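---
# Gitea Actions workflow for the k8s-bootstrap Pulumi stack.
#   - pull_request to main -> `preview` job (pulumi preview, no changes applied)
#   - push to main / manual dispatch -> `deploy` job (refresh, up, then copy the
#     resulting kubeconfig into the k8s-infra and k8s-apps stack configs)
#
# Secret handling: every secret is passed to shell steps through `env:` and
# referenced as "$VAR". Interpolating `${{ secrets.* }}` directly into a `run:`
# script pastes the value into the generated script text, where quotes, `$` or
# backticks in the value are interpreted by the shell.
#
# NOTE(review): the actions below are referenced by mutable tag (v4 / v5).
# Pinning each `uses:` to a full commit SHA keeps a retagged release from
# changing what runs with access to these secrets.
name: Deploy k8s Bootstrap

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - 'k8s-bootstrap/**'
      - '.gitea/workflows/deploy-k8s-bootstrap.yaml'
  pull_request:
    branches:
      - main
    paths:
      - 'k8s-bootstrap/**'
      - '.gitea/workflows/deploy-k8s-bootstrap.yaml'

jobs:
  # NOTE(review): this job runs `npm install` and the Pulumi program from the
  # pull-request branch while the stack config and passphrase are available to
  # it. Confirm that only trusted contributors can open PRs that trigger it.
  preview:
    name: Pulumi Preview
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '24'

      - name: Restore Stack Config
        # umask keeps the decoded stack config readable by the runner user only.
        run: |
          umask 077
          printf '%s' "$STACK_CONFIG_B64" | base64 -d > k8s-bootstrap/Pulumi.dev.yaml
        env:
          STACK_CONFIG_B64: ${{ secrets.K8S_BOOTSTRAP_DEV_YAML }}

      - name: Install Dependencies
        # NOTE(review): if a package-lock.json is committed, `npm ci` would
        # install exactly the locked versions - confirm before switching.
        run: npm install
        working-directory: k8s-bootstrap

      - name: Preview
        uses: pulumi/actions@v5
        with:
          command: preview
          stack-name: dev
          work-dir: k8s-bootstrap
          cloud-url: ${{ secrets.PULUMI_BACKEND_URL }}
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}

  deploy:
    name: Bootstrap k3s Cluster
    runs-on: ubuntu-latest
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '24'

      - name: Restore Stack Config
        # umask keeps the decoded stack config readable by the runner user only.
        run: |
          umask 077
          printf '%s' "$STACK_CONFIG_B64" | base64 -d > k8s-bootstrap/Pulumi.dev.yaml
        env:
          STACK_CONFIG_B64: ${{ secrets.K8S_BOOTSTRAP_DEV_YAML }}

      - name: Install Dependencies
        run: npm install
        working-directory: k8s-bootstrap

      - name: Refresh State
        uses: pulumi/actions@v5
        with:
          command: refresh
          stack-name: dev
          work-dir: k8s-bootstrap
          cloud-url: ${{ secrets.PULUMI_BACKEND_URL }}
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}

      - name: Deploy
        uses: pulumi/actions@v5
        with:
          command: up
          stack-name: dev
          work-dir: k8s-bootstrap
          cloud-url: ${{ secrets.PULUMI_BACKEND_URL }}
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}

      # Propagate kubeconfig to the downstream stacks so their next deploy picks it up
      #
      # In both propagate steps the kubeconfig is fed to `pulumi config set` on
      # stdin rather than as an argument, so the plaintext never appears in the
      # process argument list. The shell variable is deliberately not named
      # KUBECONFIG, which Kubernetes tooling treats as a file path.
      #
      # NOTE(review): confirm `--cloud-url` is accepted by `pulumi stack output`
      # and `pulumi config set` in the CLI version in use; PULUMI_BACKEND_URL is
      # exported for these steps as well.
      #
      # NOTE(review): the final `base64 -w 0 Pulumi.dev.yaml` writes the stack
      # config to the job log. The kubeconfig in it is stored with `--secret`
      # (encrypted under the stack passphrase), but any non-secret config values
      # and the ciphertext become readable by everyone with log access.
      - name: Propagate kubeconfig to k8s-infra
        shell: bash
        run: |
          set -euo pipefail
          (umask 077; printf '%s' "$DOWNSTREAM_CONFIG_B64" | base64 -d > k8s-infra/Pulumi.dev.yaml)
          cd k8s-infra && npm install
          kubeconfig_value=$(cd ../k8s-bootstrap && pulumi stack output kubeconfig --show-secrets \
            --cloud-url "$PULUMI_BACKEND_URL" -s dev)
          printf '%s' "$kubeconfig_value" | pulumi config set --secret kubeconfig \
            --cloud-url "$PULUMI_BACKEND_URL" -s dev
          # Re-encode updated config for the secret (update manually in Gitea after first run)
          base64 -w 0 Pulumi.dev.yaml
        working-directory: .
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
          PULUMI_BACKEND_URL: ${{ secrets.PULUMI_BACKEND_URL }}
          DOWNSTREAM_CONFIG_B64: ${{ secrets.K8S_INFRA_DEV_YAML }}

      - name: Propagate kubeconfig to k8s-apps
        shell: bash
        run: |
          set -euo pipefail
          (umask 077; printf '%s' "$DOWNSTREAM_CONFIG_B64" | base64 -d > k8s-apps/Pulumi.dev.yaml)
          cd k8s-apps && npm install
          kubeconfig_value=$(cd ../k8s-bootstrap && pulumi stack output kubeconfig --show-secrets \
            --cloud-url "$PULUMI_BACKEND_URL" -s dev)
          printf '%s' "$kubeconfig_value" | pulumi config set --secret kubeconfig \
            --cloud-url "$PULUMI_BACKEND_URL" -s dev
          base64 -w 0 Pulumi.dev.yaml
        working-directory: .
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
          PULUMI_BACKEND_URL: ${{ secrets.PULUMI_BACKEND_URL }}
          DOWNSTREAM_CONFIG_B64: ${{ secrets.K8S_APPS_DEV_YAML }}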