From 8af6264b80fc5353dde14169486db63b9726af53 Mon Sep 17 00:00:00 2001
From: Michael Schiemer
Date: Thu, 17 Jul 2025 21:33:29 +0200
Subject: [PATCH] chore: update ci-cd.yml
---
.gitea/workflows/ci-cd.yml | 403 +++++++++++++++++++------------------
1 file changed, 203 insertions(+), 200 deletions(-)
diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index db64e6c9..7178844d 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -7,7 +7,8 @@ on:
branches: [ main ] env: - REGISTRY_URL: registry.michaelschiemer.de + REGISTRY_URL: localhost:5000 # For local development + # REGISTRY_URL: registry.michaelschiemer.de # For production with proper SSL IMAGE_NAME: michaelschiemer PHP_VERSION: "8.4" 
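Review bot: Changing the workflow-level `REGISTRY_URL` to `localhost:5000` affects every job, not only the build: the deploy-staging and deploy-production steps later in this patch expand `${{ env.REGISTRY_URL }}` inside the SSH heredoc, so the remote hosts will run `docker login localhost:5000` and pull from their own loopback, where presumably no registry is listening. A committed workflow should not carry a developer-machine value with the production one commented out; keep `REGISTRY_URL: registry.michaelschiemer.de` here and override it for local runs per job or through a repository variable. The hunk's added and removed lines are collapsed onto one physical line, so their exact indentation cannot be checked from this view.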
@@ -17,104 +18,104 @@ jobs: services: redis: image: redis:8-alpine + ports: + - 6379:6379 mariadb: image: mariadb:latest env: MYSQL_ROOT_PASSWORD: test MYSQL_DATABASE: test + ports: + - 3306:3306 steps: - - name: Debug Environment - run: | - echo "=== Environment Debug ===" - echo "PWD: $(pwd)" - echo "USER: $(whoami)" - echo "PATH: $PATH" - echo "Available commands:" - which git || echo "git not found" - which node || echo "node not found" - which npm || echo "npm not found" - echo "OS Info:" - cat /etc/os-release || echo "os-release not found" - echo "=== End Debug ===" + - name: Debug Environment + run: | + echo "=== Environment Debug ===" + echo "PWD: $(pwd)" + echo "USER: $(whoami)" + echo "PATH: $PATH" + echo "Available commands:" + which git || echo "git not found" + which node || echo "node not found" + which npm || echo "npm not found" + echo "OS Info:" + cat /etc/os-release || echo "os-release not found" + echo "=== End Debug ===" - - name: Checkout Code - run: | - git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} . 
- ls -la + - name: Checkout Code + uses: actions/checkout@v4 - - name: Setup PHP - uses: shivammathur/setup-php@v2 - with: - php-version: ${{ env.PHP_VERSION }} - extensions: gd, zip, pdo, pdo_mysql, opcache, pcntl, posix, shmop, redis - tools: composer - coverage: none + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ env.PHP_VERSION }} + extensions: gd, zip, pdo, pdo_mysql, opcache, pcntl, posix, shmop, redis + tools: composer + coverage: none - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: '18' - cache: 'npm' + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '18' + cache: 'npm' - - name: Cache Composer Dependencies - uses: actions/cache@v3 - with: - path: ~/.composer/cache - key: composer-${{ hashFiles('**/composer.lock') }} - restore-keys: composer- + - name: Cache Composer Dependencies + uses: actions/cache@v4 + with: + path: ~/.composer/cache + key: composer-${{ hashFiles('**/composer.lock') }} + restore-keys: composer- - - name: Install Dependencies - run: | - composer install --no-progress --prefer-dist --optimize-autoloader + - name: Install Dependencies + run: | + composer install --no-progress --prefer-dist --optimize-autoloader - - name: Build Frontend Assets - run: npm install && npm run build + - name: Build Frontend Assets + run: npm install && npm run build - - name: Run PHP CS Fixer (Check) - run: | - composer cs + - name: Run PHP CS Fixer (Check) + run: | + composer cs - - name: Run Tests - run: | - ./vendor/bin/pest - env: - DB_HOST: mariadb - DB_PORT: 3306 - DB_DATABASE: test - DB_USERNAME: root - DB_PASSWORD: test - REDIS_HOST: redis - REDIS_PORT: 6379 + - name: Run Tests + run: | + ./vendor/bin/pest + env: + DB_HOST: localhost + DB_PORT: 3306 + DB_DATABASE: test + DB_USERNAME: root + DB_PASSWORD: test + REDIS_HOST: localhost + REDIS_PORT: 6379 security-scan: runs-on: ubuntu-latest needs: test steps: - - name: Checkout Code - run: | - git clone --depth=1 
--branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} . - ls -la + - name: Checkout Code + uses: actions/checkout@v4 - - name: Setup PHP - uses: shivammathur/setup-php@v2 - with: - php-version: ${{ env.PHP_VERSION }} - tools: composer - coverage: none + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ env.PHP_VERSION }} + tools: composer + coverage: none - - name: Install Dependencies - run: | - composer install --no-progress --prefer-dist --optimize-autoloader + - name: Install Dependencies + run: | + composer install --no-progress --prefer-dist --optimize-autoloader - - name: Run Security Scan - run: | - # Composer-Audit für bekannte Vulnerabilities - composer audit --format=json || true + - name: Run Security Scan + run: | + # Composer-Audit für bekannte Vulnerabilities + composer audit --format=json || true - # Grundlegende Sicherheitsscans - find . -name "*.php" -exec grep -l "eval\|system\|exec\|shell_exec" {} \; || true + # Grundlegende Sicherheitsscans + find . -name "*.php" -exec grep -l "eval\|system\|exec\|shell_exec" {} \; || true build: needs: [test, security-scan] 
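Review bot: The `security-scan` job still cannot fail: `composer audit --format=json || true` discards the audit's exit status, and the `find … grep` line is also suffixed with `|| true`, so a known-vulnerable dependency produces some JSON in the log and a green check for the `build` job that depends on it. Drop the suffix on the audit line, `composer audit --format=json`, so advisories actually gate the build, or state in a comment that the job is report-only if that is intended. `mariadb:latest` is unpinned, so the test database can change underneath the suite between runs; pin a major version as `redis:8-alpine` already does. The new `DB_HOST: localhost` and host `ports:` mappings assume the job runs directly on the runner host rather than in a job container, where service containers are reached by service name; worth confirming against this Gitea runner's configuration.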
@@ -122,60 +123,64 @@ jobs: if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' steps: - - name: Checkout Code - run: | - git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} . - ls -la + - name: Checkout Code + uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - - name: Login to Private Registry - run: | - echo ${{ secrets.REGISTRY_PASSWORD }} | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin + - name: Configure Docker for Insecure Registry + run: | + # For self-signed certificates or local registry + echo '{"insecure-registries":["localhost:5000","registry.michaelschiemer.de"]}' | sudo tee /etc/docker/daemon.json + sudo systemctl restart docker - - name: Determine Image Tag - id: tag - run: | - if [ "${{ github.ref }}" = "refs/heads/main" ]; then - echo "tag=latest" >> $GITHUB_OUTPUT - echo "env=production" >> $GITHUB_OUTPUT - else - echo "tag=develop" >> $GITHUB_OUTPUT - echo "env=staging" >> $GITHUB_OUTPUT - fi + - name: Login to Private Registry + run: | + echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin - - name: Build and Push PHP Image - run: | - docker buildx build --push \ - --platform linux/amd64,linux/arm64 \ - --build-arg ENV=${{ steps.tag.outputs.env }} \ - --build-arg COMPOSER_INSTALL_FLAGS="--no-scripts --no-autoloader --optimize-autoloader" \ - -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} \ - -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} \ - -f docker/php/Dockerfile . 
+ - name: Determine Image Tag + id: tag + run: | + if [ "${{ github.ref }}" = "refs/heads/main" ]; then + echo "tag=latest" >> $GITHUB_OUTPUT + echo "env=production" >> $GITHUB_OUTPUT + else + echo "tag=develop" >> $GITHUB_OUTPUT + echo "env=staging" >> $GITHUB_OUTPUT + fi - - name: Build and Push Nginx Image - run: | - docker buildx build --push \ - --platform linux/amd64,linux/arm64 \ - -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} \ - -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }} \ - -f docker/nginx/Dockerfile . + - name: Build and Push PHP Image + run: | + docker buildx build --push \ + --platform linux/amd64 \ + --build-arg ENV=${{ steps.tag.outputs.env }} \ + --build-arg COMPOSER_INSTALL_FLAGS="--no-scripts --no-autoloader --optimize-autoloader" \ + -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} \ + -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} \ + -f docker/php/Dockerfile . - - name: Build and Push Worker Image - run: | - docker buildx build --push \ - --platform linux/amd64,linux/arm64 \ - -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} \ - -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }} \ - -f docker/worker/Dockerfile . + - name: Build and Push Nginx Image + run: | + docker buildx build --push \ + --platform linux/amd64 \ + -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} \ + -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }} \ + -f docker/nginx/Dockerfile . 
- - name: Update Image Tags in Deployment - run: | - # Für spätere Ansible-Integration - echo "Built images with tag: ${{ steps.tag.outputs.tag }}" - echo "SHA: ${{ github.sha }}" + - name: Build and Push Worker Image + run: | + docker buildx build --push \ + --platform linux/amd64 \ + -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} \ + -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }} \ + -f docker/worker/Dockerfile . + + - name: Update Image Tags in Deployment + run: | + # Für spätere Ansible-Integration + echo "Built images with tag: ${{ steps.tag.outputs.tag }}" + echo "SHA: ${{ github.sha }}" deploy-staging: needs: build 
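Review bot: The new `Configure Docker for Insecure Registry` step lists `registry.michaelschiemer.de` in `insecure-registries`, which tells the runner's dockerd to accept plain HTTP and untrusted certificates for the production registry, so an image pushed over an interposed connection would go through without any error. Keep only the local entry — `echo '{"insecure-registries":["localhost:5000"]}' | sudo tee /etc/docker/daemon.json` — and trust the production registry's CA via `/etc/docker/certs.d/registry.michaelschiemer.de/ca.crt` rather than disabling verification. The same step overwrites any existing `/etc/docker/daemon.json` and restarts the daemon, which on a containerized runner may take the job itself down; merging into the existing file is safer. The login line replaces `${{ secrets.REGISTRY_USERNAME }}` with a hardcoded `-u admin`, which commits the account name to the repository and makes rotation harder; the same hardcoding appears in the deploy-staging and deploy-production hunks. The build job's `runs-on` and `needs` lines are above this hunk.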
@@ -184,46 +189,44 @@ jobs: environment: staging steps: - - name: Checkout Code - run: | - git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} . - ls -la + - name: Checkout Code + uses: actions/checkout@v4 - - name: Setup SSH - run: | - mkdir -p ~/.ssh - echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa - chmod 600 ~/.ssh/id_rsa - ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts + - name: Setup SSH + run: | + mkdir -p ~/.ssh + echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa + chmod 600 ~/.ssh/id_rsa + ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts - - name: Deploy to Staging - run: | - ssh -i ~/.ssh/id_rsa ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF' - cd /var/www/michaelschiemer + - name: Deploy to Staging + run: | + ssh -i ~/.ssh/id_rsa ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF' + cd /var/www/michaelschiemer - # Registry-Login - echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin + # Registry-Login + echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin - # Images pullen - docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:develop - docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:develop - docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:develop + # Images pullen + docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:develop + docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:develop + docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:develop - # Environment auf develop setzen - sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=develop/' .env + # Environment auf develop setzen + sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=develop/' .env - # Services neustarten - docker compose pull - docker compose up -d + # Services neustarten + docker compose pull 
+ docker compose up -d - # Aufräumen - docker system prune -f - EOF + # Aufräumen + docker system prune -f + EOF - - name: Health Check Staging - run: | - sleep 30 - curl -f https://staging.michaelschiemer.de/health || exit 1 + - name: Health Check Staging + run: | + sleep 30 + curl -f https://staging.michaelschiemer.de/health || exit 1 deploy-production: needs: build 
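Review bot: `ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts` accepts whatever host key is presented at the moment of the run, so the host-key check on the following `ssh` only detects a key that changes mid-run, not a connection that was redirected before the scan; the deploy-production hunk has the same step. Store the server's known_hosts line as a secret and append that instead, e.g. `echo "${{ secrets.STAGING_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts` (secret name chosen here as a placeholder). Note also that after this patch's `env:` change the heredoc's `docker login ${{ env.REGISTRY_URL }}` and `docker pull ${{ env.REGISTRY_URL }}/…` expand to `localhost:5000` on the staging host. The deploy-staging job's `runs-on` and `if:` lines are above the hunk.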
@@ -232,46 +235,44 @@ jobs: environment: production steps: - - name: Checkout Code - run: | - git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} . - ls -la + - name: Checkout Code + uses: actions/checkout@v4 - - name: Setup SSH - run: | - mkdir -p ~/.ssh - echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa - chmod 600 ~/.ssh/id_rsa - ssh-keyscan -H ${{ secrets.PRODUCTION_HOST }} >> ~/.ssh/known_hosts + - name: Setup SSH + run: | + mkdir -p ~/.ssh + echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa + chmod 600 ~/.ssh/id_rsa + ssh-keyscan -H ${{ secrets.PRODUCTION_HOST }} >> ~/.ssh/known_hosts - - name: Deploy to Production - run: | - ssh -i ~/.ssh/id_rsa ${{ secrets.PRODUCTION_USER }}@${{ secrets.PRODUCTION_HOST }} << 'EOF' - cd /var/www/michaelschiemer + - name: Deploy to Production + run: | + ssh -i ~/.ssh/id_rsa ${{ secrets.PRODUCTION_USER }}@${{ secrets.PRODUCTION_HOST }} << 'EOF' + cd /var/www/michaelschiemer - # Registry-Login - echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin + # Registry-Login + echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin - # Images pullen - docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:latest - docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:latest - docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:latest + # Images pullen + docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:latest + docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:latest + docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:latest - # Environment auf latest setzen - sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=latest/' .env + # Environment auf latest setzen + sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=latest/' .env - # Services neustarten - docker compose pull - docker compose up -d + # Services neustarten + 
docker compose pull + docker compose up -d - # Aufräumen - docker system prune -f - EOF + # Aufräumen + docker system prune -f + EOF - - name: Health Check Production - run: | - sleep 30 - curl -f https://michaelschiemer.de/health || exit 1 + - name: Health Check Production + run: | + sleep 30 + curl -f https://michaelschiemer.de/health || exit 1 cleanup: needs: [deploy-staging, deploy-production]
@@ -279,11 +280,12 @@ jobs: if: always() steps: - - name: Clean up old images - run: | - echo "Cleanup läuft..." - # Hier könnten Sie Registry-API-Calls für Cleanup implementieren - echo "Cleanup abgeschlossen" + - name: Clean up old images + run: | + echo "Cleanup läuft..." + # Registry cleanup can be implemented here using registry API + # For now, just log that cleanup is running + echo "Cleanup abgeschlossen" notify: needs: [deploy-staging, deploy-production]
@@ -291,15 +293,16 @@ jobs: if: always() steps: - - name: Notify Deployment Status - run: | - STATUS="${{ job.status }}" - BRANCH="${{ github.ref_name }}" + - name: Notify Deployment Status + run: | + STATUS="${{ job.status }}" + BRANCH="${{ github.ref_name }}" - if [ "$STATUS" = "success" ]; then - echo "✅ Deployment erfolgreich für Branch: $BRANCH" - else - echo "❌ Deployment fehlgeschlagen für Branch: $BRANCH" - fi + if [ "$STATUS" = "success" ]; then + echo "✅ Deployment erfolgreich für Branch: $BRANCH" + else + echo "❌ Deployment fehlgeschlagen für Branch: $BRANCH" + fi - # Hier könnten Sie Slack/Email-Benachrichtigungen hinzufügen + # Hier könnten Sie Slack/Email-Benachrichtigungen hinzufügen + # Example: curl -X POST -H 'Content-type: application/json' --data '{"text":"Deployment Status: $STATUS for $BRANCH"}' $SLACK_WEBHOOK_URL
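Review bot: The production deploy pulls the mutable `:latest` tags and writes `IMAGE_TAG=latest` into `.env`, even though the build job in this same patch also pushes a `${{ github.sha }}` tag for each image; what ends up running is therefore whatever `latest` points at when `docker pull` happens, and a re-run cannot reproduce or roll back a specific build. If the compose file reads `IMAGE_TAG`, deploy by digest-stable tag instead: `sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=${{ github.sha }}/' .env` and pull the `:${{ github.sha }}` images. The deploy-production job's `runs-on` and `if:` lines are above the hunk; the SSH host-key and `REGISTRY_URL` issues are noted on the deploy-staging hunk.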
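Review bot: `STATUS="${{ job.status }}"` reads the status of the `notify` job itself, which runs under `if: always()` and contains only `echo` steps, so it is practically always `success` and the "fehlgeschlagen" branch is unreachable even when a deploy failed. Use the `needs` context instead, e.g. `STATUS="${{ needs.deploy-production.result }}"` (and the staging job analogously), which carries `success`, `failure`, `cancelled` or `skipped` for the upstream job. The new example comment puts `$STATUS` and `$BRANCH` inside a single-quoted JSON string, so they would not expand if the line were ever enabled; a webhook URL should also come from `${{ secrets.… }}` rather than a plain environment variable.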