Michael Schiemer
c087d372c2
- Replace git.michaelschiemer.de:5000 (HTTP) with registry.michaelschiemer.de (HTTPS) - Update all Ansible playbooks and configuration files - Update CI/CD workflows to use HTTPS registry endpoint - Update Docker Compose files with new registry URL - Update documentation and scripts Benefits: - Secure HTTPS connection (no insecure registry config needed) - Consistent use of HTTPS endpoint via Traefik - Better security practices for production deployment
302 lines
10 KiB
YAML
302 lines
10 KiB
YAML
name: Production Deployment Pipeline
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
paths-ignore:
|
|
- 'docs/**'
|
|
- '**.md'
|
|
- '.github/**'
|
|
- '.gitea/workflows/**'
|
|
workflow_dispatch:
|
|
inputs:
|
|
skip_tests:
|
|
description: 'Skip tests (emergency only)'
|
|
required: false
|
|
default: false
|
|
type: boolean
|
|
|
|
env:
|
|
REGISTRY: registry.michaelschiemer.de
|
|
IMAGE_NAME: framework
|
|
DEPLOYMENT_HOST: 94.16.110.151
|
|
|
|
jobs:
|
|
# Job 1: Run Tests
|
|
test:
|
|
name: Run Tests & Quality Checks
|
|
runs-on: ubuntu-latest
|
|
if: ${{ !inputs.skip_tests }}
|
|
steps:
|
|
- name: Checkout code
|
|
run: |
|
|
REF_NAME="${{ github.ref_name }}"
|
|
REPO="${{ github.repository }}"
|
|
if [ -z "$REF_NAME" ]; then
|
|
REF_NAME="main"
|
|
fi
|
|
|
|
# Use CI token if available, otherwise try public access
|
|
if [ -n "${{ secrets.CI_TOKEN }}" ]; then
|
|
git clone --depth 1 --branch "$REF_NAME" \
|
|
"https://${{ secrets.CI_TOKEN }}@git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo
|
|
else
|
|
# Try public HTTPS (works if repository is public)
|
|
git clone --depth 1 --branch "$REF_NAME" \
|
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo || \
|
|
# Fallback: Try to use Gitea's internal runner access
|
|
git clone --depth 1 \
|
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo
|
|
fi
|
|
|
|
cd /workspace/repo
|
|
|
|
- name: Setup PHP
|
|
run: |
|
|
# Add sury.org repository for PHP 8.x
|
|
apt-get update
|
|
apt-get install -y lsb-release ca-certificates apt-transport-https software-properties-common
|
|
curl -sSL https://packages.sury.org/php/apt.gpg | apt-key add -
|
|
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
|
|
apt-get update
|
|
|
|
# Install PHP 8.5 (matches composer.json requirement ^8.5 and Dockerfiles)
|
|
# Note: pcntl and sodium are built-in in PHP 8.5, no separate packages needed
|
|
apt-get install -y \
|
|
php8.5 \
|
|
php8.5-cli \
|
|
php8.5-mbstring \
|
|
php8.5-xml \
|
|
php8.5-pdo \
|
|
php8.5-pdo-mysql \
|
|
php8.5-zip \
|
|
php8.5-gd \
|
|
php8.5-intl \
|
|
php8.5-bcmath \
|
|
php8.5-redis \
|
|
composer
|
|
|
|
- name: Cache Composer dependencies (simple)
|
|
run: |
|
|
if [ -d "/tmp/composer-cache/vendor" ]; then
|
|
echo "📦 Restoring cached dependencies..."
|
|
cp -r /tmp/composer-cache/vendor /workspace/repo/vendor || true
|
|
fi
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
cd /workspace/repo
|
|
composer install --no-interaction --prefer-dist --optimize-autoloader
|
|
|
|
- name: Save Composer cache
|
|
run: |
|
|
mkdir -p /tmp/composer-cache
|
|
cp -r /workspace/repo/vendor /tmp/composer-cache/vendor || true
|
|
|
|
- name: Run Pest tests
|
|
run: |
|
|
cd /workspace/repo
|
|
./vendor/bin/pest --colors=always
|
|
|
|
- name: Run PHPStan
|
|
run: |
|
|
cd /workspace/repo
|
|
make phpstan
|
|
|
|
- name: Code style check
|
|
run: |
|
|
cd /workspace/repo
|
|
composer cs
|
|
|
|
# Job 2: Build & Push Docker Image
|
|
build:
|
|
name: Build Docker Image
|
|
needs: test
|
|
if: always() && (needs.test.result == 'success' || needs.test.result == 'skipped')
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
image_tag: ${{ steps.meta.outputs.tag }}
|
|
commit_sha: ${{ steps.meta.outputs.commit_sha }}
|
|
steps:
|
|
- name: Checkout code
|
|
run: |
|
|
REF_NAME="${{ github.ref_name }}"
|
|
REPO="${{ github.repository }}"
|
|
if [ -z "$REF_NAME" ]; then
|
|
REF_NAME="main"
|
|
fi
|
|
|
|
# Use CI token if available, otherwise try public access
|
|
if [ -n "${{ secrets.CI_TOKEN }}" ]; then
|
|
git clone --depth 1 --branch "$REF_NAME" \
|
|
"https://${{ secrets.CI_TOKEN }}@git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo
|
|
else
|
|
# Try public HTTPS (works if repository is public)
|
|
git clone --depth 1 --branch "$REF_NAME" \
|
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo || \
|
|
# Fallback: Try to use Gitea's internal runner access
|
|
git clone --depth 1 \
|
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo
|
|
fi
|
|
|
|
cd /workspace/repo
|
|
|
|
- name: Setup Docker Buildx
|
|
run: |
|
|
docker buildx create --name builder --use || docker buildx use builder
|
|
docker buildx inspect --bootstrap
|
|
|
|
- name: Generate image metadata
|
|
id: meta
|
|
run: |
|
|
cd /workspace/repo
|
|
# Gitea Actions supports github.sha for compatibility
|
|
COMMIT_SHA="${{ github.sha }}"
|
|
if [ -z "$COMMIT_SHA" ]; then
|
|
COMMIT_SHA=$(git rev-parse HEAD)
|
|
fi
|
|
SHORT_SHA=$(echo "$COMMIT_SHA" | cut -c1-7)
|
|
TAG="${SHORT_SHA}-$(date +%s)"
|
|
echo "tag=${TAG}" >> $GITHUB_OUTPUT
|
|
echo "short_sha=${SHORT_SHA}" >> $GITHUB_OUTPUT
|
|
echo "commit_sha=${COMMIT_SHA}" >> $GITHUB_OUTPUT
|
|
echo "Generated tag: ${TAG}"
|
|
|
|
- name: Login to Registry
|
|
run: |
|
|
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u ${{ secrets.REGISTRY_USER }} --password-stdin
|
|
|
|
- name: Build and push Docker image
|
|
run: |
|
|
cd /workspace/repo
|
|
COMMIT_SHA="${{ github.sha }}"
|
|
if [ -z "$COMMIT_SHA" ]; then
|
|
COMMIT_SHA=$(git rev-parse HEAD)
|
|
fi
|
|
REF_NAME="${{ github.ref_name }}"
|
|
if [ -z "$REF_NAME" ]; then
|
|
REF_NAME=$(git rev-parse --abbrev-ref HEAD)
|
|
fi
|
|
SHORT_SHA=$(echo "$COMMIT_SHA" | cut -c1-7)
|
|
TAG="${SHORT_SHA}-$(date +%s)"
|
|
|
|
# Build with cache
|
|
docker buildx build \
|
|
--platform linux/amd64 \
|
|
--file ./Dockerfile.production \
|
|
--tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
|
|
--tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${TAG} \
|
|
--tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:git-${SHORT_SHA} \
|
|
--cache-from type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache \
|
|
--cache-to type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max \
|
|
--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
|
|
--build-arg GIT_COMMIT=${COMMIT_SHA} \
|
|
--build-arg GIT_BRANCH=${REF_NAME} \
|
|
--push \
|
|
.
|
|
|
|
- name: Image scan for vulnerabilities
|
|
run: |
|
|
echo "✅ Image built successfully: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.tag }}"
|
|
|
|
# Job 3: Deploy to Production
|
|
deploy:
|
|
name: Deploy to Production Server
|
|
needs: build
|
|
runs-on: ubuntu-latest
|
|
environment:
|
|
name: production
|
|
url: https://michaelschiemer.de
|
|
steps:
|
|
- name: Checkout deployment scripts
|
|
run: |
|
|
REF_NAME="${{ github.ref_name }}"
|
|
REPO="${{ github.repository }}"
|
|
if [ -z "$REF_NAME" ]; then
|
|
REF_NAME="main"
|
|
fi
|
|
|
|
# Use CI token if available, otherwise try public access
|
|
if [ -n "${{ secrets.CI_TOKEN }}" ]; then
|
|
git clone --depth 1 --branch "$REF_NAME" \
|
|
"https://${{ secrets.CI_TOKEN }}@git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo
|
|
else
|
|
# Try public HTTPS (works if repository is public)
|
|
git clone --depth 1 --branch "$REF_NAME" \
|
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo || \
|
|
# Fallback: Try to use Gitea's internal runner access
|
|
git clone --depth 1 \
|
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo
|
|
fi
|
|
|
|
cd /workspace/repo
|
|
|
|
- name: Setup SSH key
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/production
|
|
chmod 600 ~/.ssh/production
|
|
ssh-keyscan -H ${{ env.DEPLOYMENT_HOST }} >> ~/.ssh/known_hosts
|
|
|
|
# Ansible is pre-installed in php-ci image
|
|
- name: Verify Ansible installation
|
|
run: ansible --version
|
|
|
|
- name: Deploy via Ansible
|
|
run: |
|
|
cd /workspace/repo/deployment/ansible
|
|
ansible-playbook -i inventory/production.yml \
|
|
playbooks/deploy-update.yml \
|
|
-e "image_tag=${{ needs.build.outputs.image_tag }}" \
|
|
-e "git_commit_sha=${{ needs.build.outputs.commit_sha }}" \
|
|
-e "deployment_timestamp=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
|
|
-e "docker_registry_username=${{ secrets.REGISTRY_USER }}" \
|
|
-e "docker_registry_password=${{ secrets.REGISTRY_PASSWORD }}"
|
|
|
|
- name: Wait for deployment to stabilize
|
|
run: sleep 30
|
|
|
|
- name: Health check
|
|
id: health
|
|
run: |
|
|
for i in {1..10}; do
|
|
if curl -f -k https://michaelschiemer.de/health; then
|
|
echo "✅ Health check passed"
|
|
exit 0
|
|
fi
|
|
echo "⏳ Waiting for service... (attempt $i/10)"
|
|
sleep 10
|
|
done
|
|
echo "❌ Health check failed"
|
|
exit 1
|
|
|
|
- name: Rollback on failure
|
|
if: failure() && steps.health.outcome == 'failure'
|
|
run: |
|
|
cd /workspace/repo/deployment/ansible
|
|
ansible-playbook -i inventory/production.yml \
|
|
playbooks/rollback.yml
|
|
|
|
- name: Notify deployment success
|
|
if: success()
|
|
run: |
|
|
echo "🚀 Deployment successful!"
|
|
echo "Image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag }}"
|
|
echo "Commit: ${{ needs.build.outputs.commit_sha }}"
|
|
|
|
- name: Notify deployment failure
|
|
if: failure()
|
|
run: |
|
|
echo "❌ Deployment failed and was rolled back"
|
|
# TODO: Add Slack/Email notification
|