache" \
            -H "Authorization: Bearer $CF_API_TOKEN" \
            -H "Content-Type: application/json" \
            --data "$json_payload")

          echo "Cloudflare API response: $response"

          # Verify the operation was successful
          if [[ "$(echo "$response" | jq -r .success)" == "true" ]]; then
            echo "✅ Successfully purged cache for $PURGE_HOST"
          else
            echo "❌ Cloudflare cache purge failed"
            echo "Error details: $(echo "$response" | jq -r .errors)"
            exit 1
          fi