feat: add GitHub Actions deployment pipeline

jonathanglasmeyer · jonathanglasmeyer · commit b786feb23f3f · 2025-10-07T22:27:15.000+02:00
diff --git a/.github/workflows/deploy-discord-bot.yml b/.github/workflows/deploy-discord-bot.yml
@@ -0,0 +1,77 @@
+name: Deploy Discord Bot to Hetzner
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'discord-server/**'
+      - 'docker-compose.yml'
+      - 'deploy.sh'
+      - '.github/workflows/deploy-discord-bot.yml'
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Deploy to Hetzner VPS
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        working-directory: discord-server
+        run: bun install --frozen-lockfile
+
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.HETZNER_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          # Configure SSH host alias
+          cat >> ~/.ssh/config << EOF
+          Host hetzner
+            HostName ${{ secrets.HETZNER_HOST }}
+            User ${{ secrets.HETZNER_USER }}
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking no
+          EOF
+
+          # Add host to known_hosts
+          ssh-keyscan -H ${{ secrets.HETZNER_HOST }} >> ~/.ssh/known_hosts
+
+      - name: Create .env from secrets
+        working-directory: discord-server
+        run: |
+          cat << EOF > .env
+          DISCORD_BOT_TOKEN=${{ secrets.DISCORD_BOT_TOKEN }}
+          DISCORD_INBOX_CHANNEL_ID=${{ secrets.DISCORD_INBOX_CHANNEL_ID }}
+          CLAUDE_CODE_OAUTH_TOKEN=${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          OBSIDIAN_VAULT_PATH=/srv/claude-jobs/obsidian-vault
+          REDIS_HOST=obsidian-redis
+          REDIS_PORT=6379
+          PORT=3001
+          NODE_ENV=production
+          EOF
+
+      - name: Run deploy.sh
+        run: |
+          # Make deploy.sh executable
+          chmod +x deploy.sh
+
+          # Run deploy script
+          ./deploy.sh
+        env:
+          CI: true
+
+      - name: Deployment summary
+        if: success()
+        run: |
+          echo "✅ Discord Bot deployment complete!"
+          echo "🤖 Bot: Internal Discord bot (no public endpoint)"
+          echo "🏥 Health: https://obsidian.quietloop.dev/health"
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -158,6 +158,57 @@ curl http://localhost:3001/health                 # Via tunnel (direct to contai
 - Next.js chat interface with AI SDK hooks
 - Professional UI for web-based interaction
 
+## Production Deployment
+
+### Automated Deployment via GitHub Actions
+
+**GitHub Actions Workflow:** `.github/workflows/deploy-discord-bot.yml`
+
+**Trigger:** Push to `main` with changes to:
+- `discord-server/**`
+- `docker-compose.yml`
+- `deploy.sh`
+- `.github/workflows/deploy-discord-bot.yml`
+
+**Deploy Flow:**
+1. Bun setup + dependency installation
+2. SSH setup via GitHub Secrets
+3. Create `.env` from GitHub Secrets
+4. Execute `deploy.sh` (CI mode)
+5. Health check + deployment summary
+
+**Manual Deploy (fallback):**
+```bash
+./deploy.sh  # Detects CI mode automatically
+```
+
+### GitHub Secrets Setup (One-Time)
+
+**Sync Secrets to GitHub:**
+```bash
+# One command syncs everything (reads discord-server/.env + SSH config)
+./scripts/sync-secrets-to-github.sh
+```
+
+**What the script does:**
+- Reads all secrets from `discord-server/.env` and syncs to GitHub
+- Auto-detects Hetzner SSH config from `~/.ssh/config` (hetzner alias)
+- Extracts SSH key, host, and user automatically
+- Validates all required secrets are configured
+
+**Required Secrets:**
+- `DISCORD_BOT_TOKEN` - Discord bot authentication
+- `DISCORD_INBOX_CHANNEL_ID` - Channel for bot messages
+- `CLAUDE_CODE_OAUTH_TOKEN` - Claude API authentication
+- `HETZNER_SSH_KEY` - SSH private key for deployment
+- `HETZNER_HOST` - VPS IP address
+- `HETZNER_USER` - SSH user (usually root)
+
+**When to Re-run:**
+- Initial setup (one-time)
+- When secrets in `discord-server/.env` change
+- When rotating credentials
+
 ## Production Infrastructure
 
 ### Clean Architecture ✅
diff --git a/deploy.sh b/deploy.sh
@@ -10,32 +10,48 @@ REMOTE_PATH="~/obsidian-bridge-server"
 PROJECT_NAME="quietloop-claude-obsidian-server"
 SERVICE_URL="https://obsidian.quietloop.dev"
 
-# Load port validation from infra repo
-INFRA_SCRIPTS="../quietloop-hetzner-infra/scripts"
-if [ -f "$INFRA_SCRIPTS/validate-local-ports.sh" ]; then
-    source "$INFRA_SCRIPTS/validate-local-ports.sh"
+# Load port validation from infra repo (skip in CI)
+if [ -z "$CI" ]; then
+    INFRA_SCRIPTS="../quietloop-hetzner-infra/scripts"
+    if [ -f "$INFRA_SCRIPTS/validate-local-ports.sh" ]; then
+        source "$INFRA_SCRIPTS/validate-local-ports.sh"
+    else
+        echo "⚠️ Port validation script not found - skipping validation"
+        validate_local_ports() { return 0; }
+    fi
 else
-    echo "⚠️ Port validation script not found - skipping validation"
+    # CI mode: Skip port validation
     validate_local_ports() { return 0; }
 fi
 
-# Load Claude token from local discord-server/.env
-if [ -f discord-server/.env ]; then
-    source discord-server/.env
-    echo "🔑 Loaded environment from discord-server/.env"
-    if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then
-        echo "🔑 Claude token found in discord-server/.env"
+# Load or verify environment variables
+if [ -z "$CI" ]; then
+    # Local deployment: Load from .env file
+    if [ -f discord-server/.env ]; then
+        source discord-server/.env
+        echo "🔑 Loaded environment from discord-server/.env"
+        if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then
+            echo "🔑 Claude token found in discord-server/.env"
+        else
+            echo "⚠️ WARNING: No CLAUDE_CODE_OAUTH_TOKEN in discord-server/.env. Bot will fail authentication."
+        fi
+        if [ -n "$DISCORD_BOT_TOKEN" ]; then
+            echo "🤖 Discord bot token found in discord-server/.env"
+        else
+            echo "⚠️ WARNING: No DISCORD_BOT_TOKEN in discord-server/.env. Bot will fail to connect."
+        fi
     else
-        echo "⚠️ WARNING: No CLAUDE_CODE_OAUTH_TOKEN in discord-server/.env. Bot will fail authentication."
+        echo "❌ ERROR: discord-server/.env file not found"
+        exit 1
     fi
-    if [ -n "$DISCORD_BOT_TOKEN" ]; then
-        echo "🤖 Discord bot token found in discord-server/.env"
+else
+    # CI deployment: .env file created by GitHub Actions
+    if [ -f discord-server/.env ]; then
+        echo "🔑 Using .env created by GitHub Actions"
     else
-        echo "⚠️ WARNING: No DISCORD_BOT_TOKEN in discord-server/.env. Bot will fail to connect."
+        echo "❌ ERROR: discord-server/.env not found (should be created by GitHub Actions)"
+        exit 1
     fi
-else
-    echo "❌ ERROR: discord-server/.env file not found"
-    exit 1
 fi
 
 # Pre-deployment validation
diff --git a/scripts/sync-secrets-to-github.sh b/scripts/sync-secrets-to-github.sh
@@ -0,0 +1,141 @@
+#!/bin/bash
+set -e
+
+# Sync discord-server/.env secrets to GitHub repository
+# Requires: gh CLI (brew install gh)
+
+echo "🔐 Syncing discord-server/.env to GitHub Secrets..."
+echo ""
+
+# Check if gh is installed
+if ! command -v gh &> /dev/null; then
+    echo "❌ gh CLI is not installed"
+    echo "Install: brew install gh"
+    exit 1
+fi
+
+# Check if authenticated
+if ! gh auth status &> /dev/null; then
+    echo "❌ Not authenticated with GitHub"
+    echo "Run: gh auth login"
+    exit 1
+fi
+
+# Check if discord-server/.env exists
+if [ ! -f "discord-server/.env" ]; then
+    echo "❌ discord-server/.env not found"
+    echo "Create it first with your production secrets"
+    exit 1
+fi
+
+# Get repository (auto-detect from git remote)
+REPO=$(gh repo view --json nameWithOwner -q .nameWithOwner 2>/dev/null || echo "")
+if [ -z "$REPO" ]; then
+    echo "❌ Could not detect GitHub repository"
+    echo "Make sure you're in a git repository with a GitHub remote"
+    exit 1
+fi
+
+echo "📦 Repository: $REPO"
+echo ""
+
+# Parse discord-server/.env and set secrets
+while IFS='=' read -r key value; do
+    # Skip empty lines and comments
+    [[ -z "$key" || "$key" =~ ^# ]] && continue
+
+    # Remove quotes from value
+    value=$(echo "$value" | sed -e 's/^"//' -e 's/"$//' -e "s/^'//" -e "s/'$//")
+
+    echo "🔑 Setting secret: $key"
+    echo "$value" | gh secret set "$key" --repo "$REPO"
+done < discord-server/.env
+
+echo ""
+echo "✅ All discord-server/.env secrets synced to GitHub!"
+echo ""
+
+# Auto-detect SSH config from 'hetzner' alias
+echo "🔍 Auto-detecting Hetzner SSH config..."
+if ssh -G hetzner &>/dev/null; then
+    HETZNER_USER=$(ssh -G hetzner 2>/dev/null | grep "^user " | awk '{print $2}')
+    HETZNER_HOST=$(ssh -G hetzner 2>/dev/null | grep "^hostname " | awk '{print $2}')
+    SSH_KEY_PATH=$(ssh -G hetzner 2>/dev/null | grep "^identityfile " | head -1 | awk '{print $2}')
+
+    # Expand ~ in path
+    SSH_KEY_PATH="${SSH_KEY_PATH/#\~/$HOME}"
+
+    echo "📦 Detected from SSH config:"
+    echo "   Host: $HETZNER_HOST"
+    echo "   User: $HETZNER_USER"
+    echo "   Key:  $SSH_KEY_PATH"
+    echo ""
+
+    # Set Hetzner secrets
+    if [ -f "$SSH_KEY_PATH" ]; then
+        echo "🔑 Setting HETZNER_SSH_KEY..."
+        cat "$SSH_KEY_PATH" | gh secret set HETZNER_SSH_KEY --repo "$REPO"
+
+        echo "🔑 Setting HETZNER_HOST..."
+        echo "$HETZNER_HOST" | gh secret set HETZNER_HOST --repo "$REPO"
+
+        echo "🔑 Setting HETZNER_USER..."
+        echo "$HETZNER_USER" | gh secret set HETZNER_USER --repo "$REPO"
+
+        echo ""
+        echo "✅ All Hetzner SSH secrets synced!"
+    else
+        echo "⚠️  SSH key not found at: $SSH_KEY_PATH"
+        echo "Set manually:"
+        echo "   cat ~/.ssh/your_key | gh secret set HETZNER_SSH_KEY --repo $REPO"
+    fi
+else
+    echo "⚠️  'hetzner' SSH alias not found in ~/.ssh/config"
+    echo ""
+    echo "📋 Set Hetzner secrets manually:"
+    echo "   cat ~/.ssh/your_deploy_key | gh secret set HETZNER_SSH_KEY --repo $REPO"
+    echo "   echo 'your.server.ip' | gh secret set HETZNER_HOST --repo $REPO"
+    echo "   echo 'root' | gh secret set HETZNER_USER --repo $REPO"
+fi
+
+echo ""
+echo "🔍 Validating all required secrets..."
+echo ""
+
+# Required secrets for Discord Bot deployment
+REQUIRED_SECRETS=(
+    "DISCORD_BOT_TOKEN"
+    "DISCORD_INBOX_CHANNEL_ID"
+    "CLAUDE_CODE_OAUTH_TOKEN"
+    "HETZNER_SSH_KEY"
+    "HETZNER_HOST"
+    "HETZNER_USER"
+)
+
+# Get list of existing secrets
+EXISTING_SECRETS=$(gh secret list --repo "$REPO" 2>/dev/null | awk '{print $1}')
+
+# Check each required secret
+MISSING_SECRETS=()
+for secret in "${REQUIRED_SECRETS[@]}"; do
+    if echo "$EXISTING_SECRETS" | grep -q "^${secret}$"; then
+        echo "✅ $secret"
+    else
+        echo "❌ $secret (MISSING)"
+        MISSING_SECRETS+=("$secret")
+    fi
+done
+
+echo ""
+if [ ${#MISSING_SECRETS[@]} -eq 0 ]; then
+    echo "🎉 All required secrets are configured!"
+    echo "✅ Ready for automated deployment via GitHub Actions"
+else
+    echo "⚠️  Missing ${#MISSING_SECRETS[@]} secret(s):"
+    for secret in "${MISSING_SECRETS[@]}"; do
+        echo "   - $secret"
+    done
+    echo ""
+    echo "Run this script again or set missing secrets manually"
+    exit 1
+fi
