name: CI/CD Pipeline für michaelschiemer.de on: push: branches: [ main, develop ] pull_request: branches: [ main ] env: REGISTRY_URL: docker-registry:5000 # Internal network name for Gitea runner IMAGE_NAME: michaelschiemer PHP_VERSION: "8.4" jobs: test: runs-on: ubuntu-latest container: image: node:18-bullseye services: redis: image: redis:8-alpine ports: - 6379:6379 mariadb: image: mariadb:latest env: MYSQL_ROOT_PASSWORD: test MYSQL_DATABASE: test ports: - 3306:3306 steps: - name: Install System Dependencies run: | apt-get update apt-get install -y git curl wget gnupg2 software-properties-common lsb-release ca-certificates apt-transport-https - name: Debug Environment run: | echo "=== Environment Debug ===" echo "PWD: $(pwd)" echo "USER: $(whoami)" echo "PATH: $PATH" echo "Available commands:" which git || echo "git not found" which node || echo "node not found" which npm || echo "npm not found" echo "Node version: $(node --version)" echo "NPM version: $(npm --version)" echo "OS Info:" cat /etc/os-release || echo "os-release not found" echo "=== End Debug ===" - name: Checkout Code uses: actions/checkout@v4 - name: Setup PHP run: | # Install PHP 8.4 wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list apt-get update apt-get install -y php8.4-cli php8.4-common php8.4-curl php8.4-zip php8.4-gd php8.4-mysql php8.4-xml php8.4-mbstring php8.4-json php8.4-intl php8.4-bcmath php8.4-redis - name: Install Composer run: | curl -sS https://getcomposer.org/installer | php mv composer.phar /usr/local/bin/composer chmod +x /usr/local/bin/composer - name: Cache Composer Dependencies uses: actions/cache@v4 with: path: ~/.composer/cache key: composer-${{ hashFiles('**/composer.lock') }} restore-keys: composer- - name: Install Dependencies run: | composer install --no-progress --prefer-dist --optimize-autoloader - name: Build Frontend Assets run: npm install && npm run build - name: Run PHP CS Fixer (Check) run: | composer cs - name: Run Tests run: | ./vendor/bin/pest env: DB_HOST: mariadb DB_PORT: 3306 DB_DATABASE: test DB_USERNAME: root DB_PASSWORD: test REDIS_HOST: redis REDIS_PORT: 6379 security-scan: runs-on: ubuntu-latest container: image: node:18-bullseye needs: test steps: - name: Install System Dependencies run: | apt-get update apt-get install -y git curl wget gnupg2 software-properties-common lsb-release ca-certificates apt-transport-https - name: Checkout Code uses: actions/checkout@v4 - name: Setup PHP run: | # Install PHP 8.4 wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list apt-get update apt-get install -y php8.4-cli php8.4-common php8.4-curl php8.4-zip php8.4-gd php8.4-mysql php8.4-xml php8.4-mbstring php8.4-json php8.4-intl php8.4-bcmath - name: Install Composer run: | curl -sS https://getcomposer.org/installer | php mv composer.phar /usr/local/bin/composer chmod +x /usr/local/bin/composer - name: Install Dependencies run: | composer install --no-progress --prefer-dist --optimize-autoloader - name: Run Security Scan run: | # Composer-Audit für bekannte Vulnerabilities composer audit --format=json || true # Grundlegende Sicherheitsscans find . -name "*.php" -exec grep -l "eval\|system\|exec\|shell_exec" {} \; || true build: needs: [test, security-scan] runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' steps: - name: Checkout Code uses: actions/checkout@v4 - name: Login to Private Registry run: | echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin - name: Determine Image Tag id: tag run: | if [ "${{ github.ref }}" = "refs/heads/main" ]; then echo "tag=latest" >> $GITHUB_OUTPUT echo "env=production" >> $GITHUB_OUTPUT else echo "tag=develop" >> $GITHUB_OUTPUT echo "env=staging" >> $GITHUB_OUTPUT fi - name: Build and Push PHP Image run: | docker build \ --build-arg ENV=${{ steps.tag.outputs.env }} \ --build-arg COMPOSER_INSTALL_FLAGS="--no-scripts --no-autoloader --optimize-autoloader" \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} \ -f docker/php/Dockerfile . docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} - name: Build and Push Nginx Image run: | docker build \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }} \ -f docker/nginx/Dockerfile . docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }} - name: Build and Push Worker Image run: | docker build \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }} \ -f docker/worker/Dockerfile . docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} docker push ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }} - name: Update Image Tags in Deployment run: | echo "Built images with tag: ${{ steps.tag.outputs.tag }}" echo "SHA: ${{ github.sha }}" deploy-staging: needs: build runs-on: ubuntu-latest if: github.ref == 'refs/heads/develop' environment: staging steps: - name: Checkout Code uses: actions/checkout@v4 - name: Install SSH Client run: | apt-get update apt-get install -y openssh-client - name: Setup SSH run: | mkdir -p ~/.ssh echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts - name: Deploy to Staging run: | ssh -i ~/.ssh/id_rsa ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF' cd /var/www/michaelschiemer # Registry-Login echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin # Images pullen docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:develop docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:develop docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:develop # Environment auf develop setzen sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=develop/' .env # Services neustarten docker compose pull docker compose up -d # Aufräumen docker system prune -f EOF - name: Health Check Staging run: | sleep 30 curl -f https://staging.michaelschiemer.de/health || exit 1 deploy-production: needs: build runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' environment: production steps: - name: Checkout Code uses: actions/checkout@v4 - name: Install SSH Client run: | apt-get update apt-get install -y openssh-client - name: Setup SSH run: | mkdir -p ~/.ssh echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa ssh-keyscan -H ${{ secrets.PRODUCTION_HOST }} >> ~/.ssh/known_hosts - name: Deploy to Production run: | ssh -i ~/.ssh/id_rsa ${{ secrets.PRODUCTION_USER }}@${{ secrets.PRODUCTION_HOST }} << 'EOF' cd /var/www/michaelschiemer # Registry-Login echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u admin --password-stdin # Images pullen docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:latest docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:latest docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:latest # Environment auf latest setzen sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=latest/' .env # Services neustarten docker compose pull docker compose up -d # Aufräumen docker system prune -f EOF - name: Health Check Production run: | sleep 30 curl -f https://michaelschiemer.de/health || exit 1 cleanup: needs: [deploy-staging, deploy-production] runs-on: ubuntu-latest if: always() steps: - name: Clean up old images run: | echo "Cleanup läuft..." echo "Cleanup abgeschlossen" notify: needs: [deploy-staging, deploy-production] runs-on: ubuntu-latest if: always() steps: - name: Notify Deployment Status run: | STATUS="${{ job.status }}" BRANCH="${{ github.ref_name }}" if [ "$STATUS" = "success" ]; then echo "✅ Deployment erfolgreich für Branch: $BRANCH" else echo "❌ Deployment fehlgeschlagen für Branch: $BRANCH" fi