You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Enhance Slack integration and database backup workflows (#21)
* Update documentation and workflows for improved Slack integration and database backups
* Enhance database backup workflow and documentation with unique object keys and improved restore instructions
* Improve database backup workflow by adding an EXIT trap to remove temporary dump files on failure; update documentation for clarity on backup processes.
Copy file name to clipboardExpand all lines: CHANGELOG.md
+6Lines changed: 6 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,8 +9,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
9
9
10
10
### Added
11
11
12
+
- Post the same Slack **status** summary as the interactive command to `NOTIFICATION_CHANNEL` once when the process starts (when that channel is configured).
12
13
- Open-source hygiene: contributing guide, security policy, code of conduct, onboarding and handoff docs, pre-commit (Ruff), GitHub issue templates, Dependabot, CodeQL, CODEOWNERS template, and `.gitattributes`.
13
14
15
+
### Changed
16
+
17
+
- Documentation: deployment URLs (Slack Request URL behind nginx `/paperscout/`), clone URL in server setup, staging-style placeholders.
18
+
-`db-backup.yml`: matrix parallel backups for `staging` / `production` using environment-level SSH secrets; uploads under `gs://insights-db-backups/paperscout/<environment>/` with unique temp files and object keys (UTC timestamp + `run_id` + `run_attempt` + environment); `EXIT` trap removes temp dump on failure. `SERVER_SETUP` restore examples updated (`--no-owner`, listing/copy by object name).
Copy file name to clipboardExpand all lines: README.md
+12-10Lines changed: 12 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -113,15 +113,17 @@ python -m paperscout
113
113
Once the scout is running and reachable at a public URL:
114
114
115
115
1. Go back to **Event Subscriptions** in the Slack app config
116
-
2. Set **Request URL** to `https://your-server.com/slack/events`
117
-
3. Slack will send a challenge request -- the scout responds automatically
116
+
2. Set **Request URL** depending on how traffic reaches Bolt:
117
+
-**Reverse proxy (recommended for production/staging):** If nginx terminates TLS and proxies under a path prefix (see [`deploy/paperscout.conf`](deploy/paperscout.conf)), Slack must use that prefix. Example: `https://your-domain.example.org/paperscout/slack/events` — not `https://your-domain.example.org/slack/events`.
118
+
-**Direct to the app (local dev or ngrok without nginx):** Bolt serves `/slack/events` at the container root. Example: `https://staging.example.org/slack/events` or `https://abc123.ngrok-free.app/slack/events`.
119
+
3. Slack will send a challenge request — the scout responds automatically
118
120
4. Click **Save Changes**
119
121
120
-
For local testing with ngrok:
122
+
For local testing with ngrok (traffic straight to `PORT`, no path prefix):
121
123
122
124
```bash
123
125
ngrok http 3000
124
-
# Use the ngrok URL: https://abc123.ngrok.io/slack/events
See [`deploy/SERVER_SETUP.md`](deploy/SERVER_SETUP.md) for the full Ubuntu 22.04 provisioning guide, and [`.github/workflows/cd.yml`](.github/workflows/cd.yml) for the CD pipeline.
193
195
194
-
Database backups run daily via [`.github/workflows/db-backup.yml`](.github/workflows/db-backup.yml), uploading `pg_dump` snapshots to Google Cloud Storage.
196
+
Database backups run daily via [`.github/workflows/db-backup.yml`](.github/workflows/db-backup.yml): **matrix jobs** for **`staging`** and **`production`** run **in parallel**, each using that **GitHub Environment’s** SSH secrets (same names as CD: `SERVER_HOST`, `SERVER_USER`, `SERVER_SSH_KEY`, optional `SERVER_PORT`). Dumps are uploaded to **`gs://insights-db-backups/paperscout/<environment>/`** so staging and production stay under the shared **`paperscout`** prefix in the bucket.
195
197
196
198
## Scout Commands
197
199
@@ -331,7 +333,7 @@ paperscout/
331
333
.github/workflows/
332
334
ci.yml Test matrix on push/PR to main
333
335
cd.yml SSH deploy (git pull + build) on push to main
334
-
db-backup.yml Daily pg_dump to Google Cloud Storage
336
+
db-backup.yml Matrix pg_dump (staging + production) to GCS insights-db-backups/paperscout/<env>/
335
337
```
336
338
337
339
### PostgreSQL Schema
@@ -453,8 +455,8 @@ A `concurrency` group keyed by branch prevents overlapping deploys to the same e
453
455
454
456
The `.github/workflows/db-backup.yml` workflow runs daily at 3 AM UTC (and supports manual dispatch):
455
457
456
-
1.SSHes into the server and runs `pg_dump` on the host's PostgreSQL
457
-
2.Uploads the dump to Google Cloud Storage (`gs://paperscout-backups/`)
458
-
3.Old backups are auto-pruned by a GCS lifecycle rule (30 days)
458
+
1.Runs **two jobs in parallel** (matrix: `staging`, `production`), each bound to the matching **GitHub Environment** so SSH secrets match that tier’s server (same secret names as CD).
459
+
2.On each host, runs `pg_dump` and uploads to **`gs://insights-db-backups/paperscout/<environment>/`**, using object keys that include UTC time plus the GitHub Actions run id so backups do not collide on reruns.
460
+
3.Configure lifecycle rules on the bucket/prefixes as needed (for example, pruning objects older than 30 days).
459
461
460
-
CD secrets and variables are configured per **GitHub Environment** (`production` and `staging`); see the table in [Deployment](#deployment). Other secrets (e.g. database backups) are documented in [`deploy/SERVER_SETUP.md`](deploy/SERVER_SETUP.md#9-github-secrets-checklist).
462
+
SSH credentials for backups live under **each environment** (`staging`, `production`), not at the repository level — parallel to [Deployment](#deployment). See [`deploy/SERVER_SETUP.md`](deploy/SERVER_SETUP.md#9-github-secrets-and-environments).
If you use a **separate** staging deployment (second clone path and GitHub Environment `staging`), typical placeholders are:
232
+
233
+
- TLS / DNS: `sudo certbot --nginx -d staging.example.org` (replace with your real staging hostname when provisioning).
234
+
- Health check on the staging machine after mapping ports (see README CD table): `curl -sf http://localhost:9102/health` — use whatever port your staging compose publishes for health instead of `9102` if different.
235
+
- Slack **Request URL** when nginx proxies under `/paperscout/`: `https://staging.example.org/paperscout/slack/events`.
236
+
225
237
---
226
238
227
239
## 7. Restoring from a GCS backup (optional)
228
240
229
241
If migrating from another server with an existing database:
Object keys include the workflow run id so same-day reruns do not overwrite objects; each matrix job uses its own temp file on the host.
248
263
249
264
---
250
265
251
-
## 9. GitHub Secrets checklist
266
+
## 9. GitHub secrets and environments
267
+
268
+
**Continuous deployment** (`cd.yml`) and **database backups** (`db-backup.yml`)
269
+
both use the **`staging`** and **`production`** GitHub Environments. Configure the **same SSH secret names** in each environment (values differ per server):
252
270
253
-
Configure these in the repo under **Settings → Secrets and variables → Actions**:
|`SERVER_SSH_KEY`| Private SSH key for the deploy user |
260
-
|`SERVER_PORT`| SSH port (optional, defaults to 22) |
278
+
CD also uses **environment Variables** (`DEPLOY_PATH`, `DEPLOY_BRANCH`, `HEALTH_PORT`) — see the README Deployment table. Backup jobs only need the secrets above.
261
279
262
280
`GITHUB_TOKEN` is provided automatically by GitHub Actions.
263
-
GCS authentication uses the VM's service account — no extra secrets needed.
281
+
GCS uploads use the VM's service account (`gsutil`) — ensure each server can write to `gs://insights-db-backups/paperscout/<environment>/`.
Copy file name to clipboardExpand all lines: docs/onboarding.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -99,7 +99,7 @@ python -m paperscout
99
99
-**Slack HTTP app** listens on `PORT` (default **3000**).
100
100
-**Health** endpoint listens on `health_port` from settings (default **8080**) — `GET /health`.
101
101
102
-
For Slack Event Subscriptions you need a public URL (e.g. ngrok); see [README](../README.md#7-set-the-request-url).
102
+
For Slack Event Subscriptions you need a public URL (e.g. ngrok). With nginx and a `/paperscout/` prefix, the Request URL must include that path; see [README — Set the Request URL](../README.md#7-set-the-request-url).
0 commit comments