name: CI/CD Pipeline für michaelschiemer.de on: push: branches: [ main, develop ] pull_request: branches: [ main ] env: REGISTRY_URL: registry.michaelschiemer.de IMAGE_NAME: michaelschiemer PHP_VERSION: "8.4" jobs: test: runs-on: ubuntu-22.04 services: redis: image: redis:8-alpine mariadb: image: mariadb:latest env: MYSQL_ROOT_PASSWORD: test MYSQL_DATABASE: test steps: - name: Checkout Code uses: actions/checkout@v4 - name: Setup PHP uses: shivammathur/setup-php@v2 with: php-version: ${{ env.PHP_VERSION }} extensions: gd, zip, pdo, pdo_mysql, opcache, pcntl, posix, shmop, redis tools: composer coverage: none - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '18' cache: 'npm' - name: Cache Composer Dependencies uses: actions/cache@v3 with: path: ~/.composer/cache key: composer-${{ hashFiles('**/composer.lock') }} restore-keys: composer- - name: Install Dependencies run: | composer install --no-progress --prefer-dist --optimize-autoloader - name: Build Frontend Assets run: npm install && npm run build - name: Run PHP CS Fixer (Check) run: | composer cs - name: Run Tests run: | ./vendor/bin/pest env: DB_HOST: mariadb DB_PORT: 3306 DB_DATABASE: test DB_USERNAME: root DB_PASSWORD: test REDIS_HOST: redis REDIS_PORT: 6379 security-scan: runs-on: ubuntu-latest needs: test steps: - name: Checkout Code uses: actions/checkout@v4 - name: Setup PHP uses: shivammathur/setup-php@v2 with: php-version: ${{ env.PHP_VERSION }} tools: composer coverage: none - name: Install Dependencies run: | composer install --no-progress --prefer-dist --optimize-autoloader - name: Run Security Scan run: | # Composer-Audit für bekannte Vulnerabilities composer audit --format=json || true # Grundlegende Sicherheitsscans find . -name "*.php" -exec grep -l "eval\|system\|exec\|shell_exec" {} \; || true build: needs: [test, security-scan] runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' steps: - name: Checkout Code uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Private Registry run: | echo ${{ secrets.REGISTRY_PASSWORD }} | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin - name: Determine Image Tag id: tag run: | if [ "${{ github.ref }}" = "refs/heads/main" ]; then echo "tag=latest" >> $GITHUB_OUTPUT echo "env=production" >> $GITHUB_OUTPUT else echo "tag=develop" >> $GITHUB_OUTPUT echo "env=staging" >> $GITHUB_OUTPUT fi - name: Build and Push PHP Image run: | docker buildx build --push \ --platform linux/amd64,linux/arm64 \ --build-arg ENV=${{ steps.tag.outputs.env }} \ --build-arg COMPOSER_INSTALL_FLAGS="--no-scripts --no-autoloader --optimize-autoloader" \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} \ -f docker/php/Dockerfile . - name: Build and Push Nginx Image run: | docker buildx build --push \ --platform linux/amd64,linux/arm64 \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }} \ -f docker/nginx/Dockerfile . - name: Build and Push Worker Image run: | docker buildx build --push \ --platform linux/amd64,linux/arm64 \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} \ -t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }} \ -f docker/worker/Dockerfile . - name: Update Image Tags in Deployment run: | # Für spätere Ansible-Integration echo "Built images with tag: ${{ steps.tag.outputs.tag }}" echo "SHA: ${{ github.sha }}" deploy-staging: needs: build runs-on: ubuntu-latest if: github.ref == 'refs/heads/develop' environment: staging steps: - name: Checkout Code uses: actions/checkout@v4 - name: Setup SSH run: | mkdir -p ~/.ssh echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts - name: Deploy to Staging run: | ssh -i ~/.ssh/id_rsa ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF' cd /var/www/michaelschiemer # Registry-Login echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin # Images pullen docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:develop docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:develop docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:develop # Environment auf develop setzen sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=develop/' .env # Services neustarten docker compose pull docker compose up -d # Aufräumen docker system prune -f EOF - name: Health Check Staging run: | sleep 30 curl -f https://staging.michaelschiemer.de/health || exit 1 deploy-production: needs: build runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' environment: production steps: - name: Checkout Code uses: actions/checkout@v4 - name: Setup SSH run: | mkdir -p ~/.ssh echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa ssh-keyscan -H ${{ secrets.PRODUCTION_HOST }} >> ~/.ssh/known_hosts - name: Deploy to Production run: | ssh -i ~/.ssh/id_rsa ${{ secrets.PRODUCTION_USER }}@${{ secrets.PRODUCTION_HOST }} << 'EOF' cd /var/www/michaelschiemer # Registry-Login echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin # Images pullen docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:latest docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:latest docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:latest # Environment auf latest setzen sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=latest/' .env # Services neustarten docker compose pull docker compose up -d # Aufräumen docker system prune -f EOF - name: Health Check Production run: | sleep 30 curl -f https://michaelschiemer.de/health || exit 1 cleanup: needs: [deploy-staging, deploy-production] runs-on: ubuntu-latest if: always() steps: - name: Clean up old images run: | echo "Cleanup läuft..." # Hier könnten Sie Registry-API-Calls für Cleanup implementieren echo "Cleanup abgeschlossen" notify: needs: [deploy-staging, deploy-production] runs-on: ubuntu-latest if: always() steps: - name: Notify Deployment Status run: | STATUS="${{ job.status }}" BRANCH="${{ github.ref_name }}" if [ "$STATUS" = "success" ]; then echo "✅ Deployment erfolgreich für Branch: $BRANCH" else echo "❌ Deployment fehlgeschlagen für Branch: $BRANCH" fi # Hier könnten Sie Slack/Email-Benachrichtigungen hinzufügen