Merge pull request 'fix(ci): deploy-tradein paths-filter base = last deployed SHA (накопленный diff, fail-safe build-all)' (#1839) from fix/deploy-tradein-cumulative-base into main
Some checks failed
Deploy Trade-In / changes (push) Successful in 7s
Deploy Trade-In / build-backend (push) Has been cancelled
Deploy Trade-In / build-frontend (push) Has been cancelled
Deploy Trade-In / build-browser (push) Has been cancelled
Deploy Trade-In / deploy (push) Has been cancelled
Deploy Trade-In / test (push) Has been cancelled

Reviewed-on: #1839
This commit is contained in:
lekss361 2026-06-20 14:13:53 +00:00
commit 261f3a33e6

View file

@ -24,16 +24,82 @@ jobs:
changes: changes:
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
backend: ${{ steps.filter.outputs.backend }} backend: ${{ steps.set-all.outputs.backend || steps.filter.outputs.backend }}
frontend: ${{ steps.filter.outputs.frontend }} frontend: ${{ steps.set-all.outputs.frontend || steps.filter.outputs.frontend }}
browser: ${{ steps.filter.outputs.browser }} browser: ${{ steps.set-all.outputs.browser || steps.filter.outputs.browser }}
infra: ${{ steps.filter.outputs.infra }} infra: ${{ steps.set-all.outputs.infra || steps.filter.outputs.infra }}
scraper: ${{ steps.filter.outputs.scraper }} scraper: ${{ steps.set-all.outputs.scraper || steps.filter.outputs.scraper }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with:
fetch-depth: 0
# Resolve base SHA: read last-successfully-deployed SHA from the VPS host file.
# The file is written by the deploy job on every successful deploy.
# Fail-safe: if we cannot read the file, or the SHA is not an ancestor of HEAD,
# we leave DEPLOYED_SHA empty — the next step will then build everything.
- name: Resolve deployed base SHA
id: resolve-base
env:
DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
DEPLOY_PORT: ${{ secrets.DEPLOY_PORT }}
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
# Write SSH key to a temp file
SSH_KEY_FILE=$(mktemp)
echo "$DEPLOY_SSH_KEY" > "$SSH_KEY_FILE"
chmod 600 "$SSH_KEY_FILE"
# Try to read the marker file from the VPS. Suppress errors — if host is
# unreachable or file missing, RAW_SHA will be empty.
RAW_SHA=$(ssh -i "$SSH_KEY_FILE" \
-o StrictHostKeyChecking=no \
-o ConnectTimeout=10 \
-p "${DEPLOY_PORT:-22}" \
"${DEPLOY_USER}@${DEPLOY_HOST}" \
"cat /opt/gendesign/.tradein-deployed-sha 2>/dev/null || true" \
2>/dev/null || true)
RAW_SHA=$(echo "$RAW_SHA" | tr -d '[:space:]')
rm -f "$SSH_KEY_FILE"
# Validate: non-empty, looks like a git SHA, and is an ancestor of HEAD.
DEPLOYED_SHA=""
if [ -n "$RAW_SHA" ] && echo "$RAW_SHA" | grep -qE '^[0-9a-f]{40}$'; then
if git merge-base --is-ancestor "$RAW_SHA" HEAD 2>/dev/null; then
DEPLOYED_SHA="$RAW_SHA"
echo "Resolved deployed base: $DEPLOYED_SHA"
else
echo "WARNING: stored SHA $RAW_SHA is not an ancestor of HEAD — falling back to build-all"
fi
else
echo "No valid deployed SHA found — falling back to build-all"
fi
echo "deployed_sha=$DEPLOYED_SHA" >> "$GITHUB_OUTPUT"
# FAIL-SAFE: if no valid base SHA, emit all=true and skip paths-filter.
# This covers: first run, post-force-push, VPS unreachable, corrupt marker.
# A spurious full build is always safer than a missed build.
- name: Build-all fallback (no base SHA)
id: set-all
if: steps.resolve-base.outputs.deployed_sha == ''
run: |
echo "No base SHA — enabling build-all"
echo "backend=true" >> "$GITHUB_OUTPUT"
echo "frontend=true" >> "$GITHUB_OUTPUT"
echo "browser=true" >> "$GITHUB_OUTPUT"
echo "infra=true" >> "$GITHUB_OUTPUT"
echo "scraper=true" >> "$GITHUB_OUTPUT"
# Cumulative diff: compare deployed SHA → HEAD so that a fast chain of merges
# (e.g. backend #1829 then frontend #1830) doesn't lose earlier changes.
- uses: dorny/paths-filter@v3 - uses: dorny/paths-filter@v3
id: filter id: filter
if: steps.resolve-base.outputs.deployed_sha != ''
with: with:
base: ${{ steps.resolve-base.outputs.deployed_sha }}
filters: | filters: |
backend: backend:
- 'tradein-mvp/backend/**' - 'tradein-mvp/backend/**'
@ -211,12 +277,13 @@ jobs:
IMAGE_TAG: latest IMAGE_TAG: latest
GHCR_PAT: ${{ secrets.GHCR_PAT }} GHCR_PAT: ${{ secrets.GHCR_PAT }}
SCRAPER_CHANGED: ${{ needs.changes.outputs.scraper == 'true' || needs.changes.outputs.infra == 'true' || github.event_name == 'workflow_dispatch' }} SCRAPER_CHANGED: ${{ needs.changes.outputs.scraper == 'true' || needs.changes.outputs.infra == 'true' || github.event_name == 'workflow_dispatch' }}
GITHUB_SHA: ${{ github.sha }}
with: with:
host: ${{ secrets.DEPLOY_HOST }} host: ${{ secrets.DEPLOY_HOST }}
username: ${{ secrets.DEPLOY_USER }} username: ${{ secrets.DEPLOY_USER }}
key: ${{ secrets.DEPLOY_SSH_KEY }} key: ${{ secrets.DEPLOY_SSH_KEY }}
port: ${{ secrets.DEPLOY_PORT }} port: ${{ secrets.DEPLOY_PORT }}
envs: IMAGE_TAG,GHCR_PAT,SCRAPER_CHANGED envs: IMAGE_TAG,GHCR_PAT,SCRAPER_CHANGED,GITHUB_SHA
script: | script: |
set -euo pipefail set -euo pipefail
cd /opt/gendesign cd /opt/gendesign
@ -371,3 +438,9 @@ jobs:
| xargs -r docker rmi 2>/dev/null || true | xargs -r docker rmi 2>/dev/null || true
done done
docker image prune -af || true docker image prune -af || true
# Mark this SHA as successfully deployed.
# Written LAST — only after all of the above completed without error.
# The changes job reads this file on the next run to compute cumulative diff.
echo "$GITHUB_SHA" > /opt/gendesign/.tradein-deployed-sha
echo "→ Deployed SHA marker updated: $GITHUB_SHA"