GitHub Actions templates for deploying code to preview Deployments on Astro
The Astronomer deploy action includes several sub-actions that can be used together to create a complete Deployment preview pipeline, a configuration that allows you to test your code changes in an ephemeral development Deployment before promoting your changes to a production Astro Deployment.
The Deployment preview templates use GitHub secrets to manage the credentials needed for GitHub to authenticate to Astro. You can specify the credentials for your secrets backend so that preview Deployments have access to secret Airflow variables or connections during tests. See Deployment preview template with secrets backend implementation.
Deployment preview templates use Astronomer’s deploy-action
to automates the deploy process, meaning it can selectively deploy parts of your project based on which files you changed. See Standard deploy templates for more information about the deploy-action
.
Prerequisites
- An Astro project hosted in a GitHub repository.
- An Astro Deployment.
- A Deployment API token, Workspace API token, or Organization API token.
- Access to GitHub Actions.
Specific templates might have additional requirements.
If you use a self-hosted runner to execute jobs from GitHub Actions, the Astro CLI’s config.yaml
file, which stores default deploy details, might be shared across your organization and hence multiple CI/CD pipelines. To reduce the risk of accidentally deploying to the wrong Deployment, ensure the following:
- Add
ASTRO_API_TOKEN
to your repository and include a check in your GitHub workflow to verify that it exists. - Use Deployment API tokens, which are scoped only to one Deployment, instead of Workspace or Organization API tokens.
- Specify
deployment-id
ordeployment-name
in your action. For example,astro deploy <deployment-id>
orastro deploy -n <deployment-name>
. - Add the command
astro logout
at the end of your workflow to ensure that your authentication token is cleared from theconfig.yaml
file.
Deployment preview template
The standard Deployment preview template uses GitHub secrets and an Astro Deployment API token to create a preview Deployment whenever you create a new feature branch off of your main branch.
Setup
- Copy and save the Deployment ID for your Astro Deployment.
<main-deployment-id>
with this Deployment ID in all the scripts created in the following steps. Even though some scripts take action on the preview Deployment, the <main-deployment-id>
should be same for each script.- Set the following GitHub secret in the repository hosting your Astro project:
- Key:
ASTRO_API_TOKEN
- Secret:
<your-token>
- In your project repository, create a new YAML file in
.github/workflows
nameddeploy-to-preview.yml
that includes the following configuration:
- In the same folder, create a new YAML file named
delete-preview-deployment.yml
that includes the following configuration:
- In the same folder, create a new YAML file named
deploy-to-main-deployment.yml
that includes the following configuration:
All three workflow files must have the same Deployment ID specified. The actions use this Deployment ID to create and delete preview Deployments based on your main Deployment.
Deployment preview template with secrets backend implementation
If you use a secrets backend to manage Airflow objects such as variables and connections, you can configure your action to grant preview Deployments access to your secrets backend. This means that dags in the preview Deployment can access your secret Airflow objects for testing purposes.
This template makes use of the AIRFLOW__SECRETS__BACKEND_KWARGS
environment variable to store information and credentials for your secrets backend.
Prerequisites
- A secrets backend, such as Hashicorp Vault.
Setup
- Copy and save the Deployment ID for your Astro deployment.
<main-deployment-id>
with this Deployment ID in all the scripts created in the following steps. Even though some scripts take action on the preview Deployment, the <main-deployment-id>
should be same for each script.- Set the following GitHub secrets in the repository hosting your Astro project. This includes your Astro API Token, so that GitHub has permissions to deploy code to your Deployments or Workspaces, and your secrets backend information stored in
AIRFLOW__SECRETS__BACKEND_KWARGS
. See Configure a secrets backend for more information about configuring your secrets backend as an environment variable.
- Key 1:
ASTRO_API_TOKEN
- Secret 1:
<your-token>
- Key 2:
AIRFLOW__SECRETS__BACKEND_KWARGS
- Secret 2:
<your-kwargs>
- In your project repository, create a new YAML file in
.github/workflows
namedcreate-deployment-preview.yml
that includes the following configuration.
- In the same folder, create a new YAML file named
deploy-to-preview.yml
that includes the following configuration:
- In the same folder, create a new YAML file named
delete-preview-deployment.yml
that includes the following configuration:
- In the same folder, create a new YAML file named
deploy-to-main-deployment.yml
that includes the following configuration:
All four workflow files must have the same Deployment ID specified. The actions use this Deployment ID to create and delete preview Deployments based on your main Deployment.