Problem - GlitchTip Issues = 0 за всё время, хотя backend + frontend SDK интегрированы (PR #207, #208). - Старый Sentry.io продолжает получать события — user видит уведомления оттуда. Root cause - frontend/Dockerfile не имеет ARG NEXT_PUBLIC_GLITCHTIP_DSN → `npm run build` бьёт с пустым env var → Next.js инлайнит undefined → SDK init guard `if (dsn)` skips. Chrome-devtools check на prod bundle подтвердил: ни в одном из 9 chunks DSN-строка не запечена; `i.env.NEXT_PUBLIC_GLITCHTIP_DSN` evaluates to undefined. - .forgejo/workflows/deploy.yml build-frontend не передавал build-args. - На VPS backend/.env.runtime содержит legacy SENTRY_DSN=...@sentry.io/... config.py:_promote_legacy_sentry_dsn слепо промоутит его в glitchtip_dsn → SDK шлёт в чужой Sentry. GLITCHTIP_DSN там не задан. - deploy.yml SSH-скрипт никогда не редактировал SENTRY_DSN/GLITCHTIP_DSN в .env.runtime. Solution 1. frontend/Dockerfile: ARG NEXT_PUBLIC_GLITCHTIP_DSN + NEXT_PUBLIC_ENVIRONMENT с пустыми defaults, ENV-mirror перед `npm run build`. Локальный build без build-args работает по-прежнему (no-op DSN). 2. .forgejo/workflows/deploy.yml: - build-frontend: `build-args` передаёт `secrets.GLITCHTIP_FRONTEND_DSN` + NEXT_PUBLIC_ENVIRONMENT=production. Инвалидирует cache → frontend image пересоберётся (expected). - deploy step: GLITCHTIP_BACKEND_DSN через secret, в SSH-скрипте: a) `sed -i '/^SENTRY_DSN=/d' backend/.env.runtime` — снести legacy b) upsert GLITCHTIP_DSN (sed/printf) тем же паттерном что SENTRY_RELEASE c) `compose up -d --force-recreate --no-deps backend worker beat` — обычный `up -d` не перечитывает env_file без image change. 3. backend/app/core/config.py: _promote_legacy_sentry_dsn ужесточён — принимает SENTRY_DSN только если host == errors.gendsgn.ru. Для других URLs (sentry.io) выдаёт UserWarning и НЕ промоутит. Anti-regression на случай если SENTRY_DSN снова окажется в .env.runtime после ручного вмешательства. Required Forgejo secrets (Settings → Actions → Secrets) - GLITCHTIP_BACKEND_DSN = https://3d6e291003e142458957490c83559867@errors.gendsgn.ru/1 - GLITCHTIP_FRONTEND_DSN = https://5d7bc85e300c4e80a8554ccc818ff56d@errors.gendsgn.ru/2 DSNs публичны (видны в browser bundle) — secrets ради build-time injection, не для конфиденциальности. Если secrets не заданы → deploy succeeds, SDK no-op, без регрессии. Test plan - Verify Forgejo deploy.yml зелёный после merge - chrome-devtools: открыть gendsgn.ru → search bundle на DSN string → должна быть запечена строка errors.gendsgn.ru/2 - Trigger frontend error → POST к errors.gendsgn.ru/api/2/envelope/ - Backend: curl на endpoint вызывающий 500 → событие в GlitchTip backend project - GlitchTip dashboard https://errors.gendsgn.ru/gendesign/issues — Issues > 0 References - vault: meta/00_credentials.md (DSNs + incident notes 2026-05-16) - vault: decisions/Dec_GlitchTip_Frontend_Sentry_SDK.md (env contract) - vault: fixes/fixes-MOC.md (#204 backend SDK init)
271 lines
11 KiB
YAML
271 lines
11 KiB
YAML
name: Deploy
|
||
|
||
# Forgejo Actions equivalent of .github/workflows/deploy.yml
|
||
# Migration 2026-05-16: GitHub → Forgejo (git.gendsgn.ru)
|
||
# Builds images on Forgejo runner, pushes to ghcr.io (GitHub Container Registry),
|
||
# SSH-deploys to Beget VPS (46.173.16.127).
|
||
on:
|
||
push:
|
||
branches: [main]
|
||
paths:
|
||
- "backend/**"
|
||
- "frontend/**"
|
||
- "docker-compose.prod.yml"
|
||
- "Caddyfile"
|
||
- ".forgejo/workflows/deploy.yml"
|
||
- "data/sql/*.sql"
|
||
workflow_dispatch:
|
||
|
||
concurrency:
|
||
group: deploy-prod
|
||
cancel-in-progress: false
|
||
|
||
env:
|
||
IMAGE_BACKEND: ghcr.io/lekss361/gendesign-backend
|
||
IMAGE_WORKER: ghcr.io/lekss361/gendesign-worker
|
||
IMAGE_FRONTEND: ghcr.io/lekss361/gendesign-frontend
|
||
|
||
jobs:
|
||
changes:
|
||
runs-on: ubuntu-latest
|
||
outputs:
|
||
backend: ${{ steps.filter.outputs.backend }}
|
||
frontend: ${{ steps.filter.outputs.frontend }}
|
||
infra: ${{ steps.filter.outputs.infra }}
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
- uses: dorny/paths-filter@v3
|
||
id: filter
|
||
with:
|
||
filters: |
|
||
backend:
|
||
- 'backend/**'
|
||
- 'data/sql/**'
|
||
frontend:
|
||
- 'frontend/**'
|
||
infra:
|
||
- 'docker-compose.prod.yml'
|
||
- 'Caddyfile'
|
||
- '.forgejo/workflows/deploy.yml'
|
||
|
||
build-backend:
|
||
runs-on: ubuntu-latest
|
||
needs: changes
|
||
if: |
|
||
needs.changes.outputs.backend == 'true' ||
|
||
needs.changes.outputs.infra == 'true' ||
|
||
github.event_name == 'workflow_dispatch'
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Login to GHCR (shell-based — docker/login-action@v3 unreliable под Forgejo Actions)
|
||
env:
|
||
GHCR_PAT: ${{ secrets.GHCR_PAT }}
|
||
run: |
|
||
echo "$GHCR_PAT" | docker login ghcr.io -u lekss361 --password-stdin
|
||
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
|
||
- name: Build & push backend (lean — без Chromium)
|
||
uses: docker/build-push-action@v6
|
||
with:
|
||
context: ./backend
|
||
target: runner
|
||
push: true
|
||
cache-from: type=registry,ref=${{ env.IMAGE_BACKEND }}:buildcache
|
||
cache-to: type=registry,ref=${{ env.IMAGE_BACKEND }}:buildcache,mode=max
|
||
tags: |
|
||
${{ env.IMAGE_BACKEND }}:latest
|
||
${{ env.IMAGE_BACKEND }}:${{ github.sha }}
|
||
|
||
build-worker:
|
||
runs-on: ubuntu-latest
|
||
needs: changes
|
||
if: |
|
||
needs.changes.outputs.backend == 'true' ||
|
||
needs.changes.outputs.infra == 'true' ||
|
||
github.event_name == 'workflow_dispatch'
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Login to GHCR (shell-based — docker/login-action@v3 unreliable под Forgejo Actions)
|
||
env:
|
||
GHCR_PAT: ${{ secrets.GHCR_PAT }}
|
||
run: |
|
||
echo "$GHCR_PAT" | docker login ghcr.io -u lekss361 --password-stdin
|
||
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
|
||
- name: Build & push worker (с Chromium для Playwright)
|
||
uses: docker/build-push-action@v6
|
||
with:
|
||
context: ./backend
|
||
target: runner-with-chromium
|
||
push: true
|
||
cache-from: type=registry,ref=${{ env.IMAGE_WORKER }}:buildcache
|
||
cache-to: type=registry,ref=${{ env.IMAGE_WORKER }}:buildcache,mode=max
|
||
tags: |
|
||
${{ env.IMAGE_WORKER }}:latest
|
||
${{ env.IMAGE_WORKER }}:${{ github.sha }}
|
||
|
||
build-frontend:
|
||
runs-on: ubuntu-latest
|
||
needs: changes
|
||
if: |
|
||
needs.changes.outputs.frontend == 'true' ||
|
||
needs.changes.outputs.infra == 'true' ||
|
||
github.event_name == 'workflow_dispatch'
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Login to GHCR (shell-based — docker/login-action@v3 unreliable под Forgejo Actions)
|
||
env:
|
||
GHCR_PAT: ${{ secrets.GHCR_PAT }}
|
||
run: |
|
||
echo "$GHCR_PAT" | docker login ghcr.io -u lekss361 --password-stdin
|
||
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
|
||
- name: Build & push frontend
|
||
uses: docker/build-push-action@v6
|
||
with:
|
||
context: ./frontend
|
||
push: true
|
||
build-args: |
|
||
NEXT_PUBLIC_GLITCHTIP_DSN=${{ secrets.GLITCHTIP_FRONTEND_DSN }}
|
||
NEXT_PUBLIC_ENVIRONMENT=production
|
||
cache-from: type=registry,ref=${{ env.IMAGE_FRONTEND }}:buildcache
|
||
cache-to: type=registry,ref=${{ env.IMAGE_FRONTEND }}:buildcache,mode=max
|
||
tags: |
|
||
${{ env.IMAGE_FRONTEND }}:latest
|
||
${{ env.IMAGE_FRONTEND }}:${{ github.sha }}
|
||
|
||
deploy:
|
||
runs-on: ubuntu-latest
|
||
needs: [changes, build-backend, build-worker, build-frontend]
|
||
if: |
|
||
always() &&
|
||
!cancelled() &&
|
||
needs.build-backend.result != 'failure' &&
|
||
needs.build-worker.result != 'failure' &&
|
||
needs.build-frontend.result != 'failure'
|
||
steps:
|
||
- name: Deploy to VM via SSH
|
||
uses: appleboy/ssh-action@v1.0.3
|
||
env:
|
||
IMAGE_TAG: latest
|
||
SENTRY_RELEASE_VAL: ${{ github.sha }}
|
||
GHCR_PAT: ${{ secrets.GHCR_PAT }}
|
||
GLITCHTIP_BACKEND_DSN: ${{ secrets.GLITCHTIP_BACKEND_DSN }}
|
||
with:
|
||
host: ${{ secrets.DEPLOY_HOST }}
|
||
username: ${{ secrets.DEPLOY_USER }}
|
||
key: ${{ secrets.DEPLOY_SSH_KEY }}
|
||
port: ${{ secrets.DEPLOY_PORT }}
|
||
envs: IMAGE_TAG,SENTRY_RELEASE_VAL,GHCR_PAT,GLITCHTIP_BACKEND_DSN
|
||
script: |
|
||
set -euo pipefail
|
||
cd /opt/gendesign
|
||
|
||
# Sync compose / Caddyfile / init scripts from the repo.
|
||
# Origin теперь Forgejo (после migration 2026-05-16) — HTTPS basic auth
|
||
# через PAT в URL не нужен т.к. repo читается через deploy key (SSH)
|
||
# ИЛИ public read-only mode. Forgejo gendesign — private, нужен auth:
|
||
# `git remote get-url origin` должен указывать на Forgejo с auth.
|
||
git fetch origin main
|
||
git reset --hard origin/main
|
||
|
||
# Sentry release tracking
|
||
mkdir -p backend
|
||
touch backend/.env.runtime
|
||
if grep -q '^SENTRY_RELEASE=' backend/.env.runtime; then
|
||
sed -i "s|^SENTRY_RELEASE=.*|SENTRY_RELEASE=$SENTRY_RELEASE_VAL|" backend/.env.runtime
|
||
else
|
||
printf 'SENTRY_RELEASE=%s\n' "$SENTRY_RELEASE_VAL" >> backend/.env.runtime
|
||
fi
|
||
|
||
# GlitchTip wiring: убираем legacy SENTRY_DSN (auto-promote-логика в
|
||
# backend/app/core/config.py:_promote_legacy_sentry_dsn раньше брала
|
||
# его и слала события в чужой sentry.io). Устанавливаем GLITCHTIP_DSN
|
||
# из Forgejo secret. Пустой secret = no-op (SDK не инициализируется).
|
||
sed -i '/^SENTRY_DSN=/d' backend/.env.runtime
|
||
if grep -q '^GLITCHTIP_DSN=' backend/.env.runtime; then
|
||
sed -i "s|^GLITCHTIP_DSN=.*|GLITCHTIP_DSN=$GLITCHTIP_BACKEND_DSN|" backend/.env.runtime
|
||
else
|
||
printf 'GLITCHTIP_DSN=%s\n' "$GLITCHTIP_BACKEND_DSN" >> backend/.env.runtime
|
||
fi
|
||
chmod 600 backend/.env.runtime
|
||
|
||
# External network для Caddy + obsidian-stack share
|
||
docker network inspect gendesign_shared >/dev/null 2>&1 \
|
||
|| docker network create gendesign_shared
|
||
|
||
# Re-login to GHCR (PAT может быть rotated после initial setup)
|
||
echo "$GHCR_PAT" | docker login ghcr.io -u lekss361 --password-stdin
|
||
|
||
export IMAGE_TAG="$IMAGE_TAG"
|
||
docker compose -p gendesign -f docker-compose.prod.yml pull
|
||
|
||
# Apply pending SQL migrations
|
||
set -a; source .env; set +a
|
||
|
||
docker compose -p gendesign -f docker-compose.prod.yml exec -T postgres \
|
||
psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -v ON_ERROR_STOP=on -c "
|
||
CREATE TABLE IF NOT EXISTS _schema_migrations (
|
||
filename TEXT PRIMARY KEY,
|
||
applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
|
||
);
|
||
"
|
||
|
||
for sql_file in $(ls -1 data/sql/*.sql 2>/dev/null | sort); do
|
||
fname=$(basename "$sql_file")
|
||
applied=$(docker compose -p gendesign -f docker-compose.prod.yml exec -T postgres \
|
||
psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -tAc \
|
||
"SELECT COUNT(*) FROM _schema_migrations WHERE filename='$fname'")
|
||
if [ "$applied" = "0" ]; then
|
||
echo "→ Applying migration: $fname"
|
||
docker compose -p gendesign -f docker-compose.prod.yml exec -T postgres \
|
||
psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -v ON_ERROR_STOP=on \
|
||
< "$sql_file" \
|
||
|| { echo "FAILED on migration: $fname"; exit 1; }
|
||
docker compose -p gendesign -f docker-compose.prod.yml exec -T postgres \
|
||
psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c \
|
||
"INSERT INTO _schema_migrations (filename) VALUES ('$fname') ON CONFLICT DO NOTHING;"
|
||
else
|
||
echo "✓ Already applied: $fname"
|
||
fi
|
||
done
|
||
echo "All migrations applied."
|
||
|
||
docker compose -p gendesign -f docker-compose.prod.yml up -d
|
||
|
||
# backend/.env.runtime изменения (SENTRY_RELEASE, GLITCHTIP_DSN)
|
||
# требуют --force-recreate — обычный `up -d` не перечитывает env_file
|
||
# если только image не сменился. На deploy где меняется только runtime
|
||
# без backend image change — без этого backend остаётся со старым DSN.
|
||
docker compose -p gendesign -f docker-compose.prod.yml up -d \
|
||
--force-recreate --no-deps backend worker beat
|
||
|
||
docker compose -p gendesign -f docker-compose.prod.yml exec -T caddy \
|
||
caddy reload --config /etc/caddy/Caddyfile || true
|
||
|
||
# Cleanup old images
|
||
for repo in ghcr.io/lekss361/gendesign-backend \
|
||
ghcr.io/lekss361/gendesign-worker \
|
||
ghcr.io/lekss361/gendesign-frontend; do
|
||
docker images "$repo" --format '{{.Repository}}:{{.Tag}}' \
|
||
| grep -v ':latest$' \
|
||
| tail -n +3 \
|
||
| xargs -r docker rmi 2>/dev/null || true
|
||
done
|
||
docker image prune -af || true
|
||
docker builder prune -af || true
|
||
|
||
# Health check
|
||
for i in $(seq 1 30); do
|
||
curl -fsS http://localhost:8000/health && break
|
||
sleep 1
|
||
done
|