Update existing GHA workflow & add the new workflows to the readme (#236

) * update this workflow * on * fix echo --------- Co-authored-by: nate nowack <[email protected]>
PrefectHQ · Jul 11, 2023 · 252409f · 252409f
1 parent 0003394
commit 252409f
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 26 deletions.
diff --git a/README.md b/README.md
@@ -178,11 +178,13 @@ What are you interested in seeing examples of? [Jot down your big idea here.](ht
 - [How to use Kubernetes with Prefect: Part 3](https://medium.com/the-prefect-blog/how-to-use-kubernetes-with-prefect-part-3-e2223ce34ba7)
 
 #### Github Actions
-- [Build flow image and Prefect deployment with storage and infra Blocks on push to branch](./devops/github-actions/general-docker-deploy.yaml)
-- [Build and Push flow docker image to Google Artifact Registry](./devops/github-actions/docker-build-push-gcp-artifact-registry.yaml)
-- [Build / Apply prefect deployment with blocks on change to python files](./devops/github-actions/minimal-prefect-deployment-build.yaml)
 - [Automate Prefect Deployments to AWS ECS Fargate Using GitHub Actions](https://github.com/anna-geller/dataflow-ops)
 - [Automate Python-Based Deployments with GitHub Actions](https://github.com/radbrt/orion_flows)
+- [Build / Apply prefect deployment with blocks on change to python files](./devops/github-actions/minimal-prefect-deployment-build.yaml)
+- [Build and Push flow docker image to Google Artifact Registry](./devops/github-actions/docker-build-push-gcp-artifact-registry.yaml)
+- [Build flow image and Prefect deployment with storage and infra Blocks on push to branch](./devops/github-actions/general-docker-deploy.yaml)
+- [Conditionally deploy Prefect flow(s) only when flow-related files have changed](./devops/github-actions/prefect-deploy-only-when-files-change-no-docker-build.yaml)
+- [Conditionally build a docker image & deploy Prefect flow(s) only when flow-related files have changed](./devops/github-actions/prefect-deploy-only-when-files-change-including-docker-build.yaml)
 
 #### Django
 - [Using Django with Prefect 2](https://github.com/abrookins/django-prefect-example)

diff --git a/devops/github-actions/docker-build-push-gcp-artifact-registry.yaml b/devops/github-actions/docker-build-push-gcp-artifact-registry.yaml
@@ -1,49 +1,53 @@
-name: "Docker build / push a flow image to Google Artifact Registry"
-on:
-  workflow_dispatch: # build new image manually
+name: Docker build / push a flow image to Google Artifact Registry
+"on":
+  workflow_dispatch: {} # build new image manually
   push: # or automatically build upon change to Dockerfile / dependencies
     branches:
-      - "main"
+      - main
     paths:
-      - "Dockerfile"
-      - "requirements.txt"
+      - Dockerfile
+      - requirements.txt
+
+# Do not grant jobs any permissions by default
+permissions: {}
 
 env:
   FLOW_IMAGE: us-docker.pkg.dev/my_gcp_project/my_repo_name/my_image_name:latest
 
-
 jobs:
-  build-docker-images:
+  build_docker_images:
     runs-on: ubuntu-latest
+    permissions:
+      # required to read from the repo
+      contents: read
+      # required to obtain Google Cloud service account credentials
+      id-token: write
+
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v3
 
       # Change the path `./Dockerfile` as needed!
       - name: Build the Docker image
         run: |
           docker build . --tag ${{ env.FLOW_IMAGE }} -f ./Dockerfile
 
-      # Generate a temporary access token from your service account's credentials
-      - id: 'auth'
-        name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/[email protected]'
+      # Generate a temporary access token from your service accounts credentials
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/[email protected]
         with:
           # This service account must have the IAM permissions to push to
-          # Google Artifact Registry and generate an access token 
-          credentials_json: '${{ secrets.PREFECT_GCP_SERVICE_ACCT_CREDENTIALS }}'
-          token_format: 'access_token'
+          # Google Artifact Registry
+          workload_identity_provider: GCP_WORKLOAD_IDENTITY
+          service_account: GCP_SERVICE_ACCOUNT
 
       # log into Google Artifact Registry with the temporary access token
-      - uses: 'docker/login-action@v1'
-        name: 'Docker login'
-        with:
-          registry: 'us-docker.pkg.dev'
-          username: 'oauth2accesstoken'
-          password: '${{ steps.auth.outputs.access_token }}'
+      - name: Configure Google Cloud credential helper
+        run: gcloud auth configure-docker --quiet us-docker.pkg.dev
 
       - name: Push to container registry
         run: |
           docker push ${{ env.FLOW_IMAGE }}
 
       - name: Output Success
-        run: echo "Successfully built and pushed ${{ env.FLOW_IMAGE }} :rocket:" >> $GITHUB_STEP_SUMMARY
+        run: echo "Successfully built and pushed ${{ env.FLOW_IMAGE }} :rocket:" >> $GITHUB_STEP_SUMMARY