# UnitOne AgentGateway - Azure Deployment Workflow
#
# This workflow:
# 1. Runs local tests on push/PR (no Azure required)
# 2. Builds and deploys to Azure Container Apps (requires secrets)
#
# Required GitHub Secrets (for deployment):
# - AZURE_CREDENTIALS: Azure service principal credentials (JSON)
# - ACR_NAME: Your Azure Container Registry name (e.g., myacr)
# - RESOURCE_GROUP: Your Azure resource group name
# - CONTAINER_APP_NAME: Your Container App name
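name: CI/CD

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:
    inputs:
      environment:
        description: 'Environment to deploy to'
        required: true
        default: 'dev'
        type: choice
        options:
          - dev
          - staging
          - prod

# Least privilege for GITHUB_TOKEN: both jobs only read the repository.
# Azure access comes from the AZURE_CREDENTIALS secret, not from this token.
permissions:
  contents: read

# NOTE(review): actions below are referenced by mutable tags (@v4, @v1).
# Pinning each one to a full commit SHA keeps a retagged release from changing
# the code that runs in the job holding the Azure credentials.

jobs:
  # Basic validation - always runs, no secrets needed
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository with submodules
        uses: actions/checkout@v4
        with:
          submodules: 'recursive'
          # No later step uses git, so do not leave the token in .git/config.
          persist-credentials: false

      - name: Validate Dockerfile
        run: |
          echo "Checking Dockerfile.acr exists..."
          test -f Dockerfile.acr
          echo "✓ Dockerfile.acr found"

      - name: Validate config files
        run: |
          echo "Checking config files..."
          test -f azure-config.yaml
          echo "✓ azure-config.yaml found"
          test -f terraform/main.tf
          echo "✓ terraform/main.tf found"

      - name: Check submodule
        run: |
          echo "Checking agentgateway submodule..."
          test -f agentgateway/Cargo.toml
          echo "✓ Submodule initialized correctly"

  # Azure deployment - every step after the first is skipped unless the
  # deployment secrets are configured
  build-and-deploy:
    runs-on: ubuntu-latest
    needs: [validate]
    # Only run on push to main or workflow_dispatch. Whether the secrets exist
    # is decided by the check-secrets step, not by this condition.
    if: |
      (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
      github.event_name == 'workflow_dispatch'
    steps:
      - name: Check if Azure secrets are configured
        id: check-secrets
        # Secrets are handed to the shell as environment variables instead of
        # being expanded into the script text. AZURE_CREDENTIALS is JSON, so
        # pasting it inside a double-quoted shell word breaks the quoting and
        # makes the test fail, which would silently skip the deployment.
        env:
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
          ACR_NAME: ${{ secrets.ACR_NAME }}
          RESOURCE_GROUP: ${{ secrets.RESOURCE_GROUP }}
          CONTAINER_APP_NAME: ${{ secrets.CONTAINER_APP_NAME }}
        run: |
          # All four secrets are required by the later steps, so all four are
          # checked here, matching the list printed below.
          if [ -n "$AZURE_CREDENTIALS" ] && [ -n "$ACR_NAME" ] &&
             [ -n "$RESOURCE_GROUP" ] && [ -n "$CONTAINER_APP_NAME" ]; then
            echo "has_secrets=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_secrets=false" >> "$GITHUB_OUTPUT"
            echo "⚠️ Azure secrets not configured - skipping deployment"
            echo "To enable deployment, configure these repository secrets:"
            echo " - AZURE_CREDENTIALS"
            echo " - ACR_NAME"
            echo " - RESOURCE_GROUP"
            echo " - CONTAINER_APP_NAME"
          fi

      - name: Checkout repository with submodules
        if: steps.check-secrets.outputs.has_secrets == 'true'
        uses: actions/checkout@v4
        with:
          submodules: 'recursive'
          fetch-depth: 0
          # The working tree is uploaded as the `az acr build` context below.
          # Dropping the token keeps it out of .git/config in that upload
          # (unless .git is already excluded by a .dockerignore).
          persist-credentials: false

      - name: Determine environment and tag
        if: steps.check-secrets.outputs.has_secrets == 'true'
        id: config
        env:
          DEPLOY_ENV: ${{ inputs.environment }}
        run: |
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            ENV="$DEPLOY_ENV"
          else
            ENV="dev"
          fi
          # Re-check the value against the declared options before it is
          # written to the step outputs.
          case "$ENV" in
            dev|staging|prod) ;;
            *)
              echo "Unsupported environment: $ENV" >&2
              exit 1
              ;;
          esac
          TAG="$GITHUB_SHA"
          SHORT_SHA="${TAG:0:7}"
          {
            echo "environment=${ENV}"
            echo "tag=${TAG}"
            echo "short_sha=${SHORT_SHA}"
          } >> "$GITHUB_OUTPUT"
        # NOTE(review): no later step in this workflow reads the `environment`
        # output; every run updates the same Container App. Confirm that
        # choosing staging or prod is meant to have no effect here.

      - name: Azure Login
        if: steps.check-secrets.outputs.has_secrets == 'true'
        # NOTE(review): `creds` is a long-lived service principal secret.
        # azure/login also supports OIDC federated credentials, which removes
        # the stored secret; that needs `id-token: write` on this job.
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Build and push Docker image to ACR
        if: steps.check-secrets.outputs.has_secrets == 'true'
        env:
          ACR_NAME: ${{ secrets.ACR_NAME }}
          SHORT_SHA: ${{ steps.config.outputs.short_sha }}
        run: |
          az acr build \
            --registry "$ACR_NAME" \
            --image "unitone-agentgateway:${SHORT_SHA}" \
            --image unitone-agentgateway:latest \
            --file Dockerfile.acr \
            --platform linux/amd64 \
            .

      - name: Deploy to Azure Container App
        if: steps.check-secrets.outputs.has_secrets == 'true'
        env:
          ACR_NAME: ${{ secrets.ACR_NAME }}
          CONTAINER_APP_NAME: ${{ secrets.CONTAINER_APP_NAME }}
          RESOURCE_GROUP: ${{ secrets.RESOURCE_GROUP }}
          SHORT_SHA: ${{ steps.config.outputs.short_sha }}
        run: |
          # Deploys the commit-specific tag, not `latest`, so the running
          # revision is traceable to one build.
          az containerapp update \
            --name "$CONTAINER_APP_NAME" \
            --resource-group "$RESOURCE_GROUP" \
            --image "${ACR_NAME}.azurecr.io/unitone-agentgateway:${SHORT_SHA}"

      - name: Verify deployment
        if: steps.check-secrets.outputs.has_secrets == 'true'
        env:
          CONTAINER_APP_NAME: ${{ secrets.CONTAINER_APP_NAME }}
          RESOURCE_GROUP: ${{ secrets.RESOURCE_GROUP }}
        run: |
          # Fixed wait before polling once; a slow rollout fails this check.
          sleep 30
          STATUS=$(az containerapp show \
            --name "$CONTAINER_APP_NAME" \
            --resource-group "$RESOURCE_GROUP" \
            --query properties.runningStatus \
            -o tsv)
          if [ "$STATUS" != "Running" ]; then
            echo "Deployment failed: status is $STATUS"
            exit 1
          fi
          URL=$(az containerapp show \
            --name "$CONTAINER_APP_NAME" \
            --resource-group "$RESOURCE_GROUP" \
            --query properties.configuration.ingress.fqdn \
            -o tsv)
          echo "Deployment successful!"
          echo "UI URL: https://${URL}/ui"
          echo "MCP Endpoint: https://${URL}/mcp"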