|
| 1 | +name: Deploy |
| 2 | + |
| 3 | +concurrency: |
| 4 | + group: deploy-${{ github.ref }} |
| 5 | + cancel-in-progress: true |
| 6 | + |
| 7 | +on: |
| 8 | + push: |
| 9 | + branches: [ main ] |
| 10 | + workflow_dispatch: |
| 11 | + |
| 12 | +env: |
| 13 | + REGISTRY: ghcr.io |
| 14 | + IMAGE_NAME: ${{ github.repository }} |
| 15 | + |
| 16 | +permissions: |
| 17 | + contents: read |
| 18 | + packages: write |
| 19 | + |
| 20 | +jobs: |
| 21 | + build: |
| 22 | + name: Build & Push Image |
| 23 | + runs-on: ubuntu-latest |
| 24 | + outputs: |
| 25 | + image_tag: ${{ steps.meta.outputs.version }} |
| 26 | + steps: |
| 27 | + - uses: actions/checkout@v4 |
| 28 | + |
| 29 | + - uses: docker/setup-buildx-action@v3 |
| 30 | + |
| 31 | + - uses: docker/login-action@v3 |
| 32 | + with: |
| 33 | + registry: ${{ env.REGISTRY }} |
| 34 | + username: ${{ github.actor }} |
| 35 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 36 | + |
| 37 | + - id: meta |
| 38 | + uses: docker/metadata-action@v5 |
| 39 | + with: |
| 40 | + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} |
| 41 | + tags: | |
| 42 | + type=sha,prefix= |
| 43 | + type=raw,value=latest,enable={{is_default_branch}} |
| 44 | +
|
| 45 | + - uses: docker/build-push-action@v5 |
| 46 | + with: |
| 47 | + context: . |
| 48 | + target: production |
| 49 | + push: true |
| 50 | + tags: ${{ steps.meta.outputs.tags }} |
| 51 | + labels: ${{ steps.meta.outputs.labels }} |
| 52 | + cache-from: type=gha |
| 53 | + cache-to: type=gha,mode=max |
| 54 | + |
| 55 | + deploy: |
| 56 | + name: Deploy |
| 57 | + needs: build |
| 58 | + runs-on: ubuntu-latest |
| 59 | + steps: |
| 60 | + - name: Start SSH agent |
| 61 | + uses: webfactory/ssh-agent@v0.9.0 |
| 62 | + with: |
| 63 | + ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} |
| 64 | + |
| 65 | + - name: Add known hosts |
| 66 | + run: | |
| 67 | + mkdir -p ~/.ssh |
| 68 | + ssh-keyscan -H "${{ secrets.SSH_HOST }}" >> ~/.ssh/known_hosts |
| 69 | +
|
| 70 | + - name: Deploy over SSH |
| 71 | + env: |
| 72 | + SSH_USER: ${{ secrets.SSH_USER }} |
| 73 | + SSH_HOST: ${{ secrets.SSH_HOST }} |
| 74 | + REPO: ${{ github.repository }} |
| 75 | + BRANCH: ${{ github.ref_name }} |
| 76 | + GHCR_USER: ${{ secrets.GHCR_USER }} |
| 77 | + GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} |
| 78 | + IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} |
| 79 | + IMAGE_TAG: ${{ needs.build.outputs.image_tag }} |
| 80 | + ENV_FILE: ${{ vars.ENV_FILE || '.env.enc' }} |
| 81 | + DEPLOY_PATH: ${{ vars.DEPLOY_PATH || '/opt/underlay' }} |
| 82 | + run: | |
| 83 | + ssh "${SSH_USER}@${SSH_HOST}" \ |
| 84 | + "env GHCR_USER='${GHCR_USER}' GHCR_TOKEN='${GHCR_TOKEN}' IMAGE='${IMAGE}' IMAGE_TAG='${IMAGE_TAG}' ENV_FILE='${ENV_FILE}' bash -s -- '${REPO}' '${BRANCH}' '${DEPLOY_PATH}'" <<'EOS' |
| 85 | + set -euo pipefail |
| 86 | +
|
| 87 | + REPO="${1:?missing repo}" |
| 88 | + BRANCH="${2:-main}" |
| 89 | + APP_DIR="${3:-/opt/underlay}" |
| 90 | +
|
| 91 | + : "${IMAGE:?missing IMAGE}" |
| 92 | + : "${IMAGE_TAG:?missing IMAGE_TAG}" |
| 93 | + : "${GHCR_USER:?missing GHCR_USER}" |
| 94 | + : "${GHCR_TOKEN:?missing GHCR_TOKEN}" |
| 95 | +
|
| 96 | + REPO_SSH="git@github.com:${REPO}.git" |
| 97 | +
|
| 98 | + ssh-keyscan -H github.com >> ~/.ssh/known_hosts 2>/dev/null |
| 99 | + chmod 600 ~/.ssh/known_hosts |
| 100 | +
|
| 101 | + if [[ ! -d "${APP_DIR}/.git" ]]; then |
| 102 | + sudo mkdir -p "${APP_DIR}" |
| 103 | + sudo chown -R "$USER:$USER" "${APP_DIR}" |
| 104 | + git clone --branch "${BRANCH}" "${REPO_SSH}" "${APP_DIR}" |
| 105 | + fi |
| 106 | +
|
| 107 | + cd "${APP_DIR}" |
| 108 | + git fetch --prune origin |
| 109 | + git checkout "${BRANCH}" |
| 110 | + git pull origin "${BRANCH}" |
| 111 | +
|
| 112 | + : "${ENV_FILE:?missing ENV_FILE}" |
| 113 | + sops -d --input-type dotenv --output-type dotenv "$ENV_FILE" > .env |
| 114 | +
|
| 115 | + echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin |
| 116 | +
|
| 117 | + export IMAGE IMAGE_TAG |
| 118 | + docker compose pull |
| 119 | + docker compose up -d --remove-orphans |
| 120 | +
|
| 121 | + wait_healthy() { |
| 122 | + local timeout="${1:-120}" |
| 123 | + local end=$((SECONDS + timeout)) |
| 124 | + while (( SECONDS < end )); do |
| 125 | + if ! docker compose ps | grep -qiE 'starting|unhealthy|restarting'; then |
| 126 | + echo "All services running" |
| 127 | + docker compose ps |
| 128 | + return 0 |
| 129 | + fi |
| 130 | + echo "Waiting for services..." |
| 131 | + sleep 5 |
| 132 | + done |
| 133 | + echo "Rollout timeout" |
| 134 | + docker compose ps |
| 135 | + return 1 |
| 136 | + } |
| 137 | + wait_healthy 120 |
| 138 | +
|
| 139 | + docker image prune -a --filter "until=72h" -f |
| 140 | +
|
| 141 | + echo "Deployed to $(hostname)" |
| 142 | + EOS |
0 commit comments