michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
60bccc0ca906bbfa070c577732e3d709dccc5ce2
michaelschiemer/.gitea/workflows/ci-cd.yml

292 lines
8.6 KiB
YAML
Raw Blame History

name: CI/CD Pipeline für michaelschiemer.de
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
env:
REGISTRY_URL: registry.michaelschiemer.de
IMAGE_NAME: michaelschiemer
PHP_VERSION: "8.4"
jobs:
test:
runs-on: ubuntu-22.04
services:
redis:
image: redis:8-alpine
mariadb:
image: mariadb:latest
env:
MYSQL_ROOT_PASSWORD: test
MYSQL_DATABASE: test
steps:
- name: Checkout Code
run: |
git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
ls -la
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ env.PHP_VERSION }}
extensions: gd, zip, pdo, pdo_mysql, opcache, pcntl, posix, shmop, redis
tools: composer
coverage: none
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'
- name: Cache Composer Dependencies
uses: actions/cache@v3
with:
path: ~/.composer/cache
key: composer-${{ hashFiles('**/composer.lock') }}
restore-keys: composer-
- name: Install Dependencies
run: |
composer install --no-progress --prefer-dist --optimize-autoloader
- name: Build Frontend Assets
run: npm install && npm run build
- name: Run PHP CS Fixer (Check)
run: |
composer cs
- name: Run Tests
run: |
./vendor/bin/pest
env:
DB_HOST: mariadb
DB_PORT: 3306
DB_DATABASE: test
DB_USERNAME: root
DB_PASSWORD: test
REDIS_HOST: redis
REDIS_PORT: 6379
security-scan:
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout Code
run: |
git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
ls -la
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ env.PHP_VERSION }}
tools: composer
coverage: none
- name: Install Dependencies
run: |
composer install --no-progress --prefer-dist --optimize-autoloader
- name: Run Security Scan
run: |
# Composer-Audit für bekannte Vulnerabilities
composer audit --format=json || true
# Grundlegende Sicherheitsscans
find . -name "*.php" -exec grep -l "eval\|system\|exec\|shell_exec" {} \; || true
build:
needs: [test, security-scan]
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop'
steps:
- name: Checkout Code
run: |
git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
ls -la
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Private Registry
run: |
echo ${{ secrets.REGISTRY_PASSWORD }} | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin
- name: Determine Image Tag
id: tag
run: |
if [ "${{ github.ref }}" = "refs/heads/main" ]; then
echo "tag=latest" >> $GITHUB_OUTPUT
echo "env=production" >> $GITHUB_OUTPUT
else
echo "tag=develop" >> $GITHUB_OUTPUT
echo "env=staging" >> $GITHUB_OUTPUT
fi
- name: Build and Push PHP Image
run: |
docker buildx build --push \
--platform linux/amd64,linux/arm64 \
--build-arg ENV=${{ steps.tag.outputs.env }} \
--build-arg COMPOSER_INSTALL_FLAGS="--no-scripts --no-autoloader --optimize-autoloader" \
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ steps.tag.outputs.tag }} \
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:${{ github.sha }} \
-f docker/php/Dockerfile .
- name: Build and Push Nginx Image
run: |
docker buildx build --push \
--platform linux/amd64,linux/arm64 \
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ steps.tag.outputs.tag }} \
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:${{ github.sha }} \
-f docker/nginx/Dockerfile .
- name: Build and Push Worker Image
run: |
docker buildx build --push \
--platform linux/amd64,linux/arm64 \
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ steps.tag.outputs.tag }} \
-t ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:${{ github.sha }} \
-f docker/worker/Dockerfile .
- name: Update Image Tags in Deployment
run: |
# Für spätere Ansible-Integration
echo "Built images with tag: ${{ steps.tag.outputs.tag }}"
echo "SHA: ${{ github.sha }}"
deploy-staging:
needs: build
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/develop'
environment: staging
steps:
- name: Checkout Code
run: |
git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
ls -la
- name: Setup SSH
run: |
mkdir -p ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts
- name: Deploy to Staging
run: |
ssh -i ~/.ssh/id_rsa ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF'
cd /var/www/michaelschiemer
# Registry-Login
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin
# Images pullen
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:develop
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:develop
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:develop
# Environment auf develop setzen
sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=develop/' .env
# Services neustarten
docker compose pull
docker compose up -d
# Aufräumen
docker system prune -f
EOF
- name: Health Check Staging
run: |
sleep 30
curl -f https://staging.michaelschiemer.de/health || exit 1
deploy-production:
needs: build
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
environment: production
steps:
- name: Checkout Code
run: |
git clone --depth=1 --branch=${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} .
ls -la
- name: Setup SSH
run: |
mkdir -p ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H ${{ secrets.PRODUCTION_HOST }} >> ~/.ssh/known_hosts
- name: Deploy to Production
run: |
ssh -i ~/.ssh/id_rsa ${{ secrets.PRODUCTION_USER }}@${{ secrets.PRODUCTION_HOST }} << 'EOF'
cd /var/www/michaelschiemer
# Registry-Login
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin
# Images pullen
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/php:latest
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/nginx:latest
docker pull ${{ env.REGISTRY_URL }}/${{ env.IMAGE_NAME }}/worker:latest
# Environment auf latest setzen
sed -i 's/IMAGE_TAG=.*/IMAGE_TAG=latest/' .env
# Services neustarten
docker compose pull
docker compose up -d
# Aufräumen
docker system prune -f
EOF
- name: Health Check Production
run: |
sleep 30
curl -f https://michaelschiemer.de/health || exit 1
cleanup:
needs: [deploy-staging, deploy-production]
runs-on: ubuntu-latest
if: always()
steps:
- name: Clean up old images
run: |
echo "Cleanup läuft..."
# Hier könnten Sie Registry-API-Calls für Cleanup implementieren
echo "Cleanup abgeschlossen"
notify:
needs: [deploy-staging, deploy-production]
runs-on: ubuntu-latest
if: always()
steps:
- name: Notify Deployment Status
run: |
STATUS="${{ job.status }}"
BRANCH="${{ github.ref_name }}"
if [ "$STATUS" = "success" ]; then
echo "✅ Deployment erfolgreich für Branch: $BRANCH"
else
echo "❌ Deployment fehlgeschlagen für Branch: $BRANCH"
fi
# Hier könnten Sie Slack/Email-Benachrichtigungen hinzufügen
Reference in New Issue View Git Blame Copy Permalink