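---
# Deploys the application to the production host over Tailscale SSH once the
# backend/frontend container images for this commit have been built.
#
# NOTE(review): the third-party actions below (dorny/paths-filter,
# lewagon/wait-on-check-action, tailscale/github-action) are pinned to tags;
# pinning to a full commit SHA (with the version in a trailing comment) is the
# stronger supply-chain control.
name: Deploy via Tailscale

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  workflow_dispatch:

# Serialise deploys: a new run waits for the one in flight instead of
# cancelling it.
concurrency:
  group: deploy-main
  cancel-in-progress: false

env:
  # Directory on the production host that holds the compose project.
  DEPLOY_DIR: /opt/banktracker/BankTrackerGraphQL

jobs:
  detect-changes:
    name: Detect Changed Files
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      backend: ${{ steps.filter.outputs.backend }}
      frontend: ${{ steps.filter.outputs.frontend }}
      # True when anything that requires a redeploy changed: either image's
      # sources/workflow, or the compose files.
      has_app_changes: ${{ steps.filter.outputs.backend == 'true' || steps.filter.outputs.frontend == 'true' || steps.filter.outputs.compose == 'true' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v5

      - name: Check for file changes
        uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            backend:
              - 'PhantomDave.BankTracking.Api/**'
              - 'PhantomDave.BankTracking.Data/**'
              - 'PhantomDave.BankTracking.Library/**'
              - 'Dockerfile'
              - '.github/workflows/build-backend-image.yml'
            frontend:
              - 'frontend/**'
              - '.github/workflows/build-frontend-image.yml'
            compose:
              - 'compose.yaml'
              - 'compose.local.yaml'

  wait-for-backend:
    name: Wait for Backend Image
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.backend == 'true'
    permissions:
      actions: read
    steps:
      - name: Wait for backend image build
        uses: lewagon/wait-on-check-action@v1.4.1
        with:
          ref: ${{ github.sha }}
          check-name: 'Build and Push Backend Container'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 10
          running-workflow-name: 'Deploy via Tailscale'

  wait-for-frontend:
    name: Wait for Frontend Image
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.frontend == 'true'
    permissions:
      actions: read
    steps:
      - name: Wait for frontend image build
        uses: lewagon/wait-on-check-action@v1.4.1
        with:
          ref: ${{ github.sha }}
          check-name: 'Build and Push Frontend Container'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 10
          running-workflow-name: 'Deploy via Tailscale'

  deploy:
    name: Deploy to Production
    runs-on: ubuntu-latest
    needs: [detect-changes, wait-for-backend, wait-for-frontend]
    # Run when each wait job either succeeded or was skipped (that component
    # did not change), but never after a failure or a cancellation.
    if: |
      always() && !cancelled() &&
      !contains(needs.*.result, 'failure') &&
      (needs.detect-changes.outputs.has_app_changes == 'true') &&
      (needs.wait-for-backend.result == 'success' || needs.wait-for-backend.result == 'skipped') &&
      (needs.wait-for-frontend.result == 'success' || needs.wait-for-frontend.result == 'skipped')
    permissions:
      contents: read
      packages: read  # GITHUB_TOKEN is used on the host to pull from ghcr.io
    env:
      # Secret-derived values reach the shell as environment variables instead
      # of being interpolated with ${{ }} into `run:` scripts, so they are never
      # part of the script text that is rendered into the shell.
      SSH_TARGET: ${{ secrets.TAILSCALE_SSH_TARGET }}
    steps:
      - name: Checkout
        uses: actions/checkout@v5

      # Fail fast on a missing target before joining the tailnet.
      - name: Check SSH target is configured
        run: |
          if [[ -z "$SSH_TARGET" ]]; then
            echo "::error::TAILSCALE_SSH_TARGET secret is not set"
            exit 1
          fi

      - name: Connect to Tailscale
        uses: tailscale/github-action@v4
        with:
          oauth-client-id: ${{ secrets.TAILSCALE_OAUTH_CLIENTID }}
          oauth-secret: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
          tags: tag:ci
          hostname: banktracker-ci-${{ github.run_id }}

      - name: Test connectivity
        run: |
          tailscale ssh "$SSH_TARGET" "echo 'Connected'"

      - name: Log in to GitHub Container Registry
        id: login
        env:
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$GHCR_TOKEN" | tailscale ssh "$SSH_TARGET" \
            "docker login ghcr.io -u $GHCR_USER --password-stdin"

      - name: Clean up old Docker images
        run: |
          tailscale ssh "$SSH_TARGET" \
            "docker system prune -af --filter 'until=24h'"

      - name: Pull latest images
        run: |
          tailscale ssh "$SSH_TARGET" \
            "cd $DEPLOY_DIR && docker compose pull"

      # NOTE(review): `down` followed by `up` stops every service before the
      # new containers start, so each deploy has a short outage; confirm a full
      # stop is required rather than `docker compose up -d --wait` recreating
      # only the changed services.
      - name: Deploy all services
        run: |
          tailscale ssh "$SSH_TARGET" \
            "cd $DEPLOY_DIR && docker compose down && docker compose up -d --wait"

      - name: Verify deployment
        run: |
          tailscale ssh "$SSH_TARGET" "cd $DEPLOY_DIR && docker compose ps"

      # Remove the (job-scoped) token from the host's Docker credential store
      # even if a later step failed; skipped when the login itself never ran.
      - name: Log out of GitHub Container Registry
        if: always() && steps.login.outcome == 'success'
        run: |
          tailscale ssh "$SSH_TARGET" "docker logout ghcr.io"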