I am trying to implement a CI/CD pipeline with immutable builds. Everything is deployed to GCR and GCP Cloud Run. The way the pipeline works right now is this:
- When a PR is opened, synchronized, reopened or edited: In the workflow, a docker image is built with the checked out code, tagged with `${{github.sha}}`, then pushed to GCR. Next, the Cloud Run service is deployed with the docker image that was just built and pushed to GCR. It is referenced by `${{github.sha}}`. This is all done in one project, but to the dev target. The trigger for this workflow:

```yaml
on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - edited
    branches:
      - main
```
This works fine, but I am having trouble figuring out how to use the same built image to deploy the service to test and prod. The main problem is the way we merge PRs. When a PR is approved and ready to be merged, we can only use the Rebase and Merge option. Every other option is disabled to make sure the commit history on main is linear and preserved.
I do have workflows for the test and prod targets. The one for prod is not an issue since it is triggered manually. The one for test is empty since I don't know what the best way to implement the explained strategy is.
I have already tried referencing the same image like this in the workflow:
```yaml
on:
  push:
    branches: main
# other steps
      - name: Tag Docker image for test
        run: |
          gcloud container images add-tag \
            gcr.io/${{ env.PROJECT_ID }}/dev-${{ matrix.app }}:$SHORT_SHA \
            gcr.io/${{ env.PROJECT_ID }}/test-${{ matrix.app }}:$SHORT_SHA
```

`$SHORT_SHA` is a custom variable that simply stores the first 7 characters of `${{github.sha}}`.
This does not work, and if I understand correctly it's because when code is checked out in the workflow, it creates a merge commit SHA. Since these are two different workflows, I assume the SHAs are different too, which results in a 404 since there is no container with the tag.
What should I do?
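To make the mismatch described above concrete, here is an added shell reproduction (not from the question): it builds a throwaway git repo, simulates the synthetic merge commit GitHub checks out for a pull_request run, then a rebase-and-merge onto a main that has moved on, and compares the three SHAs a 7-character tag could be derived from. It assumes `git` is installed and stands in for the registry with a single recorded tag.

```shell
# Added example: why a tag cut from github.sha in the pull_request workflow is
# not found by github.sha in the push-to-main workflow after "Rebase and merge".
set -eu

# Fixed identity so the script runs on a machine with no git config.
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }
short() { printf '%.7s' "$1"; }          # same truncation as the poster's $SHORT_SHA

REPO=$(mktemp -d)
cd "$REPO"
g init -q && g checkout -q -b main
echo base > app.txt && g add app.txt && g commit -q -m "base"

# The PR branch: one commit on top of main.
g checkout -q -b feature
echo change > app.txt && g commit -q -am "feature change"
PR_HEAD=$(g rev-parse feature)           # pull_request.head.sha in the event payload

# What the pull_request workflow checks out: a merge of the PR into main
# (refs/pull/N/merge); github.sha is this merge commit, not the PR head.
g checkout -q main
g merge -q --no-ff -m "Merge pull request" feature
PR_MERGE_SHA=$(g rev-parse HEAD)
g reset -q --hard HEAD~1                 # GitHub never advances main for this commit

# Meanwhile another change lands on main; the PR is then rebased and fast-forwarded.
echo other > other.txt && g add other.txt && g commit -q -m "unrelated change"
g checkout -q feature && g rebase -q main
g checkout -q main && g merge -q --ff-only feature
MAIN_SHA=$(g rev-parse HEAD)             # github.sha in the push-to-main workflow

# Simulated registry: the PR workflow pushed exactly one tag.
PUSHED_TAG="dev-app:$(short "$PR_MERGE_SHA")"
LOOKUP_TAG="dev-app:$(short "$MAIN_SHA")"

# Succeeds only if the requested tag is the one that was pushed.
tag_exists() { [ "$1" = "$PUSHED_TAG" ]; }

printf 'PR head       %s\nPR merge sha  %s\nmain after    %s\n' \
  "$(short "$PR_HEAD")" "$(short "$PR_MERGE_SHA")" "$(short "$MAIN_SHA")"
if tag_exists "$LOOKUP_TAG"; then echo "found $LOOKUP_TAG"; else echo "404: $LOOKUP_TAG was never pushed"; fi
```

All three SHAs differ, so any tag keyed on `github.sha` alone cannot link the image built for the PR to the commit that later appears on main.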