Initial production deploy

.github/workflows/CD_production.yml

@@ -0,0 +1,94 @@
+name: CD (Staging)
+
+on:
+  push:
+    branches: [production]
+
+permissions:
+  contents: write
+
+jobs:
+    staging-deploy:
+
+        runs-on: ubuntu-latest
+        environment: production
+
+        steps:
+        - name: Check out source repository
+          uses: actions/checkout@v4
+          with:
+            fetch-depth: 0
+
+        - name: Install uv in container
+          uses: astral-sh/setup-uv@v6
+          with:
+            version: "latest"
+
+        - name: Generate requirements.txt
+          run: |
+            uv export -o requirements.txt
+
+        - name: Authenticate to Google Cloud
+          uses: 'google-github-actions/auth@v2'
+          with:
+            credentials_json: ${{ secrets.CLOUD_DEPLOY_SERVICE_ACCOUNT_KEY }}
+
+        # Uses Google Cloud Secret Manager to store secret credentials
+        - name: Create app.yaml
+          run: |
+            echo "service: ocotillo-api" > app.yaml
+            echo "runtime: python313" >> app.yaml
+            echo "entrypoint: gunicorn -w 4 -k uvicorn.workers.UvicornWorker main:app" >> app.yaml
+            echo "instance_class: F4" >> app.yaml
+            echo "inbound_services:" >> app.yaml
+            echo "  - warmup" >> app.yaml
+            echo "automatic_scaling:" >> app.yaml
+            echo "  min_instances: 0" >> app.yaml
+            echo "  max_instances: 10" >> app.yaml
+            echo "" >> app.yaml
+            echo "env_variables:" >> app.yaml
+            echo "  MODE: \"production\"" >> app.yaml
+            echo "  DB_DRIVER: \"cloudsql\"" >> app.yaml
+            echo "  CLOUD_SQL_INSTANCE_NAME: \"${{ secrets.CLOUD_SQL_INSTANCE_NAME }}\"" >> app.yaml
+            echo "  CLOUD_SQL_DATABASE: \"${{ vars.CLOUD_SQL_DATABASE }}\"" >> app.yaml
+            echo "  CLOUD_SQL_USER: \"${{ secrets.CLOUD_SQL_USER }}\"" >> app.yaml
+            echo "  CLOUD_SQL_PASSWORD: \"${{ secrets.CLOUD_SQL_PASSWORD }}\"" >> app.yaml
+            echo "  GCS_SERVICE_ACCOUNT_KEY: \"${{ secrets.GCS_SERVICE_ACCOUNT_KEY }}\"" >> app.yaml
+            echo "  GCS_BUCKET_NAME: \"${{vars.GCS_BUCKET_NAME}}\"" >> app.yaml
+            echo "  AUTHENTIK_URL: \"${{vars.AUTHENTIK_URL}}\"" >> app.yaml
+            echo "  AUTHENTIK_CLIENT_ID: \"${{vars.AUTHENTIK_CLIENT_ID}}\"" >> app.yaml
+            echo "  AUTHENTIK_AUTHORIZE_URL: \"${{vars.AUTHENTIK_AUTHORIZE_URL}}\"" >> app.yaml
+            echo "  AUTHENTIK_TOKEN_URL: \"${{vars.AUTHENTIK_TOKEN_URL}}\"" >> app.yaml
+
+
+        - name: Deploy to Google Cloud
+          run: |
+            gcloud app deploy app.yaml --quiet --project ${{ vars.GCP_PROJECT_ID }}
+
+        # Clean up old versions - delete only the oldest version, one created and one destroyed
+        - name: Clean up oldest version
+          run: |
+            OLDEST_VERSION=$(gcloud app versions list --service=ocotillo-api --project=${{ vars.GCP_PROJECT_ID}} --format="value(id)" --sort-by="version.createTime" | head -n 1)
+            if [ ! -z "$OLDEST_VERSION" ]; then
+              echo "Deleting oldest version: $OLDEST_VERSION"
+              gcloud app versions delete $OLDEST_VERSION --service=ocotillo-api --project=${{ vars.GCP_PROJECT_ID }} --quiet
+              echo "Deleted oldest version: $OLDEST_VERSION"
+            else
+              echo "No versions to delete"
+            fi
+
+        - name: Remove app.yaml
+          run: |
+            rm app.yaml
+
+        # Use PR author's username as git user name
+        - name: Set up git user
+          run: |
+            git config --global user.name "${{ github.actor }}"
+            git config --global user.email "${{ github.actor }}@users.noreply.github.com"
+
+        # ":" are not alloed in git tags, so replace with "-"
+        - name: Tag commit
+          run: |
+            git tag -a "production-deploy-$(date -u +%Y-%m-%d)T$(date -u +%H-%M-%S%z)" -m "staging gcloud deployment: $(date -u +%Y-%m-%d)T$(date -u +%H:%M:%S%z)"
+            git push origin --tags

.github/workflows/staging_deploy.yml → .github/workflows/CD_staging.yml

@@ -2,7 +2,7 @@ name: CD (Staging)
 
 on:
   push:
-    branches: [pre-production]
+    branches: [staging]
 
 permissions:
   contents: write
@@ -50,28 +50,28 @@ jobs:
             echo "  MODE: \"production\"" >> app.yaml
             echo "  DB_DRIVER: \"cloudsql\"" >> app.yaml
             echo "  CLOUD_SQL_INSTANCE_NAME: \"${{ secrets.CLOUD_SQL_INSTANCE_NAME }}\"" >> app.yaml
-            echo "  CLOUD_SQL_DATABASE: \"${{ secrets.CLOUD_SQL_DATABASE }}\"" >> app.yaml
+            echo "  CLOUD_SQL_DATABASE: \"${{ vars.CLOUD_SQL_DATABASE }}\"" >> app.yaml
             echo "  CLOUD_SQL_USER: \"${{ secrets.CLOUD_SQL_USER }}\"" >> app.yaml
             echo "  CLOUD_SQL_PASSWORD: \"${{ secrets.CLOUD_SQL_PASSWORD }}\"" >> app.yaml
             echo "  GCS_SERVICE_ACCOUNT_KEY: \"${{ secrets.GCS_SERVICE_ACCOUNT_KEY }}\"" >> app.yaml
-            echo "  GCS_BUCKET_NAME: \"${{secrets.GCS_BUCKET_NAME}}\"" >> app.yaml
-            echo "  AUTHENTIK_URL: \"${{secrets.AUTHENTIK_URL}}\"" >> app.yaml
-            echo "  AUTHENTIK_CLIENT_ID: \"${{secrets.AUTHENTIK_CLIENT_ID}}\"" >> app.yaml
-            echo "  AUTHENTIK_AUTHORIZE_URL: \"${{secrets.AUTHENTIK_AUTHORIZE_URL}}\"" >> app.yaml
-            echo "  AUTHENTIK_TOKEN_URL: \"${{secrets.AUTHENTIK_TOKEN_URL}}\"" >> app.yaml
+            echo "  GCS_BUCKET_NAME: \"${{vars.GCS_BUCKET_NAME}}\"" >> app.yaml
+            echo "  AUTHENTIK_URL: \"${{vars.AUTHENTIK_URL}}\"" >> app.yaml
+            echo "  AUTHENTIK_CLIENT_ID: \"${{vars.AUTHENTIK_CLIENT_ID}}\"" >> app.yaml
+            echo "  AUTHENTIK_AUTHORIZE_URL: \"${{vars.AUTHENTIK_AUTHORIZE_URL}}\"" >> app.yaml
+            echo "  AUTHENTIK_TOKEN_URL: \"${{vars.AUTHENTIK_TOKEN_URL}}\"" >> app.yaml
 
 
         - name: Deploy to Google Cloud
           run: |
-            gcloud app deploy app.yaml --quiet --project ${{ secrets.GCP_PROJECT_ID }}
+            gcloud app deploy app.yaml --quiet --project ${{ vars.GCP_PROJECT_ID }}
 
         # Clean up old versions - delete only the oldest version, one created and one destroyed
         - name: Clean up oldest version
           run: |
-            OLDEST_VERSION=$(gcloud app versions list --service=ocotillo-api-staging --project=${{ secrets.GCP_PROJECT_ID}} --format="value(id)" --sort-by="version.createTime" | head -n 1)
+            OLDEST_VERSION=$(gcloud app versions list --service=ocotillo-api-staging --project=${{ vars.GCP_PROJECT_ID}} --format="value(id)" --sort-by="version.createTime" | head -n 1)
             if [ ! -z "$OLDEST_VERSION" ]; then
               echo "Deleting oldest version: $OLDEST_VERSION"
-              gcloud app versions delete $OLDEST_VERSION --service=ocotillo-api-staging --project=${{ secrets.GCP_PROJECT_ID }} --quiet
+              gcloud app versions delete $OLDEST_VERSION --service=ocotillo-api-staging --project=${{ vars.GCP_PROJECT_ID }} --quiet
               echo "Deleted oldest version: $OLDEST_VERSION"
             else
               echo "No versions to delete"

.github/workflows/tests.yml

@@ -5,7 +5,7 @@ name: Tests
 
 on:
   pull_request:
-    branches: [ "main",'pre-production']
+    branches: [ "main",'pre-production', 'transfer']
 
 permissions:
   contents: read

Procfile

@@ -0,0 +1 @@
+web: gunicorn -b :8080 transfers.entrypoint:app -k uvicorn.workers.UvicornWorker

main.py

@@ -1,6 +1,8 @@
 import os
 import sentry_sdk
 from dotenv import load_dotenv
+from starlette.middleware.base import BaseHTTPMiddleware
+from uvicorn.middleware.proxy_headers import ProxyHeadersMiddleware
 
 load_dotenv()
 

pyproject.toml

@@ -65,7 +65,7 @@ dependencies = [
     "propcache==0.3.2",
     "proto-plus==1.26.1",
     "protobuf==6.32.0",
-    "psycopg2==2.9.10",
+    "psycopg2-binary>=2.9.10",
     "pyasn1==0.6.1",
     "pyasn1-modules==0.4.2",
     "pycparser==2.22",