michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: update ci-cd.yml

Browse Source
This commit is contained in:
Michael Schiemer
2025-07-17 21:49:56 +02:00
parent 625d5c9a7e
commit 42a634d467
1 changed files with 33 additions and 262 deletions
Download Patch File Download Diff File Expand all files Collapse all files

295
.gitea/workflows/ci-cd.yml
View File

@@ -7,15 +7,12 @@ on:
branches: [ main ] branches: [ main ]
env: env:
REGISTRY_URL: docker-registry:5000 # Internal network name for Gitea runner REGISTRY_URL: localhost:5000 # Host network allows access to localhost
IMAGE_NAME: michaelschiemer IMAGE_NAME: michaelschiemer
PHP_VERSION: "8.4"
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container:
image: node:18-bullseye
services: services:
redis: redis:
image: redis:8-alpine image: redis:8-alpine
@@ -30,117 +27,40 @@ jobs:
- 3306:3306 - 3306:3306
steps: steps:
- name: Install System Dependencies
run: |
apt-get update
apt-get install -y git curl wget gnupg2 software-properties-common lsb-release ca-certificates apt-transport-https
- name: Debug Environment
run: |
echo "=== Environment Debug ==="
echo "PWD: $(pwd)"
echo "USER: $(whoami)"
echo "PATH: $PATH"
echo "Available commands:"
which git || echo "git not found"
which node || echo "node not found"
which npm || echo "npm not found"
echo "Node version: $(node --version)"
echo "NPM version: $(npm --version)"
echo "OS Info:"
cat /etc/os-release || echo "os-release not found"
echo "=== End Debug ==="
- name: Checkout Code - name: Checkout Code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Setup PHP - name: Setup Node.js
run: | uses: actions/setup-node@v4
# Install PHP 8.4
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
apt-get update
apt-get install -y php8.4-cli php8.4-common php8.4-curl php8.4-zip php8.4-gd php8.4-mysql php8.4-xml php8.4-mbstring php8.4-json php8.4-intl php8.4-bcmath php8.4-redis
- name: Install Composer
run: |
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer
chmod +x /usr/local/bin/composer
- name: Cache Composer Dependencies
uses: actions/cache@v4
with: with:
path: ~/.composer/cache node-version: '18'
key: composer-${{ hashFiles('**/composer.lock') }}
restore-keys: composer- - name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.4'
extensions: gd, zip, pdo, pdo_mysql, opcache, pcntl, posix, shmop, redis
tools: composer
- name: Install Dependencies - name: Install Dependencies
run: | run: composer install --no-progress --prefer-dist --optimize-autoloader
composer install --no-progress --prefer-dist --optimize-autoloader
- name: Build Frontend Assets - name: Build Frontend Assets
run: npm install && npm run build run: npm install && npm run build
- name: Run PHP CS Fixer (Check)
run: |
composer cs
- name: Run Tests - name: Run Tests
run: | run: ./vendor/bin/pest
./vendor/bin/pest
env: env:
DB_HOST: mariadb DB_HOST: localhost
DB_PORT: 3306 DB_PORT: 3306
DB_DATABASE: test DB_DATABASE: test
DB_USERNAME: root DB_USERNAME: root
DB_PASSWORD: test DB_PASSWORD: test
REDIS_HOST: redis REDIS_HOST: localhost
REDIS_PORT: 6379 REDIS_PORT: 6379
security-scan:
runs-on: ubuntu-latest
container:
image: node:18-bullseye
needs: test
steps:
- name: Install System Dependencies
run: |
apt-get update
apt-get install -y git curl wget gnupg2 software-properties-common lsb-release ca-certificates apt-transport-https
- name: Checkout Code
uses: actions/checkout@v4
- name: Setup PHP
run: |
# Install PHP 8.4
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
apt-get update
apt-get install -y php8.4-cli php8.4-common php8.4-curl php8.4-zip php8.4-gd php8.4-mysql php8.4-xml php8.4-mbstring php8.4-json php8.4-intl php8.4-bcmath
- name: Install Composer
run: |
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer
chmod +x /usr/local/bin/composer
- name: Install Dependencies
run: |
composer install --no-progress --prefer-dist --optimize-autoloader
- name: Run Security Scan
run: |
# Composer-Audit für bekannte Vulnerabilities
composer audit --format=json || true
# Grundlegende Sicherheitsscans
find . -name "*.php" -exec grep -l "eval\|system\|exec\|shell_exec" {} \; || true
build: build:
needs: [test, security-scan] needs: test
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop'
@@ -157,175 +77,26 @@ jobs:
run: | run: |
if [ "${{ github.ref }}" = "refs/heads/main" ]; then if [ "${{ github.ref }}" = "refs/heads/main" ]; then
echo "tag=latest" >> $GITHUB_OUTPUT echo "tag=latest" >> $GITHUB_OUTPUT
echo "env=production" >> $GITHUB_OUTPUT
else else
echo "tag=develop" >> $GITHUB_OUTPUT echo "tag=develop" >> $GITHUB_OUTPUT
echo "env=staging" >> $GITHUB_OUTPUT
fi fi
- name: Build and Push PHP Image - name: Build and Push Images
run: | run: |
docker build \ # Build and push PHP image
--build-arg ENV=${{ steps.tag.outputs.env }} \ if [ -f docker/php/Dockerfile ]; then
--build-arg COMPOSER_INSTALL_FLAGS="--no-scripts --no-autoloader --optimize-autoloader" \ docker build -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} -f docker/php/Dockerfile .
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} \ docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }}
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} \ fi
-f docker/php/Dockerfile .
# Build and push Nginx image
docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} if [ -f docker/nginx/Dockerfile ]; then
docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} docker build -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} -f docker/nginx/Dockerfile .
docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }}
- name: Build and Push Nginx Image fi
run: |
docker build \ # Build and push Worker image
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} \ if [ -f docker/worker/Dockerfile ]; then
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }} \ docker build -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} -f docker/worker/Dockerfile .
-f docker/nginx/Dockerfile . docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }}
docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }}
docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }}
- name: Build and Push Worker Image
run: |
docker build \
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} \
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }} \
-f docker/worker/Dockerfile .
docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }}
docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }}
- name: Update Image Tags in Deployment
run: |
echo "Built images with tag: ${{ steps.tag.outputs.tag }}"
echo "SHA: ${{ github.sha }}"
deploy-staging:
needs: build
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/develop'
environment: staging
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Install SSH Client
run: |
apt-get update
apt-get install -y openssh-client
- name: Setup SSH
run: |
mkdir -p ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts
- name: Deploy to Staging
run: |
ssh -i ~/.ssh/id_rsa ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF'
cd /var/www/michaelschiemer
# Registry-Login
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin
# Images pullen
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:develop
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:develop
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:develop
# Environment auf develop setzen
sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=develop/' .env
# Services neustarten
docker compose pull
docker compose up -d
# Aufräumen
docker system prune -f
EOF
- name: Health Check Staging
run: |
sleep 30
curl -f https://staging.michaelschiemer.de/health || exit 1
deploy-production:
needs: build
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
environment: production
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Install SSH Client
run: |
apt-get update
apt-get install -y openssh-client
- name: Setup SSH
run: |
mkdir -p ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H ${{ secrets.PRODUCTION_HOST }} >> ~/.ssh/known_hosts
- name: Deploy to Production
run: |
ssh -i ~/.ssh/id_rsa ${{ secrets.PRODUCTION_USER }}@${{ secrets.PRODUCTION_HOST }} << 'EOF'
cd /var/www/michaelschiemer
# Registry-Login
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin
# Images pullen
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:latest
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:latest
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:latest
# Environment auf latest setzen
sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=latest/' .env
# Services neustarten
docker compose pull
docker compose up -d
# Aufräumen
docker system prune -f
EOF
- name: Health Check Production
run: |
sleep 30
curl -f https://michaelschiemer.de/health || exit 1
cleanup:
needs: [deploy-staging, deploy-production]
runs-on: ubuntu-latest
if: always()
steps:
- name: Clean up old images
run: |
echo "Cleanup läuft..."
echo "Cleanup abgeschlossen"
notify:
needs: [deploy-staging, deploy-production]
runs-on: ubuntu-latest
if: always()
steps:
- name: Notify Deployment Status
run: |
STATUS="${{ job.status }}"
BRANCH="${{ github.ref_name }}"
if [ "$STATUS" = "success" ]; then
echo "✅ Deployment erfolgreich für Branch: $BRANCH"
else
echo "❌ Deployment fehlgeschlagen für Branch: $BRANCH"
fi fi