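name: Kit — Verify + Deploy
# Verify on any push/PR that touches packages/kit/**; deploy only from
# main — a push to main, or a manual dispatch run against main (the
# deploy job's `if:` enforces the ref, because `workflow_dispatch` itself
# can be started from any branch). The paths filter keeps this workflow
# off the critical path for unrelated package changes
# (apple/google/gql/docs/libraries).
#
# NOTE(review): every action below is pinned by tag (`@v6`, `@v2`, `@1.6`).
# Tags are mutable, so a compromised upstream can still move them; the
# hard supply-chain guarantee is a full commit SHA (`@<sha>  # vN`). The
# SHAs are deliberately not written here because this file does not
# record them — resolve them from the upstream repos when pinning.
on:
  push:
    branches: [main]
    paths:
      - "packages/kit/**"
      - ".github/workflows/deploy-kit.yml"
      - "bun.lock"
      - "package.json"
  pull_request:
    paths:
      - "packages/kit/**"
      - ".github/workflows/deploy-kit.yml"
      - "bun.lock"
      - "package.json"
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: no step in this file writes back to
# GitHub (no pushes, releases, comments or status updates), so read-only
# is sufficient. The `type=gha` layer cache authenticates with the
# runner-provided cache token rather than GITHUB_TOKEN and is unaffected.
permissions:
  contents: read

jobs:
  verify:
    name: Typecheck + Build (kit)
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: packages/kit
    steps:
      - uses: actions/checkout@v6
        with:
          # Nothing in this job pushes back, so don't leave GITHUB_TOKEN in
          # .git/config: the Docker build below uses the whole workspace as
          # its context, so .git goes into the build unless a .dockerignore
          # excludes it.
          persist-credentials: false
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.13"
      - name: Install dependencies (workspace root)
        working-directory: ${{ github.workspace }}
        run: bun install --frozen-lockfile
      - name: Lint (tsc + eslint)
        run: bun run lint
      - name: Format check
        run: bunx prettier --check "src/**/*.{ts,tsx,css,json}" "server/**/*.ts" "convex/**/*.ts"
      - name: Run tests (convex + server unit tests)
        run: bun run test
      - name: Vite build
        env:
          # Placeholder only — the production URL is injected by the deploy
          # job. verify must not depend on any secret so it remains safe
          # to run on fork PRs, where secrets are not available.
          VITE_KIT_CONVEX_URL: https://placeholder-build-1.convex.cloud
        run: bun run build
      - name: Bun compile server
        run: bun run build:server
      - name: Install Playwright chromium
        # smoke-browser.ts loads the SPA in headless Chromium to catch
        # runtime bundle crashes that HTTP probes miss (see PR #120).
        run: bunx playwright install --with-deps chromium
      - name: Smoke test compiled server
        run: ./scripts/smoke-server.sh
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
      - name: Docker build (PR-level Dockerfile check)
        # The Deploy job below also builds the Docker image, but only on
        # push-to-main. Building here on PRs catches Dockerfile/Bun-image
        # incompatibilities before merge (see PR #119, where bun 1.3.13
        # changed --filter hoisting and broke the per-package COPY).
        # `push: false` — PR runs never publish an image. The gha cache
        # written here is scoped by GitHub to the PR's branch, so (per
        # GitHub's cache-isolation rules) a PR cannot seed layers that a
        # main build would restore.
        uses: docker/build-push-action@v7
        with:
          context: ${{ github.workspace }}
          file: packages/kit/Dockerfile
          push: false
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            VITE_KIT_CONVEX_URL=https://placeholder-build-1.convex.cloud

  deploy:
    name: Deploy openiap-kit to Fly.io
    needs: verify
    # Push events are already limited to main by the trigger above;
    # workflow_dispatch is not, so require the ref explicitly — otherwise
    # anyone with write access could deploy an arbitrary branch to prod.
    if: >-
      github.event_name == 'push' ||
      (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')
    runs-on: ubuntu-latest
    concurrency:
      group: deploy-kit-${{ github.ref }}
      cancel-in-progress: false
    # Lift KIT_CONVEX_DEPLOY_KEY to the job env so step-level `if:` can
    # gate on it. GitHub Actions disallows the `secrets` context in
    # step `if:` expressions; reading it via env is the supported pattern.
    # Trade-off: every step in this job (the third-party setup actions and
    # the flyctl step included) sees the key in its environment, not only
    # the Convex deploy step that actually uses it.
    env:
      KIT_CONVEX_DEPLOY_KEY: ${{ secrets.KIT_CONVEX_DEPLOY_KEY }}
    steps:
      - uses: actions/checkout@v6
        with:
          # This job never pushes to the repo. `flyctl deploy --remote-only`
          # uploads the build context to Fly's remote builder; keeping
          # GITHUB_TOKEN out of .git/config keeps it out of that upload
          # even when no .dockerignore excludes .git.
          persist-credentials: false
      - name: Setup flyctl
        # Pinned to the `1.6` release rather than `@master` so the action
        # can't silently change under us (supply-chain risk — a future
        # compromise of `master` shouldn't wedge our deploy). `1.6` is
        # still a mutable tag, though; see the pinning note at the top.
        uses: superfly/flyctl-actions/setup-flyctl@1.6
      - name: Deploy
        # Deploy from the monorepo root so the Docker build context has
        # the workspace lockfile + every workspace package.json available
        # to `bun install --filter @hyodotdev/openiap-kit`. Without this,
        # `COPY package.json bun.lock ./` in the Dockerfile can't find
        # the lockfile — it lives at root, not under packages/kit/.
        # `shell: bash` selects `bash -eo pipefail`, so a failure inside
        # the sha256sum pipeline below fails the step instead of silently
        # producing an empty cache-bust arg.
        shell: bash
        env:
          FLY_API_TOKEN: ${{ secrets.KIT_FLY_API_TOKEN }}
          VITE_KIT_CONVEX_URL: ${{ secrets.VITE_KIT_CONVEX_URL }}
          VITE_KIT_SENTRY_DSN: ${{ secrets.VITE_KIT_SENTRY_DSN }}
          VITE_KIT_MIXPANEL_TOKEN: ${{ secrets.VITE_KIT_MIXPANEL_TOKEN }}
        run: |
          if [ -z "$FLY_API_TOKEN" ]; then
            echo "::error::KIT_FLY_API_TOKEN secret not set. Add it in repo settings."
            exit 1
          fi
          if [ -z "$VITE_KIT_CONVEX_URL" ]; then
            echo "::error::VITE_KIT_CONVEX_URL secret not set (production Convex URL)."
            exit 1
          fi
          # VITE_KIT_SENTRY_DSN / VITE_KIT_MIXPANEL_TOKEN are optional —
          # if unset, the SPA skips the corresponding analytics init at
          # runtime rather than failing the build.
          # Mixpanel is passed as a BuildKit secret, not an ARG/ENV pair,
          # so Docker's secret-name check does not flag a public SPA token.
          # A short hash of the token is also passed as a build arg purely to
          # bust the layer cache when the token rotates (BuildKit secret values
          # are not part of the cache key).
          # The VITE_* values end up compiled into the client bundle, so
          # their presence on the flyctl command line is not a confidentiality
          # problem; FLY_API_TOKEN is the only real credential in this step
          # and is only ever read from the environment, never echoed.
          BUILD_FLAGS=(
            --build-arg "VITE_KIT_CONVEX_URL=$VITE_KIT_CONVEX_URL"
            --build-arg "VITE_KIT_SENTRY_DSN=$VITE_KIT_SENTRY_DSN"
          )
          if [ -n "$VITE_KIT_MIXPANEL_TOKEN" ]; then
            MIXPANEL_TOKEN_HASH=$(printf '%s' "$VITE_KIT_MIXPANEL_TOKEN" | sha256sum | cut -c1-16)
            BUILD_FLAGS+=(--build-arg "VITE_KIT_MIXPANEL_TOKEN_HASH=$MIXPANEL_TOKEN_HASH")
            BUILD_FLAGS+=(--build-secret "VITE_KIT_MIXPANEL_TOKEN=$VITE_KIT_MIXPANEL_TOKEN")
          fi
          flyctl deploy --remote-only \
            --config packages/kit/fly.toml \
            --dockerfile packages/kit/Dockerfile \
            "${BUILD_FLAGS[@]}"
      - name: Setup Bun (for convex deploy)
        if: ${{ env.KIT_CONVEX_DEPLOY_KEY != '' }}
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.13"
      - name: Deploy Convex functions
        if: ${{ env.KIT_CONVEX_DEPLOY_KEY != '' }}
        working-directory: packages/kit
        env:
          CONVEX_DEPLOY_KEY: ${{ env.KIT_CONVEX_DEPLOY_KEY }}
        run: |
          # Convex deploy needs node_modules; install from monorepo root
          # with --filter so we only pull kit's deps (skip apple/google/docs).
          (cd "$GITHUB_WORKSPACE" && bun install --frozen-lockfile --filter @hyodotdev/openiap-kit)
          bunx convex deploy --yes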