feat(CD): 👷 Continuous delivery (#27)

* 👷 Add Dockerfile and Compose configuration for containerized setup

* 👷 Add workflow to build and push Docker images

* 👷 Add deployment workflow for Coolify integration

* 👷 Set explicit permissions for GitHub workflows

* 💚 Fix Coolify deployment workflow

* 👷 Update permissions for GitHub workflows

Author: Paillat-dev

.github/workflows/CI.yml

@@ -12,4 +12,21 @@ concurrency:
 
 jobs:
   quality:
+    permissions:
+      contents: read
     uses: ./.github/workflows/quality.yml
+  docker:
+    needs: quality
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    uses: ./.github/workflows/docker.yml
+  deploy:
+    permissions: {}
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    needs: docker
+    uses: ./.github/workflows/deploy.yml
+    secrets:
+      COOLIFY_WEBHOOK: ${{ secrets.COOLIFY_WEBHOOK }}
+      COOLIFY_TOKEN: ${{ secrets.COOLIFY_TOKEN }}

.github/workflows/autofix.yml

@@ -9,6 +9,8 @@ permissions:
 
 jobs:
   autofix:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

.github/workflows/deploy.yml

@@ -0,0 +1,20 @@
+name: deploy.yml
+on:
+  workflow_call:
+    secrets:
+      COOLIFY_WEBHOOK:
+        required: true
+      COOLIFY_TOKEN:
+        required: true
+
+permissions: {}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: coolify
+    name: Deploy to Coolify
+    steps:
+    - name: Deploy
+      run: |
+       curl --request GET '${{ secrets.COOLIFY_WEBHOOK }}' --header 'Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}'

.github/workflows/docker.yml

@@ -0,0 +1,54 @@
+name: Build and Push Docker Image
+
+on: workflow_call
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=ref,event=tag
+            type=sha
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/quality.yml

@@ -4,6 +4,9 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   quality:
     runs-on: ubuntu-latest

Dockerfile

@@ -0,0 +1,31 @@
+ARG PYTHON_VERSION=3.13
+FROM python:${PYTHON_VERSION}-slim-bookworm AS python-base
+
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+
+RUN pip install uv
+
+WORKDIR /app
+COPY pyproject.toml uv.lock ./
+
+ENV UV_NO_DEV=1
+RUN uv export -o requirements.txt
+
+FROM python:${PYTHON_VERSION}-bookworm AS app
+
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+
+WORKDIR /app
+
+RUN adduser -u 8192 --disabled-password --gecos "" appuser && chown -R appuser /app
+
+COPY --from=python-base --chown=appuser /app/requirements.txt ./
+COPY LICENSE ./
+RUN pip install -r requirements.txt
+
+COPY src/ ./src
+USER appuser
+
+CMD ["python", "-m", "src"]

compose.yaml

@@ -0,0 +1,4 @@
+services:
+  bot:
+    build: .
+    env_file: .env