167 changes: 0 additions & 167 deletions .github/workflows/deploy.yml

This file was deleted.

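--- /dev/null
+++ b/.github/workflows/teams-kernel-workflows-bootstrap-team.yml
@@ -0,0 +1,105 @@
+name: Bootstrap Team Infrastructure (Reusable)
+
+on:
+workflow_call:
+inputs:
+team-name:
+required: true
+type: string
+description: 'Team name (kernel, people, things)'
+secrets:
+GCP_WORKLOAD_IDENTITY_PROVIDER:
+required: true
+GCP_SERVICE_ACCOUNT_EMAIL:
+required: true
+OWNER_ACCOUNT_EMAIL:
+required: true
+GCP_ORGANIZATION_ID:
+required: true
+GCP_BILLING_ACCOUNT_ID:
+required: true
+DOMAIN_NAME:
+required: true
+GITHUB_USERNAME:
+required: true
+NEON_API_KEY:
+required: true
+NEON_PROJECT_LOCATION:
+required: true
+MONGODB_ATLAS_ORG_ID:
+required: true
+MONGODB_ATLAS_PUBLIC_KEY:
+required: true
+MONGODB_ATLAS_PRIVATE_KEY:
+required: true
+NX_CLOUD_ACCESS_TOKEN_READ_WRITE:
+required: true
+NX_CLOUD_ACCESS_TOKEN_READ:
+required: true
+
+jobs:
+bootstrap:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+id-token: write
+
+steps:
+- name: Checkout code
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+- name: Authenticate to Google Cloud
+id: auth
+uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2.1.13
+with:
+workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+service_account: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
+
+- name: Set up Cloud SDK
+uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2.2.1
+
+- name: Install gh CLI
+run: |
+type -p curl >/dev/null || (sudo apt update && sudo apt install curl -y)
+curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+&& sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+&& sudo apt update \
+&& sudo apt install gh -y
+
+- name: Run bootstrap script for ${{ inputs.team-name }}
+env:
+OWNER_ACCOUNT_EMAIL: ${{ secrets.OWNER_ACCOUNT_EMAIL }}
+GCP_ORGANIZATION_ID: ${{ secrets.GCP_ORGANIZATION_ID }}
+GCP_BILLING_ACCOUNT_ID: ${{ secrets.GCP_BILLING_ACCOUNT_ID }}
+DOMAIN_NAME: ${{ secrets.DOMAIN_NAME }}
+GITHUB_USERNAME: ${{ secrets.GITHUB_USERNAME }}
+NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
+NEON_PROJECT_LOCATION: ${{ secrets.NEON_PROJECT_LOCATION }}
+MONGODB_ATLAS_ORG_ID: ${{ secrets.MONGODB_ATLAS_ORG_ID }}
+MONGODB_ATLAS_PUBLIC_KEY: ${{ secrets.MONGODB_ATLAS_PUBLIC_KEY }}
+MONGODB_ATLAS_PRIVATE_KEY: ${{ secrets.MONGODB_ATLAS_PRIVATE_KEY }}
+NX_CLOUD_ACCESS_TOKEN_READ_WRITE: ${{ secrets.NX_CLOUD_ACCESS_TOKEN_READ_WRITE }}
+NX_CLOUD_ACCESS_TOKEN_READ: ${{ secrets.NX_CLOUD_ACCESS_TOKEN_READ }}
+run: |
+echo "Bootstrap: Starting ${{ inputs.team-name }} team infrastructure bootstrap"
+sh teams/kernel/iac/bootstrap/project-setup.sh \
+--owner-account-email="$OWNER_ACCOUNT_EMAIL" \
+--gcp-organization-id="$GCP_ORGANIZATION_ID" \
+--gcp-billing-account-id="$GCP_BILLING_ACCOUNT_ID" \
+--domain-name="$DOMAIN_NAME" \
+--github-username="$GITHUB_USERNAME" \
+--github-repository="${{ github.repository }}" \
+--neon-api-key="$NEON_API_KEY" \
+--neon-project-location="$NEON_PROJECT_LOCATION" \
+--mongodb-atlas-org-id="$MONGODB_ATLAS_ORG_ID" \
+--mongodb-atlas-public-key="$MONGODB_ATLAS_PUBLIC_KEY" \
+--mongodb-atlas-private-key="$MONGODB_ATLAS_PRIVATE_KEY" \
+--nx-cloud-access-token-read-write="$NX_CLOUD_ACCESS_TOKEN_READ_WRITE" \
+--nx-cloud-access-token-read="$NX_CLOUD_ACCESS_TOKEN_READ"
+echo "Bootstrap: Completed ${{ inputs.team-name }} team infrastructure bootstrap"
+
+- name: Verify bootstrap success
+run: |
+echo "Bootstrap: Verifying ${{ inputs.team-name }} infrastructure"
+gcloud projects list --filter="name:*${{ inputs.team-name }}*" --format="table(name,projectId)"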
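Review bot: `inputs.team-name` is spliced directly into the shell text of the last two `run:` blocks (both echo lines and the `--filter="name:*${{ inputs.team-name }}*"` argument of the verify step), so whatever string a caller supplies becomes part of the script before bash parses it; the input is declared `type: string` with no validation, and although the callers in this PR pass fixed names, the reusable workflow's contract does not enforce that. Routing the value through the step's `env:` keeps it data rather than code: add `TEAM_NAME: ${{ inputs.team-name }}` under `env:` and use `--filter="name:*${TEAM_NAME}*"` and `"$TEAM_NAME"` in the echo lines. Separately, the bootstrap step hands every secret to project-setup.sh as a command-line argument; argv is visible in the process table to other processes on the runner and can surface in shell tracing, whereas the same values are already exported via `env:`, so letting the script read them from the environment (the script is outside this diff) would remove that exposure. The `Install gh CLI` step is not obviously consumed by any later step in this file; if project-setup.sh depends on `gh`, a one-line comment on the step saying so would help the next reader.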
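--- /dev/null
+++ b/.github/workflows/teams-kernel-workflows-bootstrap.yml
@@ -0,0 +1,100 @@
+name: Bootstrap All Team Infrastructure
+
+on:
+workflow_dispatch:
+inputs:
+teams:
+description: 'Teams to bootstrap (all, kernel, people, things, or space-separated list)'
+required: false
+default: 'all'
+
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+bootstrap-kernel:
+name: Bootstrap Kernel Team
+uses: ./.github/workflows/teams-kernel-workflows-bootstrap-team.yml
+permissions:
+contents: read
+if: |
+github.event.inputs.teams == 'all' ||
+github.event.inputs.teams == 'kernel' ||
+contains(github.event.inputs.teams, 'kernel')
+secrets:
+GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+GCP_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
+OWNER_ACCOUNT_EMAIL: ${{ secrets.OWNER_ACCOUNT_EMAIL }}
+GCP_ORGANIZATION_ID: ${{ secrets.GCP_ORGANIZATION_ID }}
+GCP_BILLING_ACCOUNT_ID: ${{ secrets.GCP_BILLING_ACCOUNT_ID }}
+DOMAIN_NAME: ${{ secrets.DOMAIN_NAME }}
+GITHUB_USERNAME: ${{ secrets.GITHUB_USERNAME }}
+NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
+NEON_PROJECT_LOCATION: ${{ secrets.NEON_PROJECT_LOCATION }}
+MONGODB_ATLAS_ORG_ID: ${{ secrets.MONGODB_ATLAS_ORG_ID }}
+MONGODB_ATLAS_PUBLIC_KEY: ${{ secrets.MONGODB_ATLAS_PUBLIC_KEY }}
+MONGODB_ATLAS_PRIVATE_KEY: ${{ secrets.MONGODB_ATLAS_PRIVATE_KEY }}
+NX_CLOUD_ACCESS_TOKEN_READ_WRITE: ${{ secrets.NX_CLOUD_ACCESS_TOKEN_READ_WRITE }}
+NX_CLOUD_ACCESS_TOKEN_READ: ${{ secrets.NX_CLOUD_ACCESS_TOKEN_READ }}
+with:
+team-name: kernel
+
+bootstrap-people:
+name: Bootstrap People Team
+uses: ./.github/workflows/teams-kernel-workflows-bootstrap-team.yml
+needs: bootstrap-kernel
+permissions:
+contents: read
+if: |
+needs.bootstrap-kernel.result == 'success' && (
+github.event.inputs.teams == 'all' ||
+github.event.inputs.teams == 'people' ||
+contains(github.event.inputs.teams, 'people')
+)
+secrets:
+GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+GCP_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
+OWNER_ACCOUNT_EMAIL: ${{ secrets.OWNER_ACCOUNT_EMAIL }}
+GCP_ORGANIZATION_ID: ${{ secrets.GCP_ORGANIZATION_ID }}
+GCP_BILLING_ACCOUNT_ID: ${{ secrets.GCP_BILLING_ACCOUNT_ID }}
+DOMAIN_NAME: ${{ secrets.DOMAIN_NAME }}
+GITHUB_USERNAME: ${{ secrets.GITHUB_USERNAME }}
+NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
+NEON_PROJECT_LOCATION: ${{ secrets.NEON_PROJECT_LOCATION }}
+MONGODB_ATLAS_ORG_ID: ${{ secrets.MONGODB_ATLAS_ORG_ID }}
+MONGODB_ATLAS_PUBLIC_KEY: ${{ secrets.MONGODB_ATLAS_PUBLIC_KEY }}
+MONGODB_ATLAS_PRIVATE_KEY: ${{ secrets.MONGODB_ATLAS_PRIVATE_KEY }}
+NX_CLOUD_ACCESS_TOKEN_READ_WRITE: ${{ secrets.NX_CLOUD_ACCESS_TOKEN_READ_WRITE }}
+NX_CLOUD_ACCESS_TOKEN_READ: ${{ secrets.NX_CLOUD_ACCESS_TOKEN_READ }}
+with:
+team-name: people
+
+bootstrap-things:
+name: Bootstrap Things Team
+uses: ./.github/workflows/teams-kernel-workflows-bootstrap-team.yml
+needs: bootstrap-kernel
+permissions:
+contents: read
+if: |
+needs.bootstrap-kernel.result == 'success' && (
+github.event.inputs.teams == 'all' ||
+github.event.inputs.teams == 'things' ||
+contains(github.event.inputs.teams, 'things')
+)
+secrets:
+GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+GCP_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
+OWNER_ACCOUNT_EMAIL: ${{ secrets.OWNER_ACCOUNT_EMAIL }}
+GCP_ORGANIZATION_ID: ${{ secrets.GCP_ORGANIZATION_ID }}
+GCP_BILLING_ACCOUNT_ID: ${{ secrets.GCP_BILLING_ACCOUNT_ID }}
+DOMAIN_NAME: ${{ secrets.DOMAIN_NAME }}
+GITHUB_USERNAME: ${{ secrets.GITHUB_USERNAME }}
+NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
+NEON_PROJECT_LOCATION: ${{ secrets.NEON_PROJECT_LOCATION }}
+MONGODB_ATLAS_ORG_ID: ${{ secrets.MONGODB_ATLAS_ORG_ID }}
+MONGODB_ATLAS_PUBLIC_KEY: ${{ secrets.MONGODB_ATLAS_PUBLIC_KEY }}
+MONGODB_ATLAS_PRIVATE_KEY: ${{ secrets.MONGODB_ATLAS_PRIVATE_KEY }}
+NX_CLOUD_ACCESS_TOKEN_READ_WRITE: ${{ secrets.NX_CLOUD_ACCESS_TOKEN_READ_WRITE }}
+NX_CLOUD_ACCESS_TOKEN_READ: ${{ secrets.NX_CLOUD_ACCESS_TOKEN_READ }}
+with:
+team-name: things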
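Review bot: The three caller jobs (bootstrap-kernel, bootstrap-people, bootstrap-things) each grant only `permissions: contents: read`, but the reusable workflow they call declares `id-token: write` on its job for the Google Cloud OIDC auth step; a called workflow can only use the token permissions its caller job passes down, so with the current grant the OIDC token request has no scope and the auth step is expected to fail — add `id-token: write` next to `contents: read` in all three jobs. The workflow-level `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is not propagated into called reusable workflows, so it has no effect on these jobs and can be dropped; if project-setup.sh needs a token, pass it explicitly through the `secrets:` block of the called workflow instead. The `contains(github.event.inputs.teams, 'kernel')` checks are substring matches, so an input such as `kernel-legacy` would also select the kernel job; if whole-word matching is intended, `contains(format(' {0} ', github.event.inputs.teams), ' kernel ')` is the tighter form, and the same applies to the people and things conditions.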