381 lines
18 KiB
YAML
381 lines
18 KiB
YAML
name: Deploy
|
||
|
||
# Forgejo Actions equivalent of .github/workflows/deploy.yml
|
||
# Migration 2026-05-16: GitHub → Forgejo (git.gendsgn.ru)
|
||
# Builds images on Forgejo runner, pushes to ghcr.io (GitHub Container Registry),
|
||
# SSH-deploys to Beget VPS (46.173.16.127).
|
||
on:
|
||
push:
|
||
branches: [main]
|
||
paths:
|
||
- "backend/**"
|
||
- "frontend/**"
|
||
- "docker-compose.prod.yml"
|
||
- "Caddyfile"
|
||
- "caddy/**"
|
||
- ".forgejo/workflows/deploy.yml"
|
||
- "data/sql/**"
|
||
- "ops/glitchtip-auth-forwarder/**"
|
||
workflow_dispatch:
|
||
|
||
concurrency:
|
||
group: deploy-prod
|
||
cancel-in-progress: false
|
||
|
||
env:
|
||
IMAGE_BACKEND: ghcr.io/lekss361/gendesign-backend
|
||
IMAGE_WORKER: ghcr.io/lekss361/gendesign-worker
|
||
IMAGE_FRONTEND: ghcr.io/lekss361/gendesign-frontend
|
||
|
||
jobs:
|
||
changes:
|
||
runs-on: ubuntu-latest
|
||
outputs:
|
||
backend: ${{ steps.filter.outputs.backend }}
|
||
frontend: ${{ steps.filter.outputs.frontend }}
|
||
infra: ${{ steps.filter.outputs.infra }}
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
- uses: dorny/paths-filter@v3
|
||
id: filter
|
||
with:
|
||
filters: |
|
||
backend:
|
||
- 'backend/**'
|
||
- 'data/sql/**'
|
||
frontend:
|
||
- 'frontend/**'
|
||
infra:
|
||
- 'docker-compose.prod.yml'
|
||
- 'Caddyfile'
|
||
- 'caddy/**'
|
||
- '.forgejo/workflows/deploy.yml'
|
||
|
||
build-backend:
|
||
runs-on: ubuntu-latest
|
||
needs: changes
|
||
if: |
|
||
needs.changes.outputs.backend == 'true' ||
|
||
needs.changes.outputs.infra == 'true' ||
|
||
github.event_name == 'workflow_dispatch'
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Login to GHCR (shell-based — docker/login-action@v3 unreliable под Forgejo Actions)
|
||
env:
|
||
GHCR_PAT: ${{ secrets.GHCR_PAT }}
|
||
run: |
|
||
echo "$GHCR_PAT" | docker login ghcr.io -u lekss361 --password-stdin
|
||
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
|
||
- name: Build & push backend (lean — без Chromium)
|
||
uses: docker/build-push-action@v6
|
||
with:
|
||
context: ./backend
|
||
target: runner
|
||
push: true
|
||
cache-from: type=registry,ref=${{ env.IMAGE_BACKEND }}:buildcache
|
||
cache-to: type=registry,ref=${{ env.IMAGE_BACKEND }}:buildcache,mode=max
|
||
tags: |
|
||
${{ env.IMAGE_BACKEND }}:latest
|
||
${{ env.IMAGE_BACKEND }}:${{ github.sha }}
|
||
|
||
build-worker:
|
||
runs-on: ubuntu-latest
|
||
needs: changes
|
||
if: |
|
||
needs.changes.outputs.backend == 'true' ||
|
||
needs.changes.outputs.infra == 'true' ||
|
||
github.event_name == 'workflow_dispatch'
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Login to GHCR (shell-based — docker/login-action@v3 unreliable под Forgejo Actions)
|
||
env:
|
||
GHCR_PAT: ${{ secrets.GHCR_PAT }}
|
||
run: |
|
||
echo "$GHCR_PAT" | docker login ghcr.io -u lekss361 --password-stdin
|
||
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
|
||
- name: Build & push worker (с Chromium для Playwright)
|
||
uses: docker/build-push-action@v6
|
||
with:
|
||
context: ./backend
|
||
target: runner-with-chromium
|
||
push: true
|
||
cache-from: type=registry,ref=${{ env.IMAGE_WORKER }}:buildcache
|
||
cache-to: type=registry,ref=${{ env.IMAGE_WORKER }}:buildcache,mode=max
|
||
tags: |
|
||
${{ env.IMAGE_WORKER }}:latest
|
||
${{ env.IMAGE_WORKER }}:${{ github.sha }}
|
||
|
||
build-frontend:
|
||
runs-on: ubuntu-latest
|
||
needs: changes
|
||
if: |
|
||
needs.changes.outputs.frontend == 'true' ||
|
||
needs.changes.outputs.infra == 'true' ||
|
||
github.event_name == 'workflow_dispatch'
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Login to GHCR (shell-based — docker/login-action@v3 unreliable под Forgejo Actions)
|
||
env:
|
||
GHCR_PAT: ${{ secrets.GHCR_PAT }}
|
||
run: |
|
||
echo "$GHCR_PAT" | docker login ghcr.io -u lekss361 --password-stdin
|
||
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
|
||
- name: Build & push frontend
|
||
uses: docker/build-push-action@v6
|
||
with:
|
||
context: ./frontend
|
||
push: true
|
||
build-args: |
|
||
NEXT_PUBLIC_GLITCHTIP_DSN=${{ secrets.GLITCHTIP_FRONTEND_DSN }}
|
||
NEXT_PUBLIC_ENVIRONMENT=production
|
||
cache-from: type=registry,ref=${{ env.IMAGE_FRONTEND }}:buildcache
|
||
cache-to: type=registry,ref=${{ env.IMAGE_FRONTEND }}:buildcache,mode=max
|
||
tags: |
|
||
${{ env.IMAGE_FRONTEND }}:latest
|
||
${{ env.IMAGE_FRONTEND }}:${{ github.sha }}
|
||
|
||
deploy:
|
||
runs-on: ubuntu-latest
|
||
needs: [changes, build-backend, build-worker, build-frontend]
|
||
if: |
|
||
always() &&
|
||
!cancelled() &&
|
||
needs.build-backend.result != 'failure' &&
|
||
needs.build-worker.result != 'failure' &&
|
||
needs.build-frontend.result != 'failure'
|
||
steps:
|
||
- name: Deploy to VM via SSH
|
||
uses: appleboy/ssh-action@v1.0.3
|
||
env:
|
||
IMAGE_TAG: latest
|
||
SENTRY_RELEASE_VAL: ${{ github.sha }}
|
||
GHCR_PAT: ${{ secrets.GHCR_PAT }}
|
||
GLITCHTIP_BACKEND_DSN: ${{ secrets.GLITCHTIP_BACKEND_DSN }}
|
||
OBJECTIVE_API_KEY: ${{ secrets.OBJECTIVE_API_KEY }}
|
||
# LLM chat (#960/#957): оба UNSET по умолчанию → feature dormant
|
||
# (settings.llm_enabled=False, settings.openai_api_key=None).
|
||
# OPENAI_API_KEY — sensitive → secret. LLM_ENABLED — non-sensitive
|
||
# boolean toggle → actions variable (vars.*).
|
||
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
|
||
LLM_ENABLED: ${{ vars.LLM_ENABLED }}
|
||
# OWN_DEVELOPER_IDS (#1169 §25.3): свои developer_id (companyGroup) для
|
||
# own-portfolio каннибализации. Non-sensitive (публичные id) → actions
|
||
# variable. UNSET → каннибализация отдаёт proxy (фича дормант).
|
||
OWN_DEVELOPER_IDS: ${{ vars.OWN_DEVELOPER_IDS }}
|
||
with:
|
||
host: ${{ secrets.DEPLOY_HOST }}
|
||
username: ${{ secrets.DEPLOY_USER }}
|
||
key: ${{ secrets.DEPLOY_SSH_KEY }}
|
||
port: ${{ secrets.DEPLOY_PORT }}
|
||
envs: IMAGE_TAG,SENTRY_RELEASE_VAL,GHCR_PAT,GLITCHTIP_BACKEND_DSN,OBJECTIVE_API_KEY,OPENAI_API_KEY,LLM_ENABLED,OWN_DEVELOPER_IDS
|
||
script: |
|
||
set -euo pipefail
|
||
cd /opt/gendesign
|
||
|
||
# Sync compose / Caddyfile / init scripts from the repo.
|
||
# Origin теперь Forgejo (после migration 2026-05-16) — HTTPS basic auth
|
||
# через PAT в URL не нужен т.к. repo читается через deploy key (SSH)
|
||
# ИЛИ public read-only mode. Forgejo gendesign — private, нужен auth:
|
||
# `git remote get-url origin` должен указывать на Forgejo с auth.
|
||
git fetch origin main
|
||
git reset --hard origin/main
|
||
|
||
# Re-assert +x on ops scripts (#71). These are committed 100755, so a
|
||
# reset normally preserves the bit — but this is belt-and-suspenders so
|
||
# a script that ever lands as 644 can't silently break its cron caller
|
||
# (cron `30 3 * * * bash /opt/gendesign/ops/backup.sh` is +x-independent,
|
||
# but other callers may invoke the raw path).
|
||
chmod +x ops/*.sh 2>/dev/null || true
|
||
|
||
# Full PDF report bind-source (#2259 PR-D). docker создаёт отсутствующий
|
||
# bind-source как root:root — worker пишет PDF под uid 1000 → PermissionError
|
||
# → вечный «building». Создаём каталог заранее + chown под контейнерный uid.
|
||
# chown под non-root deploy-юзером требует sudo → fallback (|| true — если и
|
||
# sudo нет, каталог уже наш и chown не нужен).
|
||
mkdir -p reports
|
||
chown 1000:1000 reports 2>/dev/null || sudo chown 1000:1000 reports 2>/dev/null || true
|
||
|
||
# Sentry release tracking
|
||
mkdir -p backend
|
||
touch backend/.env.runtime
|
||
if grep -q '^SENTRY_RELEASE=' backend/.env.runtime; then
|
||
sed -i "s|^SENTRY_RELEASE=.*|SENTRY_RELEASE=$SENTRY_RELEASE_VAL|" backend/.env.runtime
|
||
else
|
||
printf 'SENTRY_RELEASE=%s\n' "$SENTRY_RELEASE_VAL" >> backend/.env.runtime
|
||
fi
|
||
|
||
# GlitchTip wiring: убираем legacy SENTRY_DSN (auto-promote-логика в
|
||
# backend/app/core/config.py:_promote_legacy_sentry_dsn раньше брала
|
||
# его и слала события в чужой sentry.io). Устанавливаем GLITCHTIP_DSN
|
||
# из Forgejo secret. Пустой secret = no-op (SDK не инициализируется).
|
||
sed -i '/^SENTRY_DSN=/d' backend/.env.runtime
|
||
if grep -q '^GLITCHTIP_DSN=' backend/.env.runtime; then
|
||
sed -i "s|^GLITCHTIP_DSN=.*|GLITCHTIP_DSN=$GLITCHTIP_BACKEND_DSN|" backend/.env.runtime
|
||
else
|
||
printf 'GLITCHTIP_DSN=%s\n' "$GLITCHTIP_BACKEND_DSN" >> backend/.env.runtime
|
||
fi
|
||
# Objective API key — для live scraper sync_all_groups (issue #307 OBJ-1).
|
||
# Пустой secret = no-op (sync_objective_group skipped с reason=no_api_key).
|
||
if grep -q '^OBJECTIVE_API_KEY=' backend/.env.runtime; then
|
||
sed -i "s|^OBJECTIVE_API_KEY=.*|OBJECTIVE_API_KEY=$OBJECTIVE_API_KEY|" backend/.env.runtime
|
||
else
|
||
printf 'OBJECTIVE_API_KEY=%s\n' "$OBJECTIVE_API_KEY" >> backend/.env.runtime
|
||
fi
|
||
# LLM chat (#960/#957) — OpenAI key + enable toggle. В ОТЛИЧИЕ от
|
||
# OBJECTIVE_API_KEY пишем ТОЛЬКО при non-empty value: если Forgejo
|
||
# secret/var UNSET — ничего не пишем, app держит safe defaults
|
||
# (settings.llm_enabled=False, settings.openai_api_key=None) → feature
|
||
# dormant, без мусорной пустой строки `OPENAI_API_KEY=` в .env.runtime.
|
||
if [ -n "${OPENAI_API_KEY:-}" ]; then
|
||
if grep -q '^OPENAI_API_KEY=' backend/.env.runtime; then
|
||
sed -i "s|^OPENAI_API_KEY=.*|OPENAI_API_KEY=$OPENAI_API_KEY|" backend/.env.runtime
|
||
else
|
||
printf 'OPENAI_API_KEY=%s\n' "$OPENAI_API_KEY" >> backend/.env.runtime
|
||
fi
|
||
fi
|
||
if [ -n "${LLM_ENABLED:-}" ]; then
|
||
if grep -q '^LLM_ENABLED=' backend/.env.runtime; then
|
||
sed -i "s|^LLM_ENABLED=.*|LLM_ENABLED=$LLM_ENABLED|" backend/.env.runtime
|
||
else
|
||
printf 'LLM_ENABLED=%s\n' "$LLM_ENABLED" >> backend/.env.runtime
|
||
fi
|
||
fi
|
||
# OWN_DEVELOPER_IDS (#1169 §25.3 own-portfolio каннибализация). Тоже
|
||
# conditional-on-non-empty: UNSET var → не трогаем (если строка уже есть
|
||
# в .env.runtime — она переживает git reset, .gitignored — остаётся).
|
||
if [ -n "${OWN_DEVELOPER_IDS:-}" ]; then
|
||
if grep -q '^OWN_DEVELOPER_IDS=' backend/.env.runtime; then
|
||
sed -i "s|^OWN_DEVELOPER_IDS=.*|OWN_DEVELOPER_IDS=$OWN_DEVELOPER_IDS|" backend/.env.runtime
|
||
else
|
||
printf 'OWN_DEVELOPER_IDS=%s\n' "$OWN_DEVELOPER_IDS" >> backend/.env.runtime
|
||
fi
|
||
fi
|
||
chmod 600 backend/.env.runtime
|
||
|
||
# External network для Caddy + obsidian-stack share
|
||
docker network inspect gendesign_shared >/dev/null 2>&1 \
|
||
|| docker network create gendesign_shared
|
||
|
||
# Re-login to GHCR (PAT может быть rotated после initial setup)
|
||
echo "$GHCR_PAT" | docker login ghcr.io -u lekss361 --password-stdin
|
||
|
||
export IMAGE_TAG="$IMAGE_TAG"
|
||
docker compose -p gendesign -f docker-compose.prod.yml pull
|
||
|
||
# Apply pending SQL migrations
|
||
set -a; source .env; set +a
|
||
|
||
docker compose -p gendesign -f docker-compose.prod.yml exec -T postgres \
|
||
psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -v ON_ERROR_STOP=on -c "
|
||
CREATE TABLE IF NOT EXISTS _schema_migrations (
|
||
filename TEXT PRIMARY KEY,
|
||
applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
|
||
);
|
||
"
|
||
|
||
for sql_file in $(ls -1 data/sql/*.sql 2>/dev/null | sort); do
|
||
fname=$(basename "$sql_file")
|
||
applied=$(docker compose -p gendesign -f docker-compose.prod.yml exec -T postgres \
|
||
psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -tAc \
|
||
"SELECT COUNT(*) FROM _schema_migrations WHERE filename='$fname'")
|
||
if [ "$applied" = "0" ]; then
|
||
echo "→ Applying migration: $fname"
|
||
docker compose -p gendesign -f docker-compose.prod.yml exec -T postgres \
|
||
psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -v ON_ERROR_STOP=on \
|
||
< "$sql_file" \
|
||
|| { echo "FAILED on migration: $fname"; exit 1; }
|
||
docker compose -p gendesign -f docker-compose.prod.yml exec -T postgres \
|
||
psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c \
|
||
"INSERT INTO _schema_migrations (filename) VALUES ('$fname') ON CONFLICT DO NOTHING;"
|
||
else
|
||
echo "✓ Already applied: $fname"
|
||
fi
|
||
done
|
||
echo "All migrations applied."
|
||
|
||
# Set tradein_fdw_reader password from env (post-migration bootstrap).
|
||
# SQL migration 100_tradein_fdw_role.sql creates role passwordless;
|
||
# password lives only in /opt/gendesign/backend/.env.runtime.
|
||
# See ops/db-bootstrap/set_tradein_fdw_password.sql for the idempotent DO block.
|
||
set -a; source backend/.env.runtime; set +a
|
||
if [ -n "${GENDESIGN_FDW_PASSWORD:-}" ]; then
|
||
echo "→ Applying tradein_fdw_reader password from env"
|
||
docker compose -p gendesign -f docker-compose.prod.yml exec -T postgres \
|
||
psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -v ON_ERROR_STOP=on \
|
||
-v "pw=$GENDESIGN_FDW_PASSWORD" \
|
||
< ops/db-bootstrap/set_tradein_fdw_password.sql
|
||
else
|
||
echo "⚠️ GENDESIGN_FDW_PASSWORD not set in backend/.env.runtime — skipping ALTER ROLE for tradein_fdw_reader"
|
||
fi
|
||
|
||
# Build local-only sidecar images (glitchtip-auth-forwarder).
|
||
# Эти services не в GHCR — сборка происходит на VPS на каждом deploy.
|
||
# Cache-friendly: первый build ~30s, последующие 1-3s если файлы не менялись.
|
||
docker compose -p gendesign -f docker-compose.prod.yml build glitchtip-auth-forwarder
|
||
|
||
docker compose -p gendesign -f docker-compose.prod.yml up -d
|
||
|
||
# Defense: ensure postgres is in gendesign_shared network for tradein FDW.
|
||
# `compose up -d` should detect networks: shared addition and recreate
|
||
# postgres, but in PR #493 deploy/1156 incident the bootstrap step failed
|
||
# earlier so this code path never ran. Plus compose sometimes skips
|
||
# recreate if it thinks config is "compatible enough". Verify explicitly.
|
||
if ! docker inspect gendesign-postgres-1 \
|
||
--format '{{range $k,$v := .NetworkSettings.Networks}}{{$k}} {{end}}' \
|
||
2>/dev/null | grep -q gendesign_shared; then
|
||
echo "⚠️ postgres not in gendesign_shared after compose up — force-recreating"
|
||
docker compose -p gendesign -f docker-compose.prod.yml up -d \
|
||
--force-recreate --no-deps postgres
|
||
# Brief settle window: backend will reconnect after postgres restart.
|
||
sleep 5
|
||
fi
|
||
|
||
# backend/.env.runtime изменения (SENTRY_RELEASE, GLITCHTIP_DSN)
|
||
# требуют --force-recreate — обычный `up -d` не перечитывает env_file
|
||
# если только image не сменился. На deploy где меняется только runtime
|
||
# без backend image change — без этого backend остаётся со старым DSN.
|
||
docker compose -p gendesign -f docker-compose.prod.yml up -d \
|
||
--force-recreate --no-deps backend worker beat
|
||
|
||
# Caddy: force-recreate чтобы подхватить изменения в Caddyfile
|
||
# И в особенности новые volume mounts из docker-compose.prod.yml
|
||
# (`reload` не пересоздаёт container, поэтому новые binds не появляются —
|
||
# был случай 2026-05-17 с PR #268 preview/ — потребовался manual SSH fix).
|
||
docker compose -p gendesign -f docker-compose.prod.yml up -d \
|
||
--force-recreate --no-deps caddy
|
||
|
||
# Forwarder: force-recreate чтобы новый image / новые env подхватывались.
|
||
# Без --force-recreate обычный `up -d` НЕ recreate'ит при image rebuild
|
||
# (т.к. image:latest tag не сменился — docker не видит разницы).
|
||
docker compose -p gendesign -f docker-compose.prod.yml up -d \
|
||
--force-recreate --no-deps glitchtip-auth-forwarder
|
||
|
||
# Cleanup old images
|
||
for repo in ghcr.io/lekss361/gendesign-backend \
|
||
ghcr.io/lekss361/gendesign-worker \
|
||
ghcr.io/lekss361/gendesign-frontend; do
|
||
docker images "$repo" --format '{{.Repository}}:{{.Tag}}' \
|
||
| grep -v ':latest$' \
|
||
| tail -n +3 \
|
||
| xargs -r docker rmi 2>/dev/null || true
|
||
done
|
||
docker image prune -af || true
|
||
docker builder prune -af || true
|
||
|
||
# Health check
|
||
for i in $(seq 1 30); do
|
||
curl -fsS http://localhost:8000/health && break
|
||
sleep 1
|
||
done
|