deployment to railway

Author: onlycs

.env

@@ -4,97 +4,77 @@ on:
   push:
     branches:
       - main
+    paths:
+      - "**.rs"
+      - "**.vue"
+      - "**.ts"
+      - ".github/workflows/deploy.yaml"
+      - "**Dockerfile"
   workflow_dispatch:
 
 jobs:
-  setup:
+  deploy:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Set up Rust
-        uses: dtolnay/rust-toolchain@master
+      - name: Login to Google Cloud
+        id: gcp-auth
+        uses: google-github-actions/auth@v2
         with:
-          toolchain: nightly-2025-11-15
-          targets: wasm32-unknown-unknown
-
-      - name: Install wasm-pack
-        uses: jetli/[email protected]
+          token_format: "access_token"
+          project_id: ${{ secrets.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ secrets.GCP_WLIF_PROVIDER }}
+          service_account: ${{ secrets.GCP_SA }}
+          access_token_lifetime: 600s
 
-      - name: Install Bun
-        uses: oven-sh/setup-bun@v2
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Restore Cargo cache
+      - name: Restore build cache
         uses: actions/cache/restore@v4
-        id: cargo-cache
+        id: build-cache
         with:
           path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ~/.cargo/bin
             src-api/target
             src-crypto/target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: ${{ runner.os }}-cargo-
-
-      - name: Install dependencies and run postinstall
-        run: bun i
-        env:
-          DATABASE_URL: ${{ secrets.DATABASE_URL }}
-
-      - name: Save Cargo cache
-        if: always()
-        uses: actions/cache/save@v4
-        with:
-          path: |
+            src-macro/target
+            ~/.cargo/bin
             ~/.cargo/registry
             ~/.cargo/git
-            ~/.cargo/bin
-            src-api/target
-            src-crypto/target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-
-      - name: Upload workspace
-        uses: actions/upload-artifact@v4
-        with:
-          name: workspace
-          path: |
-            .
-            !.git
-          retention-days: 1
-
-  api:
-    needs: setup
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      id-token: write
-
-    steps:
-      - name: Download workspace
-        uses: actions/download-artifact@v4
-        with:
-          name: workspace
+            node_modules
+          key: ${{ runner.os }}-build-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-build-${{ hashFiles('**/Cargo.lock') }}
+            ${{ runner.os }}-build-${{ hashFiles('**/package-lock.json') }}
+            ${{ runner.os }}-build-
 
       - name: Set up Rust
+        if: steps.build-cache.outputs.cache-hit != 'true'
         uses: dtolnay/rust-toolchain@master
         with:
           toolchain: nightly-2025-11-15
+          targets: wasm32-unknown-unknown
+          components: rustfmt
 
-      - name: Restore Cargo cache
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ~/.cargo/bin
-            src-api/target
-            src-crypto/target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: ${{ runner.os }}-cargo-
+      - name: Write to .env
+        run: |
+          echo "DATABASE_URL=${{ secrets.DATABASE_URL }}" > src-api/.env
+
+      - name: Install wasm-pack
+        uses: jetli/[email protected]
+
+      - name: Install Bun
+        uses: oven-sh/setup-bun@v2
 
       - name: Check if sqlx CLI is cached
         id: checkfile
@@ -113,92 +93,84 @@ jobs:
         env:
           DATABASE_URL: ${{ secrets.DATABASE_URL }}
 
-      - name: Build API (release)
-        run: cargo build --release --locked
-        working-directory: src-api
+      - name: Install dependencies and run postinstall
+        run: |
+          echo "DATABASE_URL=${{ secrets.DATABASE_URL }}" > src-api/.env
+          bun i
         env:
           DATABASE_URL: ${{ secrets.DATABASE_URL }}
 
-      - name: Login to Google Cloud
-        id: gcp-auth
-        uses: google-github-actions/auth@v2
-        with:
-          token_format: "access_token"
-          project_id: ${{ secrets.GCP_PROJECT_ID }}
-          workload_identity_provider: ${{ secrets.GCP_WLIF_PROVIDER }}
-          service_account: ${{ secrets.GCP_SA }}
-          access_token_lifetime: 600s
+      - name: Build API
+        working-directory: src-api
+        run: cargo build --release --locked --no-default-features
+        env:
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Build API image
+        run: docker build . -t onlycs/attendance:api -f Dockerfile.api
 
-      - name: Login to Artifact Registry
-        uses: docker/login-action@v2
-        with:
-          registry: us-central1-docker.pkg.dev
-          username: oauth2accesstoken
-          password: ${{ steps.gcp-auth.outputs.access_token }}
+      - name: Generate static site
+        run: bun generate
 
-      - name: Build Docker image
+      - name: Build API (include static assets)
         working-directory: src-api
-        run: |
-          docker build . -t onlycs/attendance:latest -t us-central1-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/attendance/attendance:latest
+        run: cargo build --release --locked
+        env:
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+
+      - name: Build standard image
+        run: docker build . -t onlycs/attendance:latest
 
-      - name: Push Docker image
+      - name: Push Docker images
         run: |
-          docker push us-central1-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/attendance/attendance:latest
+          docker push onlycs/attendance:api
           docker push onlycs/attendance:latest
 
-      - name: Deploy to Cloud Run
+      - name: Regenerate frontend for ourselves
         run: |
-          gcloud run deploy attendance \
-          --image=us-central1-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/attendance/attendance:latest \
-          --platform=managed \
-          --region=us-central1 \
-          --allow-unauthenticated
-
-  static:
-    needs: setup
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      id-token: write
-
-    steps:
-      - name: Download workspace
-        uses: actions/download-artifact@v4
-        with:
-          name: workspace
-
-      - name: Install Bun
-        uses: oven-sh/setup-bun@v2
-
-      - name: Install dependencies
-        run: bun i --frozen-lockfile
-        env:
-          DATABASE_URL: ${{ secrets.DATABASE_URL }}
-
-      - name: Generate static site
-        run: bun generate
+          rm -rf .output
+          echo "NUXT_PUBLIC_API_URL=${{ secrets.API_URL }}" > .env
+          bun generate
         env:
           API_URL: ${{ secrets.API_URL }}
-          DATABASE_URL: ${{ secrets.DATABASE_URL }}
-
-      - name: Login to Google Cloud
-        uses: google-github-actions/auth@v2
-        with:
-          project_id: ${{ secrets.GCP_PROJECT_ID }}
-          workload_identity_provider: ${{ secrets.GCP_WLIF_PROVIDER }}
-          service_account: ${{ secrets.GCP_SA }}
 
-      - name: Deploy to Firebase Hosting
+      - name: Deploy API to GCE
+        run: |
+          gcloud compute ssh attendance-vm \
+            --zone=us-central1-a \
+            --tunnel-through-iap \
+            --command="
+              sudo docker pull onlycs/attendance:api &&
+              sudo docker stop attendance || true &&
+              sudo docker rm attendance || true &&
+              sudo docker run -d \
+                --name attendance \
+                --restart always \
+                --network=attendance-net \
+                -e DATABASE_URL='${{ secrets.DATABASE_URL }}' \
+                -e JWT_SECRET='${{ secrets.JWT_SECRET }}' \
+                -p 8080:8080 \
+                onlycs/attendance:api
+            "
+
+      - name: Deploy Static to Firebase Hosting
         uses: FirebaseExtended/action-hosting-deploy@v0
         with:
           repoToken: ${{ secrets.GITHUB_TOKEN }}
-          firebaseServiceAccount: ${{ secrets.GCP_SA }}
+          firebaseServiceAccount: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_RIVER_WAVE_445602_N7 }}
           channelId: live
           projectId: ${{ secrets.GCP_PROJECT_ID }}
+
+      - name: Save Build cache
+        if: always()
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            src-api/target
+            src-crypto/target
+            src-macro/target
+            ~/.cargo/bin
+            ~/.cargo/registry
+            ~/.cargo/git
+            node_modules
+          key: ${{ runner.os }}-build-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/package-lock.json') }}

.github/workflows/deploy.yml

@@ -30,3 +30,6 @@ app/wasm/*
 app/utils/api/hey/*
 app/utils/api/client.ts
 src-api/openapi.yml
+
+.firebaserc
+.firebase

.gitignore

@@ -0,0 +1,9 @@
+FROM rustlang/rust:nightly
+
+WORKDIR /var/www/attendance
+COPY ./src-api/target/release/attendance-api .
+COPY start.sh .
+COPY ./.output/public ./static
+RUN chmod +x start.sh
+
+CMD ["./start.sh"]

Dockerfile

@@ -0,0 +1,8 @@
+FROM rustlang/rust:nightly
+
+WORKDIR /var/www/attendance
+COPY ./start.sh .
+COPY ./src-api/target/release/attendance-api .
+RUN chmod +x start.sh
+
+CMD ["./start.sh"]

Dockerfile.api

@@ -8,10 +8,10 @@ wasm:
 	@echo "=== Building WASM package"
 	cd src-crypto && rm -rf pkg && wasm-pack build --target web --release
 	@echo "=== Copying package files"
-	rm -rf app/wasm
-	cp -r src-crypto/pkg app/wasm
+	rm -rf public/wasm
+	cp -r src-crypto/pkg public/wasm
 	@echo "=== Patching workerHelpers.js files"
-	sed -i 's|\.\./\.\./\.\.|../../../attendance_crypto.js|g' app/wasm/snippets/*/src/workerHelpers.js
+	sed -i 's|\.\./\.\./\.\.|../../../attendance_crypto.js|g' public/wasm/snippets/*/src/workerHelpers.js
 
 openapi:
 	@echo "=== Generating OpenAPI spec"

Makefile

@@ -1,3 +1,52 @@
 # Attendance
 
-This was such a big update, readme incoming soon!
+An FRC-focused attendance tracker.
+
+## Features
+
+- **QR Code Logins**: Students can scan a QR code to sign in
+- **Fully encrypted**: All student information is fully encrypted, complying with NYS-ED laws (or so I'm told)
+- **Admin Dashboard and Editor**: Admins can view and edit attendance records, student information, and more.
+- **Hour Types**: Record build season, learning days, offseason, or outreach hours separately.
+- **API**: Includes a REST API with OpenAPI documentation at `/api/docs` or `/api/openapi.yml`
+- **Mobile Friendly**: Includes a seperate mobile interface for both students and admins
+
+## Deployment
+
+1. Deploy the docker container. Railway is by far the easiest way to do this.
+   [![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/wWtiqs?referralCode=Y3VMtD&utm_medium=integration&utm_source=template&utm_campaign=generic)
+    1. To set the timezone (`TZ`), use the [database timezone format](https://wikipedia.org/wiki/List_of_tz_database_time_zones).
+    2. Set the `JWT_SECRET` to a large (>32 character), random password. You do not need to remember this.
+
+2. On your app's dashboard, select `onlycs/attendance`, and then `Settings` > `Networking`. If your team has a domain
+   (e.g. `attendance.team2791.org`), add a `Custom Domain`. Otherwise, generate a domain.
+
+    <img src="https://github.com/onlycs/attendance/blob/main/assets/deploy-railway-url.png?raw=true" alt="URL Settings" width="69%">
+
+3. Visit `https://<your-domain>/onboard`, and click `Get a new setup token`. To view this, in Railway, select `onlycs/attendance`, and then `Deployments` > `View Logs`.
+
+   <p align="center">
+     <img src="https://github.com/onlycs/attendance/blob/main/assets/deploy-railway-logs.png?raw=true" alt="Logs" width="69%">
+     <img src="https://github.com/onlycs/attendance/blob/main/assets/deploy-railway-token.png?raw=true" alt="Setup Token" width="69%">
+   </p>
+
+4. Use the setup token, enter the initial admin username and password, and you're all set!
+
+## Further configuration
+
+- **Inviting Admins**: `Settings` > `Invitation`
+- **Student ID Format**: `Settings` > `User Management` > `Student ID Configuration`
+- **Hour Goals or Requirements**: `Settings` > `Attendance`
+- **Change Username or Password**: `Settings` > `My Account`
+
+## Screenshots
+
+![Attendance UI](https://github.com/onlycs/attendance/blob/main/assets/sc-attendance.png?raw=true)
+![Admin Dashboard](https://github.com/onlycs/attendance/blob/main/assets/sc-dashboard.png?raw=true)
+![Admin Settings UI](https://github.com/onlycs/attendance/blob/main/assets/sc-settings.png?raw=true)
+![Hours Editor](https://github.com/onlycs/attendance/blob/main/assets/sc-editor-censored.png?raw=true)
+
+<p align="center">
+  <img src="https://github.com/onlycs/attendance/blob/main/assets/sc-mobile.png?raw=true" alt="Student Mobile UI" width="29%">
+  <img src="https://github.com/onlycs/attendance/blob/main/assets/sc-sign-in.png?raw=true" alt="Login Page" width="69%">
+</p>