|
| 1 | +name: CD |
| 2 | + |
| 3 | +on: |
| 4 | + push: |
| 5 | + branches: [ main ] |
| 6 | + pull_request_target: |
| 7 | + branches: [ main ] |
| 8 | + workflow_dispatch: |
| 9 | + |
| 10 | +permissions: |
| 11 | + contents: read |
| 12 | + packages: write |
| 13 | + |
| 14 | +env: |
| 15 | + REGISTRY: ghcr.io |
| 16 | + |
| 17 | +jobs: |
| 18 | + build-and-push: |
| 19 | + runs-on: ubuntu-latest |
| 20 | + outputs: |
| 21 | + backend_image: ${{ steps.tags.outputs.backend }} |
| 22 | + frontend_image: ${{ steps.tags.outputs.frontend }} |
| 23 | + # Only run on PRs originating from this repo to avoid exposing secrets to forks |
| 24 | + if: ${{ github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository }} |
| 25 | + steps: |
| 26 | + - name: Select ref |
| 27 | + run: | |
| 28 | + if [ "${{ github.event_name }}" = "pull_request_target" ]; then |
| 29 | + echo "REF=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV |
| 30 | + else |
| 31 | + echo "REF=${GITHUB_SHA}" >> $GITHUB_ENV |
| 32 | + fi |
| 33 | + - uses: actions/checkout@v4 |
| 34 | + with: |
| 35 | + ref: ${{ env.REF }} |
| 36 | + |
| 37 | + - name: Derive lowercase image repo |
| 38 | + run: | |
| 39 | + echo "IMAGE_REPO=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV |
| 40 | +
|
| 41 | + - name: Log in to GHCR |
| 42 | + uses: docker/login-action@v3 |
| 43 | + with: |
| 44 | + registry: ${{ env.REGISTRY }} |
| 45 | + username: ${{ github.actor }} |
| 46 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 47 | + |
| 48 | + - name: Set image tags |
| 49 | + id: tags |
| 50 | + run: | |
| 51 | + SHA_TAG=sha-${GITHUB_SHA::7} |
| 52 | + echo "backend=${{ env.REGISTRY }}/${IMAGE_REPO}-backend:${SHA_TAG}" >> $GITHUB_OUTPUT |
| 53 | + echo "backend_latest=${{ env.REGISTRY }}/${IMAGE_REPO}-backend:latest" >> $GITHUB_OUTPUT |
| 54 | + echo "frontend=${{ env.REGISTRY }}/${IMAGE_REPO}-frontend:${SHA_TAG}" >> $GITHUB_OUTPUT |
| 55 | + echo "frontend_latest=${{ env.REGISTRY }}/${IMAGE_REPO}-frontend:latest" >> $GITHUB_OUTPUT |
| 56 | +
|
| 57 | + - name: Build and push backend |
| 58 | + uses: docker/build-push-action@v6 |
| 59 | + with: |
| 60 | + context: . |
| 61 | + file: backend/Dockerfile |
| 62 | + push: true |
| 63 | + tags: | |
| 64 | + ${{ steps.tags.outputs.backend }} |
| 65 | + ${{ steps.tags.outputs.backend_latest }} |
| 66 | +
|
| 67 | + - name: Build and push frontend |
| 68 | + uses: docker/build-push-action@v6 |
| 69 | + with: |
| 70 | + context: frontend |
| 71 | + file: frontend/Dockerfile |
| 72 | + push: true |
| 73 | + tags: | |
| 74 | + ${{ steps.tags.outputs.frontend }} |
| 75 | + ${{ steps.tags.outputs.frontend_latest }} |
| 76 | +
|
| 77 | + - name: Show image tags |
| 78 | + run: | |
| 79 | + echo "Backend: ${{ steps.tags.outputs.backend }}" |
| 80 | + echo "Frontend: ${{ steps.tags.outputs.frontend }}" |
| 81 | +
|
| 82 | + |
| 83 | + |
| 84 | + deploy-compose: |
| 85 | + runs-on: ubuntu-latest |
| 86 | + needs: build-and-push |
| 87 | + if: ${{ secrets.SSH_HOST != '' && secrets.SSH_USER != '' && secrets.SSH_PRIVATE_KEY != '' && (github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository) }} |
| 88 | + environment: production |
| 89 | + concurrency: |
| 90 | + group: prod-deploy |
| 91 | + cancel-in-progress: false |
| 92 | + steps: |
| 93 | + - name: Select ref |
| 94 | + run: | |
| 95 | + if [ "${{ github.event_name }}" = "pull_request_target" ]; then |
| 96 | + echo "REF=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV |
| 97 | + else |
| 98 | + echo "REF=${GITHUB_SHA}" >> $GITHUB_ENV |
| 99 | + fi |
| 100 | + - uses: actions/checkout@v4 |
| 101 | + with: |
| 102 | + ref: ${{ env.REF }} |
| 103 | + |
| 104 | + - name: Upload docker-compose file |
| 105 | + uses: appleboy/scp-action@v0.1.7 |
| 106 | + with: |
| 107 | + host: ${{ secrets.SSH_HOST }} |
| 108 | + username: ${{ secrets.SSH_USER }} |
| 109 | + key: ${{ secrets.SSH_PRIVATE_KEY }} |
| 110 | + source: "docker-compose.prod.yml" |
| 111 | + target: "/opt/edgeflow/docker-compose.yml" |
| 112 | + strip_components: 0 |
| 113 | + |
| 114 | + - name: Deploy via SSH |
| 115 | + uses: appleboy/ssh-action@v1.0.3 |
| 116 | + with: |
| 117 | + host: ${{ secrets.SSH_HOST }} |
| 118 | + username: ${{ secrets.SSH_USER }} |
| 119 | + key: ${{ secrets.SSH_PRIVATE_KEY }} |
| 120 | + script: | |
| 121 | + set -euo pipefail |
| 122 | + APP_DIR=/opt/edgeflow |
| 123 | + sudo mkdir -p ${APP_DIR} |
| 124 | + cd ${APP_DIR} |
| 125 | + # Write .env with image tags |
| 126 | + cat > .env << 'EOF' |
| 127 | + BACKEND_IMAGE=${{ needs.build-and-push.outputs.backend_image }} |
| 128 | + FRONTEND_IMAGE=${{ needs.build-and-push.outputs.frontend_image }} |
| 129 | + EOF |
| 130 | + # Login to GHCR if credentials provided |
| 131 | + if [ -n "${{ secrets.GHCR_USERNAME }}" ] && [ -n "${{ secrets.GHCR_TOKEN }}" ]; then |
| 132 | + echo "${{ secrets.GHCR_TOKEN }}" | docker login ghcr.io -u "${{ secrets.GHCR_USERNAME }}" --password-stdin |
| 133 | + fi |
| 134 | + # Ensure docker compose is available |
| 135 | + (docker compose version || docker-compose version) |
| 136 | + # Pull and run |
| 137 | + (docker compose --env-file .env -f docker-compose.yml pull || docker-compose --env-file .env -f docker-compose.yml pull) |
| 138 | + (docker compose --env-file .env -f docker-compose.yml up -d || docker-compose --env-file .env -f docker-compose.yml up -d) |
| 139 | + docker image prune -f || true |
| 140 | + # Basic health checks |
| 141 | + curl -fsS http://localhost:8000/api/health || (echo 'Backend health failed' && exit 1) |
| 142 | + curl -fsS http://localhost:3000/ || (echo 'Frontend health failed' && exit 1) |
0 commit comments