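---
# APIbase.pro — CI/CD Deploy Pipeline (§12.12, §12.222)
#
# Pipeline: lint → typecheck → test → Docker build → push GHCR → SSH deploy → smoke test
# Deploy strategy (Phase 1): 5-10s downtime acceptable.
# Rollback: automatic on smoke test failure via scripts/deploy.sh.
#
# Required GitHub Secrets:
#   SSH_KEY     — Private key for SSH to Hetzner server
#   SERVER_HOST — Hetzner server IP address
#   DEPLOY_USER — SSH username (not root)
#
# Secrets reach shell steps through `env:` and are read as "$VAR" instead of
# being spliced into the script text with ${{ }}; a multi-line or quote-bearing
# secret value therefore cannot change the shape of the script.
#
# Actions below are referenced by major-version tag; pinning them to full
# commit SHAs (kept current by Dependabot) is the stronger supply-chain posture.

name: Deploy

on:
  push:
    branches: [main]

# Serialise deploys: two pushes to main in quick succession would otherwise run
# scripts/deploy.sh concurrently against the same server. The in-flight deploy
# is allowed to finish rather than being cancelled half-way.
concurrency:
  group: deploy-production
  cancel-in-progress: false

# Least privilege by default; only the build job needs to write packages.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ghcr.io/whiteknightonhorse/apibase
  IMAGE_TAG: sha-${{ github.sha }}

jobs:
  # -------------------------------------------------------------------------
  # Stage 1: Validate (lint + typecheck + test)
  # -------------------------------------------------------------------------
  validate:
    name: Lint + Typecheck + Test
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"

      # --ignore-scripts keeps dependency lifecycle scripts from running on the
      # runner; Prisma's client is generated explicitly in the next step.
      - name: Install dependencies
        run: npm ci --ignore-scripts --legacy-peer-deps

      - name: Generate Prisma client
        run: npx prisma generate

      - name: Lint
        run: npm run lint

      - name: Typecheck
        run: npm run typecheck

      - name: Unit tests
        run: npm run test -- --ci --passWithNoTests

  # -------------------------------------------------------------------------
  # Stage 2: Build Docker image + push to GHCR
  # -------------------------------------------------------------------------
  build:
    name: Build & Push Image
    needs: validate
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Raised only here: GITHUB_TOKEN must be able to push to GHCR.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: docker/Dockerfile
          push: true
          tags: |
            ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
            ${{ env.IMAGE_NAME }}:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max

  # -------------------------------------------------------------------------
  # Stage 3: Deploy to Hetzner via SSH
  # -------------------------------------------------------------------------
  deploy:
    name: Deploy to Production
    needs: build
    runs-on: ubuntu-latest
    timeout-minutes: 10
    environment: production
    steps:
      - name: Setup SSH key
        env:
          SSH_KEY: ${{ secrets.SSH_KEY }}
          SERVER_HOST: ${{ secrets.SERVER_HOST }}
        run: |
          set -euo pipefail
          # umask first so the key file is never world-readable, not even
          # between creation and a later chmod.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$SSH_KEY" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          # First-contact scan of the server's host key. The next step enforces
          # it with StrictHostKeyChecking=yes, so a scan that returns nothing
          # fails the deploy instead of silently connecting unverified.
          # Pinning a known-good host key in a secret would be stronger than
          # trusting whatever the scan returns at run time.
          ssh-keyscan -H "$SERVER_HOST" >> ~/.ssh/known_hosts 2>/dev/null
          test -s ~/.ssh/known_hosts

      - name: Deploy via SSH
        env:
          SERVER_HOST: ${{ secrets.SERVER_HOST }}
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
        run: |
          set -euo pipefail
          # StrictHostKeyChecking=yes makes the known_hosts entry written above
          # binding; IdentitiesOnly=yes offers only the deploy key. GITHUB_SHA
          # is the default runner env var holding the same commit as github.sha.
          ssh -i ~/.ssh/deploy_key \
            -o StrictHostKeyChecking=yes \
            -o IdentitiesOnly=yes \
            "$DEPLOY_USER@$SERVER_HOST" \
            "cd /home/apibase/apibase && bash scripts/deploy.sh $GITHUB_SHA"

      # Runs even when the deploy step fails so the private key does not
      # outlive the job on the runner.
      - name: Cleanup SSH key
        if: always()
        run: rm -f ~/.ssh/deploy_key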