-
Notifications
You must be signed in to change notification settings - Fork 0
331 lines (309 loc) · 16.1 KB
/
deploy.yml
File metadata and controls
331 lines (309 loc) · 16.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
# ─────────────────────────────────────────────────────────────────────────────
# Deploy Workflow — VPS & AWS
# ─────────────────────────────────────────────────────────────────────────────
#
# PURPOSE
# ────────
# Builds Docker images, pushes them to GitHub Container Registry (GHCR), then
# deploys to the chosen environment via SSH (VPS) or ECS (AWS).
#
# This workflow is designed for:
# - Any Linux VPS with Docker installed (Hostinger, Hetzner, DigitalOcean, etc.)
# - AWS EC2 instances running Docker Compose
# - AWS ECS/Fargate (see the commented AWS ECS jobs at the bottom)
#
# NOT needed for:
# - Railway → uses its own native Git-push deploy pipeline
# - Render → uses its own native deploy hooks
# - Fly.io → uses `flyctl deploy` (add a separate fly.yml if needed)
#
# ── TRIGGER ────────────────────────────────────────────────────────────────────
# Auto-deploy on push is intentionally DISABLED.
# This workflow is triggered manually (workflow_dispatch) only.
#
# To enable auto-deploy on push, uncomment the `push` block below:
# on:
# push:
# branches:
# - main # → triggers production deploy
# - staging # → triggers staging deploy
# ─────────────────────────────────────────────────────────────────────────────
name: Deploy
on:
workflow_dispatch:
inputs:
environment:
description: 'Target environment'
required: true
type: choice
default: staging
options:
- staging
- production
# ─────────────────────────────────────────────────────────────────────────────
# REQUIRED GITHUB SECRETS
# ─────────────────────────────────────────────────────────────────────────────
# Set these in: GitHub repo → Settings → Secrets and variables → Actions
#
# ── Registry (GHCR) ──────────────────────────────────────────────────────────
# GHCR_TOKEN GitHub Personal Access Token with write:packages scope
# (or use ${{ secrets.GITHUB_TOKEN }} — no setup needed)
#
# ── Staging ──────────────────────────────────────────────────────────────────
# STAGING_SSH_HOST IP address or hostname of the staging server
# STAGING_SSH_USER SSH login user (e.g. ubuntu, root, deploy)
# STAGING_SSH_KEY Private SSH key — full PEM content including headers
# STAGING_APP_DIR App directory on server (e.g. /opt/app or /home/deploy/app)
# STAGING_VITE_APP_URL API URL baked into the frontend build (e.g. https://staging-api.yourdomain.com/)
# Must end with a trailing slash.
#
# ── Production ───────────────────────────────────────────────────────────────
# PROD_SSH_HOST IP address or hostname of the production server
# PROD_SSH_USER SSH login user
# PROD_SSH_KEY Private SSH key — full PEM content including headers
# PROD_APP_DIR App directory on server (e.g. /opt/app)
# PROD_VITE_APP_URL API URL baked into the frontend build (e.g. https://api.yourdomain.com/)
# Must end with a trailing slash.
#
# ── Optional: AWS ECS (only if using the ECS jobs below) ─────────────────────
# AWS_ACCESS_KEY_ID
# AWS_SECRET_ACCESS_KEY
# AWS_REGION e.g. us-east-1
# STAGING_ECR_BACKEND_URI e.g. 123456789.dkr.ecr.us-east-1.amazonaws.com/app-backend
# STAGING_ECR_FRONTEND_URI
# STAGING_ECS_CLUSTER ECS cluster name
# STAGING_ECS_SERVICE_BACKEND ECS service name for backend
# STAGING_ECS_SERVICE_FRONTEND ECS service name for frontend
# PROD_ECR_BACKEND_URI
# PROD_ECR_FRONTEND_URI
# PROD_ECS_CLUSTER
# PROD_ECS_SERVICE_BACKEND
# PROD_ECS_SERVICE_FRONTEND
# ─────────────────────────────────────────────────────────────────────────────
env:
REGISTRY: ghcr.io
BACKEND_IMAGE: ghcr.io/${{ github.repository_owner }}/app-backend
FRONTEND_STAGING_IMAGE: ghcr.io/${{ github.repository_owner }}/app-frontend-staging
FRONTEND_PRODUCTION_IMAGE: ghcr.io/${{ github.repository_owner }}/app-frontend-production
jobs:
# ─────────────────────────────────────────────────────────────────────────
# JOB 1 — Build and push all images
# Builds once per commit SHA. Both staging and production deploy from these.
# ─────────────────────────────────────────────────────────────────────────
build:
name: Build & Push Images
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
# Use GHCR_TOKEN secret for a fine-grained PAT, or
# use GITHUB_TOKEN (auto-provided, no setup needed):
password: ${{ secrets.GITHUB_TOKEN }}
# ── Backend (one image shared across all environments) ──────────────────
- name: Build and push backend
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile.backend
push: true
tags: |
${{ env.BACKEND_IMAGE }}:${{ github.sha }}
${{ env.BACKEND_IMAGE }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max
# ── Frontend — Staging (VITE_APP_URL baked in at build time) ───────────
- name: Build and push frontend (staging)
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile.frontend
push: true
build-args: |
VITE_APP_URL=${{ secrets.STAGING_VITE_APP_URL }}
VITE_APP_TITLE=${{ github.event.repository.name }}
tags: |
${{ env.FRONTEND_STAGING_IMAGE }}:${{ github.sha }}
${{ env.FRONTEND_STAGING_IMAGE }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max
# ── Frontend — Production (separate image, different VITE_APP_URL) ──────
- name: Build and push frontend (production)
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile.frontend
push: true
build-args: |
VITE_APP_URL=${{ secrets.PROD_VITE_APP_URL }}
VITE_APP_TITLE=${{ github.event.repository.name }}
tags: |
${{ env.FRONTEND_PRODUCTION_IMAGE }}:${{ github.sha }}
${{ env.FRONTEND_PRODUCTION_IMAGE }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max
# ─────────────────────────────────────────────────────────────────────────
# JOB 2 — Deploy to Staging (VPS via SSH)
# ─────────────────────────────────────────────────────────────────────────
deploy-staging-vps:
name: Deploy → Staging (VPS)
needs: build
runs-on: ubuntu-latest
environment: staging # GitHub Environment — add protection rules in repo Settings
if: github.event.inputs.environment == 'staging'
steps:
- name: Deploy to staging VPS
uses: appleboy/ssh-action@v1
with:
host: ${{ secrets.STAGING_SSH_HOST }}
username: ${{ secrets.STAGING_SSH_USER }}
key: ${{ secrets.STAGING_SSH_KEY }}
envs: BACKEND_IMAGE,FRONTEND_STAGING_IMAGE,SHA
script: |
set -e
cd ${{ secrets.STAGING_APP_DIR }}
# Pull the new images
docker pull ${{ env.BACKEND_IMAGE }}:${{ github.sha }}
docker pull ${{ env.FRONTEND_STAGING_IMAGE }}:${{ github.sha }}
# Update the running containers (no rebuild — uses pulled images)
BACKEND_IMAGE=${{ env.BACKEND_IMAGE }}:${{ github.sha }} \
FRONTEND_IMAGE=${{ env.FRONTEND_STAGING_IMAGE }}:${{ github.sha }} \
docker compose up -d --no-build
# Remove dangling images to free disk space
docker image prune -f
# ─────────────────────────────────────────────────────────────────────────
# JOB 3 — Deploy to Production (VPS via SSH)
# Requires manual approval via GitHub Environment protection rules.
# Set up in: repo Settings → Environments → production → Required reviewers
# ─────────────────────────────────────────────────────────────────────────
deploy-production-vps:
name: Deploy → Production (VPS)
needs: build
runs-on: ubuntu-latest
environment: production # Configure required reviewers in GitHub repo settings
if: github.event.inputs.environment == 'production'
steps:
- name: Deploy to production VPS
uses: appleboy/ssh-action@v1
with:
host: ${{ secrets.PROD_SSH_HOST }}
username: ${{ secrets.PROD_SSH_USER }}
key: ${{ secrets.PROD_SSH_KEY }}
script: |
set -e
cd ${{ secrets.PROD_APP_DIR }}
# Pull the new images
docker pull ${{ env.BACKEND_IMAGE }}:${{ github.sha }}
docker pull ${{ env.FRONTEND_PRODUCTION_IMAGE }}:${{ github.sha }}
# Update the running containers (no rebuild — uses pulled images)
BACKEND_IMAGE=${{ env.BACKEND_IMAGE }}:${{ github.sha }} \
FRONTEND_IMAGE=${{ env.FRONTEND_PRODUCTION_IMAGE }}:${{ github.sha }} \
docker compose up -d --no-build
# Remove dangling images to free disk space
docker image prune -f
# ─────────────────────────────────────────────────────────────────────────────
# AWS ECS ALTERNATIVE
# ─────────────────────────────────────────────────────────────────────────────
# Replace the VPS jobs above with these ECS jobs if you are deploying to AWS ECS.
# Also change the BACKEND_IMAGE / FRONTEND_*_IMAGE env vars at the top to ECR URIs.
#
# Prerequisites:
# 1. Create ECR repositories for backend and frontend (staging + production)
# 2. Create ECS clusters + task definitions + services
# 3. Add the AWS secrets listed in the secrets section above
# 4. Change REGISTRY above to: <account-id>.dkr.ecr.<region>.amazonaws.com
#
# ─────────────────────────────────────────────────────────────────────────────
#
# deploy-staging-ecs:
# name: Deploy → Staging (ECS)
# needs: build
# runs-on: ubuntu-latest
# environment: staging
# if: github.event.inputs.environment == 'staging'
#
# steps:
# - name: Configure AWS credentials
# uses: aws-actions/configure-aws-credentials@v4
# with:
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# aws-region: ${{ secrets.AWS_REGION }}
#
# - name: Log in to Amazon ECR
# uses: aws-actions/amazon-ecr-login@v2
#
# # Re-tag and push to ECR (the build job pushed to GHCR — repush to ECR)
# # Alternatively, change REGISTRY and IMAGE vars above to ECR URIs from the start.
# - name: Force new ECS deployment (backend)
# run: |
# aws ecs update-service \
# --cluster ${{ secrets.STAGING_ECS_CLUSTER }} \
# --service ${{ secrets.STAGING_ECS_SERVICE_BACKEND }} \
# --force-new-deployment \
# --region ${{ secrets.AWS_REGION }}
#
# - name: Force new ECS deployment (frontend)
# run: |
# aws ecs update-service \
# --cluster ${{ secrets.STAGING_ECS_CLUSTER }} \
# --service ${{ secrets.STAGING_ECS_SERVICE_FRONTEND }} \
# --force-new-deployment \
# --region ${{ secrets.AWS_REGION }}
#
# - name: Wait for ECS service stability
# run: |
# aws ecs wait services-stable \
# --cluster ${{ secrets.STAGING_ECS_CLUSTER }} \
# --services ${{ secrets.STAGING_ECS_SERVICE_BACKEND }} ${{ secrets.STAGING_ECS_SERVICE_FRONTEND }} \
# --region ${{ secrets.AWS_REGION }}
#
# deploy-production-ecs:
# name: Deploy → Production (ECS)
# needs: build
# runs-on: ubuntu-latest
# environment: production
# if: github.event.inputs.environment == 'production'
#
# steps:
# - name: Configure AWS credentials
# uses: aws-actions/configure-aws-credentials@v4
# with:
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# aws-region: ${{ secrets.AWS_REGION }}
#
# - name: Log in to Amazon ECR
# uses: aws-actions/amazon-ecr-login@v2
#
# - name: Force new ECS deployment (backend)
# run: |
# aws ecs update-service \
# --cluster ${{ secrets.PROD_ECS_CLUSTER }} \
# --service ${{ secrets.PROD_ECS_SERVICE_BACKEND }} \
# --force-new-deployment \
# --region ${{ secrets.AWS_REGION }}
#
# - name: Force new ECS deployment (frontend)
# run: |
# aws ecs update-service \
# --cluster ${{ secrets.PROD_ECS_CLUSTER }} \
# --service ${{ secrets.PROD_ECS_SERVICE_FRONTEND }} \
# --force-new-deployment \
# --region ${{ secrets.AWS_REGION }}
#
# - name: Wait for ECS service stability
# run: |
# aws ecs wait services-stable \
# --cluster ${{ secrets.PROD_ECS_CLUSTER }} \
# --services ${{ secrets.PROD_ECS_SERVICE_BACKEND }} ${{ secrets.PROD_ECS_SERVICE_FRONTEND }} \
# --region ${{ secrets.AWS_REGION }}