-
Notifications
You must be signed in to change notification settings - Fork 0
176 lines (145 loc) · 5.69 KB
/
Copy pathdeploy-mirror.yml
File metadata and controls
176 lines (145 loc) · 5.69 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
name: Deploy Mirror
run-name: 'Deploy mirror: ${{ github.sha }}'
concurrency:
group: deploy-mirror
cancel-in-progress: true
on:
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
permissions:
contents: read
packages: write
jobs:
deploy:
name: Deploy Mirror
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 24
- name: Install pnpm
run: corepack enable && corepack prepare pnpm@latest --activate
- name: Install and typecheck
run: |
pnpm install --frozen-lockfile
pnpm typecheck
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
target: production
push: true
provenance: false
sbom: false
cache-from: type=gha
cache-to: type=gha,mode=max
tags: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:mirror-${{ github.sha }}
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:mirror-latest
labels: ${{ steps.meta.outputs.labels }}
- name: Start SSH agent
uses: webfactory/ssh-agent@v0.9.0
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Install sops
run: |
curl -LO https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64
sudo mv sops-v3.9.4.linux.amd64 /usr/local/bin/sops
sudo chmod +x /usr/local/bin/sops
- name: Extract DEPLOY_HOST from env file
id: host
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_SECRET_KEY }}
run: |
set -euo pipefail
DEPLOY_HOST=$(sops -d --input-type dotenv --output-type dotenv .env.dev.enc | grep '^DEPLOY_HOST=' | cut -d= -f2)
if [[ -z "$DEPLOY_HOST" ]]; then
echo "::error::DEPLOY_HOST not found in .env.dev.enc"
exit 1
fi
echo "deploy_host=${DEPLOY_HOST}" >> $GITHUB_OUTPUT
- name: Add known hosts
run: |
mkdir -p ~/.ssh
ssh-keyscan -H "${{ steps.host.outputs.deploy_host }}" >> ~/.ssh/known_hosts 2>/dev/null
- name: Deploy over SSH
env:
SSH_USER: ${{ secrets.SSH_USER }}
DEPLOY_HOST: ${{ steps.host.outputs.deploy_host }}
REPO: ${{ github.repository }}
BRANCH: ${{ github.ref_name }}
GHCR_USER: ${{ secrets.GHCR_USER }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
IMAGE_TAG: mirror-${{ github.sha }}
run: |
ssh "${SSH_USER}@${DEPLOY_HOST}" \
"env GHCR_USER='${GHCR_USER}' GHCR_TOKEN='${GHCR_TOKEN}' IMAGE_TAG='${IMAGE_TAG}' bash -s -- '${REPO}' '${BRANCH}'" <<'EOS'
set -euo pipefail
REPO="${1:?missing repo}"
BRANCH="${2:-main}"
: "${IMAGE_TAG:?missing IMAGE_TAG}"
: "${GHCR_USER:?missing GHCR_USER}"
: "${GHCR_TOKEN:?missing GHCR_TOKEN}"
STACK_NAME="underlay-mirror"
REPO_NAME="${REPO##*/}"
APP_DIR="/srv/${REPO_NAME}-mirror"
REPO_SSH="git@github.com:${REPO}.git"
ssh-keyscan -H github.com >> ~/.ssh/known_hosts 2>/dev/null
chmod 600 ~/.ssh/known_hosts
if [[ ! -d "${APP_DIR}/.git" ]]; then
sudo mkdir -p "${APP_DIR}"
sudo chown -R "$USER:$USER" "${APP_DIR}"
git clone --branch "${BRANCH}" "${REPO_SSH}" "${APP_DIR}"
fi
cd "${APP_DIR}"
git fetch --prune --tags origin
git checkout "${BRANCH}"
git pull origin "${BRANCH}"
# Decrypt prod env to source S3 creds and API keys
umask 077
sops -d --input-type dotenv --output-type dotenv .env.prod.enc > .env
set -a
source <(grep -v '^#' .env | grep -v '^$')
set +a
# Init swarm if not already active
if ! sudo docker info --format '{{.Swarm.LocalNodeState}}' | grep -qx active; then
sudo docker swarm init
fi
echo "$GHCR_TOKEN" | sudo docker login ghcr.io -u "$GHCR_USER" --password-stdin
sudo docker pull "ghcr.io/${REPO}:${IMAGE_TAG}"
# Deploy using docker-compose.yml with mirror config.
# S3 creds and API key are sourced from prod .env above.
sudo env \
IMAGE="ghcr.io/${REPO}" IMAGE_TAG="$IMAGE_TAG" \
PORT=3002 APP_REPLICAS=1 \
UNDERLAY_MODE=mirror \
UNDERLAY_UPSTREAM="${UNDERLAY_UPSTREAM:-https://www.underlay.org}" \
UNDERLAY_NODE_NAME="${UNDERLAY_NODE_NAME:-}" \
S3_ENDPOINT="${S3_ENDPOINT:-}" S3_REGION="${S3_REGION:-auto}" \
S3_ACCESS_KEY="${S3_ACCESS_KEY:-}" S3_SECRET_KEY="${S3_SECRET_KEY:-}" \
S3_BUCKET="${S3_BUCKET:-underlay}" \
UNDERLAY_UPSTREAM_API_KEY="${UNDERLAY_UPSTREAM_API_KEY:-}" \
SESSION_SECRET="$(openssl rand -hex 32)" \
docker stack deploy -c docker-compose.yml \
--with-registry-auth --resolve-image always --prune "${STACK_NAME}"
sudo docker stack services "${STACK_NAME}"
echo "Mirror deployed as ${STACK_NAME} (image: ${IMAGE_TAG})"
EOS