call-redeployment-webhook.yml
# Redeploy Webhook Call
# Optional input images: JSON object of image overrides (e.g. {"gateway_image": "user/repo:v1", "htmt_api_image": "user/api:v2"}).
# Server applies them before redeploy: gateway_image updates gateway .env and restarts gateway; other keys are written to scripts .env as UPPER_SNAKE_CASE.
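name: Redeploy Webhook Call

# Two entry points with the same inputs: a manual run (workflow_dispatch) and a
# reusable-workflow call (workflow_call). In both cases `env` is allow-listed by
# the validate-env job, while `images` is forwarded unchanged as the POST body
# of the webhook request; this workflow does not check that it is valid JSON.
on:
  workflow_dispatch:
    inputs:
      env:
        description: "Environment (prod or staging)"
        required: true
        type: string
      images:
        description: 'Optional JSON image overrides (e.g. {"gateway_image": "user/repo:tag"})'
        required: false
        type: string
        default: "{}"
  workflow_call:
    inputs:
      env:
        description: "Environment (prod or staging)"
        required: true
        type: string
      images:
        description: 'Optional JSON image overrides (e.g. {"gateway_image": "user/repo:tag"})'
        required: false
        type: string
        default: "{}"

# None of the jobs in this workflow checks out the repository or calls the
# GitHub API, so the automatic GITHUB_TOKEN is given no scopes at all.
permissions: {}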
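jobs:
  # Lower-cases the requested environment and allow-lists it to "prod" or
  # "staging". Later jobs use the normalised value to select the GitHub
  # environment, the webhook secret and the hook id suffix.
  validate-env:
    name: Validate env
    runs-on: ubuntu-latest
    outputs:
      env_normalized: ${{ steps.normalize.outputs.env_normalized }}
    steps:
      - name: Validate env
        id: normalize
        env:
          # The input reaches the script as an environment variable instead of
          # being expanded inside the script text. An expression inside `run`
          # is substituted before bash parses the script, so a crafted value
          # (for example from a caller of workflow_call) would be executed as
          # shell code on the runner.
          INPUT_ENV: ${{ inputs.env }}
        run: |
          env="$INPUT_ENV"
          if [[ -z "$env" ]]; then
            echo "ERROR: env is required (no default)."
            exit 1
          fi
          env_lower=$(echo "$env" | tr '[:upper:]' '[:lower:]')
          # Exact-match allow-list: only these two values ever reach GITHUB_OUTPUT.
          if [[ "$env_lower" != "prod" && "$env_lower" != "staging" ]]; then
            echo "ERROR: env must be 'prod' or 'staging' (got: $env)."
            exit 1
          fi
          echo "env_normalized=$env_lower" >> "$GITHUB_OUTPUT"
        shell: bash

  # Fails early, with the name of each missing variable or secret, before the
  # webhook is called.
  check-required-config:
    name: Check required vars and secrets
    runs-on: ubuntu-latest
    needs: [validate-env]
    environment:
      name: ${{ needs.validate-env.outputs.env_normalized }}
    steps:
      - name: Check required vars and secrets
        env:
          ENV: ${{ needs.validate-env.outputs.env_normalized }}
          VPS_IP: ${{ vars.VPS_IP }}
          REDEPLOYMENT_WEBHOOK_PORT: ${{ secrets.REDEPLOYMENT_WEBHOOK_PORT }}
          REDEPLOYMENT_HOOK_ID_BASE: ${{ vars.REDEPLOYMENT_HOOK_ID_BASE }}
          # Each secret is guarded by its own environment test. With the
          # shorter `cond && PROD || STAGING` form an unset prod secret is
          # falsy, so the expression falls through to the staging secret: the
          # check below would then pass and prod would be called with the
          # staging secret.
          REDEPLOYMENT_WEBHOOK_SECRET: >-
            ${{ needs.validate-env.outputs.env_normalized == 'prod'
            && secrets.REDEPLOYMENT_WEBHOOK_SECRET_PROD
            || needs.validate-env.outputs.env_normalized == 'staging'
            && secrets.REDEPLOYMENT_WEBHOOK_SECRET_STAGING
            || '' }}
        run: |
          missing=""
          [[ -z "$VPS_IP" ]] && missing="${missing} VPS_IP"
          [[ -z "$REDEPLOYMENT_WEBHOOK_PORT" ]] && missing="${missing} REDEPLOYMENT_WEBHOOK_PORT"
          [[ -z "$REDEPLOYMENT_HOOK_ID_BASE" ]] && missing="${missing} REDEPLOYMENT_HOOK_ID_BASE"
          # Name the secret the operator has to create for this environment.
          case "$ENV" in
            prod) sec_name=REDEPLOYMENT_WEBHOOK_SECRET_PROD ;;
            staging) sec_name=REDEPLOYMENT_WEBHOOK_SECRET_STAGING ;;
            *) sec_name="REDEPLOYMENT_WEBHOOK_SECRET_<env>" ;;
          esac
          [[ -z "$REDEPLOYMENT_WEBHOOK_SECRET" ]] && missing="${missing} $sec_name"
          if [[ -n "$missing" ]]; then
            echo "ERROR: Missing required config:$missing"
            echo "Set variables and secrets in Settings → Environments (or org/repo level). See README."
            exit 1
          fi
          echo "All required vars and secrets are set."
        shell: bash

  # Sends the authenticated POST that triggers the redeploy on the server and
  # fails the job unless the response starts with the expected text.
  call_webhook:
    name: Call Redeploy Webhook
    runs-on: ubuntu-latest
    needs: [check-required-config, validate-env]
    environment:
      name: ${{ needs.validate-env.outputs.env_normalized }}
    steps:
      - name: Call redeploy webhook
        env:
          # NOTE(review): the URL scheme is plain http, so the X-Secret header
          # and the payload cross the network unencrypted and the server is
          # not authenticated. Put the hook behind TLS (or a private tunnel)
          # and switch to https once the server supports it.
          SERVER_REDEPLOYMENT_WEBHOOK_URL: http://${{ vars.VPS_IP }}:${{ secrets.REDEPLOYMENT_WEBHOOK_PORT }}/hooks/${{ vars.REDEPLOYMENT_HOOK_ID_BASE }}-${{ needs.validate-env.outputs.env_normalized }}
          # Same per-environment guard as in check-required-config: never fall
          # back from an unset prod secret to the staging secret.
          REDEPLOYMENT_WEBHOOK_SECRET: >-
            ${{ needs.validate-env.outputs.env_normalized == 'prod'
            && secrets.REDEPLOYMENT_WEBHOOK_SECRET_PROD
            || needs.validate-env.outputs.env_normalized == 'staging'
            && secrets.REDEPLOYMENT_WEBHOOK_SECRET_STAGING
            || '' }}
          # Caller-supplied text, sent as the request body without validation
          # here; the receiving hook has to treat it as untrusted input.
          IMAGES_PAYLOAD: ${{ inputs.images }}
        run: |
          # curl's exit status is inspected by hand, so errexit is paused
          # around the call.
          set +e
          # -S replaces the former -v: curl still reports transport errors on
          # stderr, but the request headers (including X-Secret) and the target
          # address are no longer written to the job log. Log masking of
          # secrets is best-effort and should not be the only protection.
          response=$(curl -sS -w '\n%{http_code}' \
            -X POST \
            -H "Content-Type: application/json" \
            -H "X-Secret: $REDEPLOYMENT_WEBHOOK_SECRET" \
            -d "$IMAGES_PAYLOAD" \
            --max-time 15 \
            "$SERVER_REDEPLOYMENT_WEBHOOK_URL")
          curl_exit=$?
          set -e
          if [[ $curl_exit -ne 0 ]]; then
            echo "Webhook call failed (curl exit $curl_exit)."
            echo "Exit 7 = connection refused: nothing listening on host:port, or firewall blocking. Check webhook service on server (systemctl status webhook), port in REDEPLOYMENT_WEBHOOK_PORT, and firewall."
            exit 1
          fi
          # -w appended the status code as the last line; split it from the body.
          http_code=$(echo "$response" | tail -n1)
          response=$(echo "$response" | sed '$d')
          # Success is decided by the body prefix, not by the status code.
          if [[ "$response" != "Redeploying BTMT ecosystem"* ]]; then
            echo "ERROR: Webhook call failed with response: $response"
            if [[ "$response" == "Hook not found." ]] || [[ "$http_code" == "404" ]]; then
              echo "REDEPLOYMENT_HOOK_ID_BASE + '-' + env must match the hook id in hooks.json (path is /hooks/<id>-<env>)."
            fi
            exit 1
          fi
        shell: bash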