chore: update ci-cd.yml

2025-07-17 21:33:29 +02:00
parent 874eff08aa
commit 8af6264b80
1 changed files with 203 additions and 200 deletions
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -7,7 +7,8 @@ on:
    branches: [ main ]
 env:
-  REGISTRY_URL: registry.michaelschiemer.de
+  REGISTRY_URL: localhost:5000  # For local development
  # REGISTRY_URL: registry.michaelschiemer.de  # For production with proper SSL
  IMAGE_NAME: michaelschiemer
  PHP_VERSION: "8.4"
@@ -17,104 +18,104 @@ jobs:
    services:
      redis:
        image: redis:8-alpine
        ports:
          - 6379:6379
      mariadb:
        image: mariadb:latest
        env:
          MYSQL_ROOT_PASSWORD: test
          MYSQL_DATABASE: test
        ports:
          - 3306:3306
    steps:
-    - name: Debug Environment
+      - name: Debug Environment
-      run: |
+        run: |
-        echo "=== Environment Debug ==="
+          echo "=== Environment Debug ==="
-        echo "PWD: $(pwd)"
+          echo "PWD: $(pwd)"
-        echo "USER: $(whoami)"
+          echo "USER: $(whoami)"
-        echo "PATH: $PATH"
+          echo "PATH: $PATH"
-        echo "Available commands:"
+          echo "Available commands:"
-        which git || echo "git not found"
+          which git || echo "git not found"
-        which node || echo "node not found"
+          which node || echo "node not found"
-        which npm || echo "npm not found"
+          which npm || echo "npm not found"
-        echo "OS Info:"
+          echo "OS Info:"
-        cat /etc/os-release || echo "os-release not found"
+          cat /etc/os-release || echo "os-release not found"
-        echo "=== End Debug ==="
+          echo "=== End Debug ==="
-    - name: Checkout Code
+      - name: Checkout Code
-      run: |
+        uses: actions/checkout@v4
        git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
        ls -la
-    - name: Setup PHP
+      - name: Setup PHP
-      uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@v2
-      with:
+        with:
-        php-version: ${{ env.PHP_VERSION }}
+          php-version: ${{ env.PHP_VERSION }}
-        extensions: gd, zip, pdo, pdo_mysql, opcache, pcntl, posix, shmop, redis
+          extensions: gd, zip, pdo, pdo_mysql, opcache, pcntl, posix, shmop, redis
-        tools: composer
+          tools: composer
-        coverage: none
+          coverage: none
-    - name: Setup Node.js
+      - name: Setup Node.js
-      uses: actions/setup-node@v4
+        uses: actions/setup-node@v4
-      with:
+        with:
-        node-version: '18'
+          node-version: '18'
-        cache: 'npm'
+          cache: 'npm'
-    - name: Cache Composer Dependencies
+      - name: Cache Composer Dependencies
-      uses: actions/cache@v3
+        uses: actions/cache@v4
-      with:
+        with:
-        path: ~/.composer/cache
+          path: ~/.composer/cache
-        key: composer-${{ hashFiles('**/composer.lock') }}
+          key: composer-${{ hashFiles('**/composer.lock') }}
-        restore-keys: composer-
+          restore-keys: composer-
-    - name: Install Dependencies
+      - name: Install Dependencies
-      run: |
+        run: |
-        composer install --no-progress --prefer-dist --optimize-autoloader
+          composer install --no-progress --prefer-dist --optimize-autoloader
-    - name: Build Frontend Assets
+      - name: Build Frontend Assets
-      run: npm install && npm run build
+        run: npm install && npm run build
-    - name: Run PHP CS Fixer (Check)
+      - name: Run PHP CS Fixer (Check)
-      run: |
+        run: |
-        composer cs
+          composer cs
-    - name: Run Tests
+      - name: Run Tests
-      run: |
+        run: |
-        ./vendor/bin/pest
+          ./vendor/bin/pest
-      env:
+        env:
-        DB_HOST: mariadb
+          DB_HOST: localhost
-        DB_PORT: 3306
+          DB_PORT: 3306
-        DB_DATABASE: test
+          DB_DATABASE: test
-        DB_USERNAME: root
+          DB_USERNAME: root
-        DB_PASSWORD: test
+          DB_PASSWORD: test
-        REDIS_HOST: redis
+          REDIS_HOST: localhost
-        REDIS_PORT: 6379
+          REDIS_PORT: 6379
  security-scan:
    runs-on: ubuntu-latest
    needs: test
    steps:
-    - name: Checkout Code
+      - name: Checkout Code
-      run: |
+        uses: actions/checkout@v4
        git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
        ls -la
-    - name: Setup PHP
+      - name: Setup PHP
-      uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@v2
-      with:
+        with:
-        php-version: ${{ env.PHP_VERSION }}
+          php-version: ${{ env.PHP_VERSION }}
-        tools: composer
+          tools: composer
-        coverage: none
+          coverage: none
-    - name: Install Dependencies
+      - name: Install Dependencies
-      run: |
+        run: |
-        composer install --no-progress --prefer-dist --optimize-autoloader
+          composer install --no-progress --prefer-dist --optimize-autoloader
-    - name: Run Security Scan
+      - name: Run Security Scan
-      run: |
+        run: |
-        # Composer-Audit für bekannte Vulnerabilities
+          # Composer-Audit für bekannte Vulnerabilities
-        composer audit --format=json || true
+          composer audit --format=json || true
-        # Grundlegende Sicherheitsscans
+          # Grundlegende Sicherheitsscans
-        find . -name "*.php" -exec grep -l "eval\|system\|exec\|shell_exec" {} \; || true
+          find . -name "*.php" -exec grep -l "eval\|system\|exec\|shell_exec" {} \; || true
  build:
    needs: [test, security-scan]
@@ -122,60 +123,64 @@ jobs:
    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop'
    steps:
-    - name: Checkout Code
+      - name: Checkout Code
-      run: |
+        uses: actions/checkout@v4
        git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
        ls -la
-    - name: Set up Docker Buildx
+      - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v3
-    - name: Login to Private Registry
+      - name: Configure Docker for Insecure Registry
-      run: |
+        run: |
-        echo ${{ secrets.REGISTRY_PASSWORD }} | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin
+          # For self-signed certificates or local registry
          echo '{"insecure-registries":["localhost:5000","registry.michaelschiemer.de"]}' | sudo tee /etc/docker/daemon.json
          sudo systemctl restart docker
-    - name: Determine Image Tag
+      - name: Login to Private Registry
-      id: tag
+        run: |
-      run: |
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin
        if [ "${{ github.ref }}" = "refs/heads/main" ]; then
          echo "tag=latest" >> $GITHUB_OUTPUT
          echo "env=production" >> $GITHUB_OUTPUT
        else
          echo "tag=develop" >> $GITHUB_OUTPUT
          echo "env=staging" >> $GITHUB_OUTPUT
        fi
-    - name: Build and Push PHP Image
+      - name: Determine Image Tag
-      run: |
+        id: tag
-        docker buildx build --push \
+        run: |
-          --platform linux/amd64,linux/arm64 \
+          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
-          --build-arg ENV=${{ steps.tag.outputs.env }} \
+            echo "tag=latest" >> $GITHUB_OUTPUT
-          --build-arg COMPOSER_INSTALL_FLAGS="--no-scripts --no-autoloader --optimize-autoloader" \
+            echo "env=production" >> $GITHUB_OUTPUT
-          -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} \
+          else
-          -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} \
+            echo "tag=develop" >> $GITHUB_OUTPUT
-          -f docker/php/Dockerfile .
+            echo "env=staging" >> $GITHUB_OUTPUT
          fi
-    - name: Build and Push Nginx Image
+      - name: Build and Push PHP Image
-      run: |
+        run: |
-        docker buildx build --push \
+          docker buildx build --push \
-          --platform linux/amd64,linux/arm64 \
+            --platform linux/amd64 \
-          -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} \
+            --build-arg ENV=${{ steps.tag.outputs.env }} \
-          -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }} \
+            --build-arg COMPOSER_INSTALL_FLAGS="--no-scripts --no-autoloader --optimize-autoloader" \
-          -f docker/nginx/Dockerfile .
+            -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} \
            -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} \
            -f docker/php/Dockerfile .
-    - name: Build and Push Worker Image
+      - name: Build and Push Nginx Image
-      run: |
+        run: |
-        docker buildx build --push \
+          docker buildx build --push \
-          --platform linux/amd64,linux/arm64 \
+            --platform linux/amd64 \
-          -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} \
+            -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} \
-          -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }} \
+            -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }} \
-          -f docker/worker/Dockerfile .
+            -f docker/nginx/Dockerfile .
-    - name: Update Image Tags in Deployment
+      - name: Build and Push Worker Image
-      run: |
+        run: |
-        # Für spätere Ansible-Integration
+          docker buildx build --push \
-        echo "Built images with tag: ${{ steps.tag.outputs.tag }}"
+            --platform linux/amd64 \
-        echo "SHA: ${{ github.sha }}"
+            -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} \
            -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }} \
            -f docker/worker/Dockerfile .
      - name: Update Image Tags in Deployment
        run: |
          # Für spätere Ansible-Integration
          echo "Built images with tag: ${{ steps.tag.outputs.tag }}"
          echo "SHA: ${{ github.sha }}"
  deploy-staging:
    needs: build
@@ -184,46 +189,44 @@ jobs:
    environment: staging
    steps:
-    - name: Checkout Code
+      - name: Checkout Code
-      run: |
+        uses: actions/checkout@v4
        git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
        ls -la
-    - name: Setup SSH
+      - name: Setup SSH
-      run: |
+        run: |
-        mkdir -p ~/.ssh
+          mkdir -p ~/.ssh
-        echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
-        chmod 600 ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
-        ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts
+          ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts
-    - name: Deploy to Staging
+      - name: Deploy to Staging
-      run: |
+        run: |
-        ssh -i ~/.ssh/id_rsa ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF'
+          ssh -i ~/.ssh/id_rsa ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF'
-          cd /var/www/michaelschiemer
+            cd /var/www/michaelschiemer
-          # Registry-Login
+            # Registry-Login
-          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin
-          # Images pullen
+            # Images pullen
-          docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:develop
+            docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:develop
-          docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:develop
+            docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:develop
-          docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:develop
+            docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:develop
-          # Environment auf develop setzen
+            # Environment auf develop setzen
-          sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=develop/' .env
+            sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=develop/' .env
-          # Services neustarten
+            # Services neustarten
-          docker compose pull
+            docker compose pull
-          docker compose up -d
+            docker compose up -d
-          # Aufräumen
+            # Aufräumen
-          docker system prune -f
+            docker system prune -f
-        EOF
+          EOF
-    - name: Health Check Staging
+      - name: Health Check Staging
-      run: |
+        run: |
-        sleep 30
+          sleep 30
-        curl -f https://staging.michaelschiemer.de/health || exit 1
+          curl -f https://staging.michaelschiemer.de/health || exit 1
  deploy-production:
    needs: build
@@ -232,46 +235,44 @@ jobs:
    environment: production
    steps:
-    - name: Checkout Code
+      - name: Checkout Code
-      run: |
+        uses: actions/checkout@v4
        git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
        ls -la
-    - name: Setup SSH
+      - name: Setup SSH
-      run: |
+        run: |
-        mkdir -p ~/.ssh
+          mkdir -p ~/.ssh
-        echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
-        chmod 600 ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
-        ssh-keyscan -H ${{ secrets.PRODUCTION_HOST }} >> ~/.ssh/known_hosts
+          ssh-keyscan -H ${{ secrets.PRODUCTION_HOST }} >> ~/.ssh/known_hosts
-    - name: Deploy to Production
+      - name: Deploy to Production
-      run: |
+        run: |
-        ssh -i ~/.ssh/id_rsa ${{ secrets.PRODUCTION_USER }}@${{ secrets.PRODUCTION_HOST }} << 'EOF'
+          ssh -i ~/.ssh/id_rsa ${{ secrets.PRODUCTION_USER }}@${{ secrets.PRODUCTION_HOST }} << 'EOF'
-          cd /var/www/michaelschiemer
+            cd /var/www/michaelschiemer
-          # Registry-Login
+            # Registry-Login
-          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin
-          # Images pullen
+            # Images pullen
-          docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:latest
+            docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:latest
-          docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:latest
+            docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:latest
-          docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:latest
+            docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:latest
-          # Environment auf latest setzen
+            # Environment auf latest setzen
-          sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=latest/' .env
+            sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=latest/' .env
-          # Services neustarten
+            # Services neustarten
-          docker compose pull
+            docker compose pull
-          docker compose up -d
+            docker compose up -d
-          # Aufräumen
+            # Aufräumen
-          docker system prune -f
+            docker system prune -f
-        EOF
+          EOF
-    - name: Health Check Production
+      - name: Health Check Production
-      run: |
+        run: |
-        sleep 30
+          sleep 30
-        curl -f https://michaelschiemer.de/health || exit 1
+          curl -f https://michaelschiemer.de/health || exit 1
  cleanup:
    needs: [deploy-staging, deploy-production]
@@ -279,11 +280,12 @@ jobs:
    if: always()
    steps:
-    - name: Clean up old images
+      - name: Clean up old images
-      run: |
+        run: |
-        echo "Cleanup läuft..."
+          echo "Cleanup läuft..."
-        # Hier könnten Sie Registry-API-Calls für Cleanup implementieren
+          # Registry cleanup can be implemented here using registry API
-        echo "Cleanup abgeschlossen"
+          # For now, just log that cleanup is running
          echo "Cleanup abgeschlossen"
  notify:
    needs: [deploy-staging, deploy-production]
@@ -291,15 +293,16 @@ jobs:
    if: always()
    steps:
-    - name: Notify Deployment Status
+      - name: Notify Deployment Status
-      run: |
+        run: |
-        STATUS="${{ job.status }}"
+          STATUS="${{ job.status }}"
-        BRANCH="${{ github.ref_name }}"
+          BRANCH="${{ github.ref_name }}"
-        if [ "$STATUS" = "success" ]; then
+          if [ "$STATUS" = "success" ]; then
-          echo "✅ Deployment erfolgreich für Branch: $BRANCH"
+            echo "✅ Deployment erfolgreich für Branch: $BRANCH"
-        else
+          else
-          echo "❌ Deployment fehlgeschlagen für Branch: $BRANCH"
+            echo "❌ Deployment fehlgeschlagen für Branch: $BRANCH"
-        fi
+          fi
-        # Hier könnten Sie Slack/Email-Benachrichtigungen hinzufügen
+          # Hier könnten Sie Slack/Email-Benachrichtigungen hinzufügen
          # Example: curl -X POST -H 'Content-type: application/json' --data '{"text":"Deployment Status: $STATUS for $BRANCH"}' $SLACK_WEBHOOK_URL