-
Notifications
You must be signed in to change notification settings - Fork 2
411 lines (368 loc) · 16.1 KB
/
deploy-develop.yml
File metadata and controls
411 lines (368 loc) · 16.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
name: Deploy Develop
# Required secrets:
# DEPLOY_SSH_KEY - Private SSH key (Ed25519 or RSA 4096+) for the deploy user on the Droplet
# DROPLET_IP - IP address of the DigitalOcean Droplet (e.g. 143.198.xxx.xxx)
#
# The deploy user is created by deploy/demo/provision.sh with docker group membership
# and ownership of /opt/meridian-develop/. Run provision.sh once as root to set up the server.
on:
push:
branches: [develop]
workflow_dispatch:
concurrency:
group: deploy-develop
cancel-in-progress: true
permissions:
contents: read
packages: write
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-push:
name: Build and Push Docker Image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # Required for cosign keyless signing via OIDC
outputs:
image-digest: ${{ steps.build.outputs.digest }}
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: '1.26.2'
cache: true
- name: Set up buf
uses: bufbuild/buf-action@v1
with:
setup_only: true
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate protobuf files
run: buf generate
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to Container Registry
uses: docker/login-action@v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v6
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=develop
type=sha,prefix=develop-,format=short
- name: Build and push Docker image
id: build
uses: docker/build-push-action@v7
with:
context: .
file: ./cmd/meridian/Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
VERSION=${{ github.ref_name }}
COMMIT=${{ github.sha }}
BUILD_DATE=${{ github.event.head_commit.timestamp || github.event.repository.updated_at }}
- name: Install Cosign
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
- name: Sign container image
run: |
cosign sign --yes \
ghcr.io/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
build-frontend:
name: Build Frontend
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: '22'
cache: 'npm'
cache-dependency-path: frontend/package-lock.json
- name: Set up buf
uses: bufbuild/buf-action@v1
with:
setup_only: true
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Install dependencies
working-directory: frontend
run: npm ci
- name: Generate protobuf TypeScript clients
working-directory: frontend
run: |
export PATH="$PWD/node_modules/.bin:$PATH"
buf generate --template buf.gen.yaml ../api/proto
- name: Build frontend
working-directory: frontend
env:
VITE_API_BASE_URL: https://develop.meridianhub.cloud
VITE_BASE_DOMAIN: develop.meridianhub.cloud
VITE_BUILD_VERSION: ${{ github.ref_name }}
VITE_BUILD_COMMIT: ${{ github.sha }}
run: npx vite build
- name: Upload frontend artifact
uses: actions/upload-artifact@v7
with:
name: frontend-dist-develop
path: frontend/dist/
retention-days: 1
deploy:
name: Deploy to Develop Environment
needs: [build-and-push, build-frontend]
runs-on: ubuntu-latest
environment:
name: develop
url: https://develop.meridianhub.cloud
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Install Cosign
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
- name: Verify container image signature
run: |
cosign verify \
--certificate-identity="https://github.com/${{ github.repository }}/.github/workflows/deploy-develop.yml@refs/heads/develop" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
ghcr.io/${{ env.IMAGE_NAME }}@${{ needs.build-and-push.outputs.image-digest }}
- name: Download frontend artifact
uses: actions/download-artifact@v8
with:
name: frontend-dist-develop
path: frontend-dist/
- name: Deploy frontend via SCP
uses: appleboy/scp-action@ff85246acaad7bdce478db94a363cd2bf7c90345 # v1.0.0
with:
host: ${{ secrets.DROPLET_IP }}
username: deploy
key: ${{ secrets.DEPLOY_SSH_KEY }}
source: "frontend-dist/*"
target: /opt/meridian-develop/frontend/
strip_components: 1
overwrite: true
- name: Deploy config files via SCP
uses: appleboy/scp-action@ff85246acaad7bdce478db94a363cd2bf7c90345 # v1.0.0
with:
host: ${{ secrets.DROPLET_IP }}
username: deploy
key: ${{ secrets.DEPLOY_SSH_KEY }}
source: "deploy/develop/docker-compose.develop.yml,deploy/develop/init-databases-develop.sql"
target: /opt/meridian-develop/
strip_components: 2
overwrite: true
- name: Deploy Caddyfile to demo stack
uses: appleboy/scp-action@ff85246acaad7bdce478db94a363cd2bf7c90345 # v1.0.0
with:
host: ${{ secrets.DROPLET_IP }}
username: deploy
key: ${{ secrets.DEPLOY_SSH_KEY }}
source: "deploy/demo/Caddyfile"
target: /opt/meridian/
strip_components: 2
overwrite: true
- name: Deploy via SSH
uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5
env:
IMAGE_DIGEST: ${{ needs.build-and-push.outputs.image-digest }}
with:
host: ${{ secrets.DROPLET_IP }}
username: deploy
key: ${{ secrets.DEPLOY_SSH_KEY }}
envs: IMAGE_DIGEST
script: |
cd /opt/meridian-develop
# Pull the exact verified digest to prevent TOCTOU between verify and deploy
docker pull ghcr.io/meridianhub/meridian@${IMAGE_DIGEST}
docker tag ghcr.io/meridianhub/meridian@${IMAGE_DIGEST} ghcr.io/meridianhub/meridian:develop
docker compose -f docker-compose.develop.yml up -d --remove-orphans
# Verify all services came up (see deploy-demo.yml for rationale)
sleep 5
failed=$(docker compose -f docker-compose.develop.yml ps --status exited --format '{{.Service}}')
if [ -n "$failed" ]; then
echo "Services failed to start: $failed - retrying"
docker compose -f docker-compose.develop.yml up -d $failed
sleep 3
still_failed=$(docker compose -f docker-compose.develop.yml ps --status exited --format '{{.Service}}')
if [ -n "$still_failed" ]; then
echo "Services still down after retry: $still_failed"
exit 1
fi
fi
echo "All services running"
# Reload Caddy from the demo stack (Caddy runs there, serves both environments)
docker compose -f /opt/meridian/docker-compose.yml exec -T caddy caddy reload --config /etc/caddy/Caddyfile
docker image prune -f
- name: Ensure databases exist
uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5
with:
host: ${{ secrets.DROPLET_IP }}
username: deploy
key: ${{ secrets.DEPLOY_SSH_KEY }}
script: |
# Docker init scripts only run on first volume creation. When new
# databases are added to init-databases-develop.sql, existing volumes
# won't have them. Create any missing databases so the app can start.
cd /opt/meridian-develop
created=0
for db in $(grep -oP 'CREATE DATABASE \K\w+' init-databases-develop.sql); do
exists=$(docker exec postgres-develop psql -U meridian -tAc \
"SELECT 1 FROM pg_database WHERE datname = '${db}'")
if [ "$exists" != "1" ]; then
docker exec postgres-develop createdb -U meridian "${db}"
echo "Created missing database: ${db}"
created=1
fi
done
if [ "$created" = "1" ]; then
echo "New databases created - restarting app to pick up connections"
docker compose -f docker-compose.develop.yml restart meridian-develop
fi
# Wait for the container to be running (not restarting) before migrations.
# The app image is distroless - no shell utilities - so use docker inspect.
for i in $(seq 1 30); do
status=$(docker inspect --format='{{.State.Status}}' meridian-develop 2>/dev/null || echo "missing")
if [ "$status" = "running" ]; then
echo "Container is running"
exit 0
fi
echo "Waiting for container (status: $status)... ($i/30)"
sleep 2
done
echo "Container failed to start after 60s"
exit 1
- name: Run migrations
uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5
with:
host: ${{ secrets.DROPLET_IP }}
username: deploy
key: ${{ secrets.DEPLOY_SSH_KEY }}
script: |
docker exec meridian-develop /meridian --migrate
- name: Restart meridian-develop post-migration
uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5
with:
host: ${{ secrets.DROPLET_IP }}
username: deploy
key: ${{ secrets.DEPLOY_SSH_KEY }}
script: |
cd /opt/meridian-develop
# Reset tenant provisioning state and drop tenant schemas so every
# deploy re-provisions from scratch. Three states must be reconciled:
#
# 1. tenant.status - the provisioning worker polls this via
# ListByStatus(StatusProvisioningPending) (provisioning_worker.go).
# Without resetting, the worker never claims the tenant.
#
# 2. tenant_provisioning.service_schemas - the provisioner checks
# this JSONB per-service and short-circuits via "service already
# provisioned, skipping" (postgres_provisioner.go). Clearing to
# '[]' forces a full re-run of the loop.
#
# 3. Physical org_<tenant> schemas in each service database - if
# left in place they may contain partial/stale tables from a
# previous broken run, causing migrations to fail with "relation
# does not exist" when they reference objects that got renamed
# or dropped earlier. DROP SCHEMA CASCADE ensures migrations
# run against completely empty schemas, matching the E2E path
# which is known to pass.
#
# Stop meridian-develop BEFORE resetting state. The worker polls
# tenant.status every 10s, so if the app is still running when we
# flip tenants to provisioning_pending it will race with this
# script: start provisioning against half-cleaned databases and
# then get interrupted when we issue the restart. Stopping first
# eliminates the race, and starting (not restarting) afterwards
# lets the worker observe the fully-reset state on boot.
#
# Must run AFTER migrations so the provisioner uses up-to-date DDL.
docker compose -f docker-compose.develop.yml stop meridian-develop
SERVICE_DBS="meridian_party meridian_current_account meridian_position_keeping meridian_financial_accounting meridian_payment_order meridian_market_information meridian_reference_data meridian_internal_account meridian_reconciliation meridian_identity meridian_control_plane"
for DB in $SERVICE_DBS; do
docker exec postgres-develop psql -U meridian -d $DB -tA -c "
SELECT format('DROP SCHEMA IF EXISTS %I CASCADE', nspname)
FROM pg_namespace WHERE nspname LIKE 'org\_%' ESCAPE '\\'
" | while read stmt; do
[ -z "$stmt" ] && continue
docker exec postgres-develop psql -U meridian -d $DB -c "$stmt"
done
done
docker exec postgres-develop psql -U meridian -d meridian_platform -c "
UPDATE tenant SET status = 'provisioning_pending', updated_at = NOW() WHERE status != 'deprovisioned';
UPDATE tenant_provisioning SET state = 'pending', service_schemas = '[]'::jsonb, error_message = '' WHERE state != 'deprovisioned';
"
# Start the app back up with the reset state in place. The
# provisioning worker will claim the pending tenants on its first
# poll and re-run all migrations against the newly empty schemas.
docker compose -f docker-compose.develop.yml start meridian-develop
- name: Seed develop data
uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5
with:
host: ${{ secrets.DROPLET_IP }}
username: deploy
key: ${{ secrets.DEPLOY_SSH_KEY }}
script: |
# seed-dev has its own gateway health polling (60s timeout, 2s interval)
# so no extra wait needed between restart and seed.
docker exec meridian-develop /seed-dev \
--gateway-url=http://localhost:8090 \
--grpc-addr=localhost:50051 \
--tenant-id=volterra_energy \
--tenant-slug=volterra-energy \
--display-name='Volterra Energy' \
--subdomain=volterra-energy.develop.meridianhub.cloud \
--manifest=/app/examples/manifests/energy.json \
--with-fixtures
- name: Verify deployment health
uses: appleboy/ssh-action@0ff4204d59e8e51228ff73bce53f80d53301dee2 # v1.2.5
with:
host: ${{ secrets.DROPLET_IP }}
username: deploy
key: ${{ secrets.DEPLOY_SSH_KEY }}
script: |
max_attempts=30
attempt=0
until [ $attempt -ge $max_attempts ]; do
attempt=$((attempt+1))
echo "Health check attempt $attempt/$max_attempts"
if curl -sf http://localhost:80/healthz -H 'Host: develop.meridianhub.cloud' > /dev/null 2>&1; then
echo "Service is healthy"
exit 0
fi
sleep 5
done
echo "Health check failed after $max_attempts attempts"
cd /opt/meridian-develop && docker compose -f docker-compose.develop.yml logs --tail=50
exit 1
notify-failure:
name: Notify Deployment Failure
needs: [build-and-push, build-frontend, deploy]
if: failure()
runs-on: ubuntu-latest
permissions:
statuses: write
steps:
- name: Report deployment failure
uses: actions/github-script@v9
with:
script: |
await github.rest.repos.createCommitStatus({
owner: context.repo.owner,
repo: context.repo.repo,
sha: context.sha,
state: 'failure',
context: 'deploy/develop',
description: 'Develop environment deployment failed',
target_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
});