Updates the CD Pipeline to add a deploy job, which goes into the repository and runs kustomize edit set image <imagename>:<git_tag_sha>, commits and pushes the following kustomize change into GitHub. The change is then picked up by ArgoCD, which will roll out the change asynchronously.
Concerns
Currently the native GitHub Actions token doesn't allow itself to push commits into protected branches. There is no "actor" that we could add to allow for a bypass of this protection rule. Solutions range from temporarily disabling protection rules to calling API actions to create and merge PRs instantly, which are all not very clean and undesired. To get around this limitation right now, we're using the Infrastructure bot user (the old Jenkins user within Ad Hoc) via a PAT with very limited access to perform this push action. This allows us to add the Jenkins user as a user that can bypass the branch restriction, but with the caveat that we're using a persistent access token to perform this job.
Closes #97
https://github.com/community/community/discussions/13836
Let me know if this is worth the token or if we should find another way to maintain our deployments.
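A guard the deploy job could run between kustomize edit set image and git commit, so that the bypass-capable PAT can only ever push an image tag bump. This is an added example, not code from this PR; the function names and the sample kustomization files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: guard run after `kustomize edit set image` and before
# `git commit`. The PAT can bypass branch protection, so only an image tag
# bump to a commit SHA is allowed through.

# Accept only a git commit SHA (7 to 40 lowercase hex characters).
valid_sha_tag() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{7,40}$'
}

# Succeed only if the two kustomization files differ solely in newTag
# values, one new line per old line, and every new value is a commit SHA.
only_tag_changed() {
  _changed=$(diff "$1" "$2" | grep -E '^[<>]' || true)
  [ -n "$_changed" ] || return 1                 # nothing changed
  if printf '%s\n' "$_changed" | grep -Evq '^[<>] +newTag: *[^ ]+ *$'; then
    return 1                                     # some other line was edited
  fi
  _old=$(printf '%s\n' "$_changed" | grep -c '^<' || true)
  _new=$(printf '%s\n' "$_changed" | grep -c '^>' || true)
  [ "$_old" -eq "$_new" ] || return 1            # a tag was added or removed
  printf '%s\n' "$_changed" | sed -n 's/^> *newTag: *//p' | tr -d "\"'" |
    while read -r _tag; do valid_sha_tag "$_tag" || exit 1; done
}

# Constructed sample input: the committed file, a tag-only bump, a bump that
# also swaps the image name, and a bump to a mutable tag.
write_samples() {
  printf 'images:\n- name: example/app\n  newTag: 1111111\n' > "$1/old.yaml"
  printf 'images:\n- name: example/app\n  newTag: 2f9c4e7\n' > "$1/good.yaml"
  printf 'images:\n- name: example/evil\n  newTag: 2f9c4e7\n' > "$1/bad.yaml"
  printf 'images:\n- name: example/app\n  newTag: latest\n' > "$1/latest.yaml"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in good bad latest; do
  if only_tag_changed "$tmp/old.yaml" "$tmp/$f.yaml"; then
    echo "$f: commit allowed"
  else
    echo "$f: refused"
  fi
done
rm -rf "$tmp"
```

The check is deliberately conservative: the first commit that introduces an images entry is refused and would go through a reviewed PR instead.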