Skip to content

Commit 77a216a

Browse files
authored
feat(ci): Add deployment workflow for staging and production (#95)
* feat(ci): Add deployment workflow for staging and production - Add deploy.yml workflow with SSH-based deployment - Staging: Auto-deploys on push to main (after tests pass) - Production: Deploys on GitHub releases or manual trigger - Quality gates: Requires test.yml to pass before deployment - Security: Uses ssh-agent for secure key handling - Add workflow_call trigger to test.yml for reusability - Include pre-deployment backups for production - Add health check verification post-deployment Triggers: - Push to main → staging - GitHub Release → production - Manual workflow_dispatch → either Required secrets: HOST, USER, SSH_KEY, PROJECT_PATH * fix(ci): Use PM2 instead of systemd for service management - Replace systemctl commands with PM2 restart/start - Update health check port from 8080 to 14200 (staging backend port) - Add logs directory creation before PM2 start - Support optional ecosystem.production.config.js for production - Add PM2 save after restart to persist process list * feat(ci): Generate .env files from GitHub secrets during deployment - Add environment file creation step for staging and production - Create .env.staging/.env.production from GitHub secrets - Set proper file permissions (600) for security - Document new required secrets: ANTHROPIC_API_KEY, OPENAI_API_KEY, CORS_ORIGINS, API_URL, WS_URL New secrets needed in staging environment: - ANTHROPIC_API_KEY - OPENAI_API_KEY (optional) - CORS_ORIGINS - API_URL - WS_URL * fix(ci): Enable DEBUG and HOT_RELOAD for staging environment * refactor(ci): Pull all env vars from GitHub secrets All environment variables now come from GitHub secrets so they can be configured per-environment (staging vs production) in GitHub settings. Secrets required per environment: - ANTHROPIC_API_KEY, OPENAI_API_KEY - DATABASE_PATH, API_HOST, API_PORT - CORS_ORIGINS, API_URL, WS_URL - LOG_LEVEL, LOG_FILE - ENVIRONMENT, DEBUG, HOT_RELOAD * fix(ci): Use explicit PM2 process names per environment - Staging: ecosystem.staging.config.js, check for codeframe-staging-backend - Production: ecosystem.production.config.js, check for codeframe-production-backend - Use pm2 describe instead of grep for reliable process detection * feat(ci): Improve production backup with retention and compression - Move backups from /tmp to PROJECT_PATH/backups for persistence - Create timestamped compressed tar.gz archives - Include: database, .codeframe configs, .env files, ecosystem configs, logs - Record git commit info in archive - Implement retention policy (keep last 10 backups) - Use atomic operations (create in /tmp, mv to final location) - Set proper permissions (700 dir, 600 archives) - Abort deployment if backup fails - Report backup size and count after completion * fix(ci): Add retry loop to health checks with proper failure handling - Replace one-liner health check with retry loop (12 attempts, 5s apart) - Exit 0 immediately on success - Exit 1 after all attempts fail (fails the workflow) - Show progress on each attempt - Applied to both staging and production deployments * fix(ci): Target specific PM2 processes instead of entire ecosystem - Use pm2 jlist with grep for robust process existence check - Restart individual processes by name when they exist - Start with --only flag when processes don't exist - Handle backend and frontend processes separately - Applied to both staging and production deployments * security(ci): Fix command injection vulnerability in env file creation - Use printf with %s to build env content (no shell interpretation) - Base64 encode content before transfer to prevent injection - Decode safely on remote server - Write to .tmp file first, then atomic mv to final location - Verify file was created and is non-empty before proceeding - Exit with error if creation fails This prevents command injection if secrets contain shell metacharacters like backticks, $(), or other special characters.
1 parent 6274e97 commit 77a216a

3 files changed

Lines changed: 634 additions & 59 deletions

File tree

0 commit comments

Comments
 (0)