CodeCrow/.github/workflows/deploy.yml at main · rostilos/CodeCrow · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
###############################################################################
# CodeCrow CI/CD Pipeline
#
# Triggers: push to main branch, or manual dispatch
#
# Flow:
#   1. Checkout code (with submodules)
#   2. Build & test Java artifacts (Maven + JaCoCo)
#   3. Build all 5 Docker images
#   4. Push images to GHCR
#   5. SSH into server and run deployment script
#
# Required GitHub Secrets:
#   DEPLOY_SSH_KEY              — Private SSH key for env
#   DEPLOY_HOST                 — Server IP
#   DEPLOY_USER                 — SSH user
#   DEPLOY_HOST_FINGERPRINT     — Server SSH host key (ssh-keyscan -H <ip>)
#   ENV_INFERENCE_ORCHESTRATOR  — Contents of inference-orchestrator/.env
#   ENV_RAG_PIPELINE            — Contents of rag-pipeline/.env
#   ENV_WEB_FRONTEND            — Contents of frontend/.env
#   GHCR_PAT                    — GitHub Personal Access Token for GHCR (optional, uses GITHUB_TOKEN if not set)
###############################################################################

name: Deploy to Production

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      skip_build:
        description: "Skip build (deploy existing images on server)"
        required: false
        default: "false"

concurrency:
  group: production-deploy
  cancel-in-progress: false

env:
  DEPLOY_PATH: /opt/codecrow

permissions:
  contents: read
  packages: write
  checks: write

jobs:
  build:
    name: Build & Test → Docker Images
    runs-on: ubuntu-latest
    if: github.event.inputs.skip_build != 'true'
    timeout-minutes: 30

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
          cache: maven

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and Push (ci-build.sh)
        env:
          ENV_INFERENCE_ORCHESTRATOR: ${{ secrets.ENV_INFERENCE_ORCHESTRATOR }}
          ENV_RAG_PIPELINE: ${{ secrets.ENV_RAG_PIPELINE }}
          ENV_WEB_FRONTEND: ${{ secrets.ENV_WEB_FRONTEND }}
          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
        run: |
          chmod +x deployment/ci/ci-build.sh
          deployment/ci/ci-build.sh

      - name: Publish test results
        if: always()
        uses: dorny/test-reporter@v1
        with:
          name: Java Tests
          path: java-ecosystem/**/target/surefire-reports/*.xml
          reporter: java-junit

      - name: Upload test reports
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: surefire-reports
          path: java-ecosystem/**/target/surefire-reports/
          retention-days: 7

  deploy:
    name: Deploy to Server
    runs-on: ubuntu-latest
    needs: [build]
    if: always() && (needs.build.result == 'success' || github.event.inputs.skip_build == 'true')
    timeout-minutes: 15
    environment: production

    steps:
      - name: Checkout (for compose file + deploy script)
        uses: actions/checkout@v4

      - name: Setup SSH
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          # Use pre-registered host fingerprint instead of ssh-keyscan (MITM-safe)
          # Generate with:  ssh-keyscan -H <server-ip> 2>/dev/null
          echo "${{ secrets.DEPLOY_HOST_FINGERPRINT }}" >> ~/.ssh/known_hosts

      - name: Upload docker-compose.prod.yml and deploy script
        run: |
          scp -i ~/.ssh/deploy_key \
            deployment/docker-compose.prod.yml \
            deployment/ci/server-deploy.sh \
            ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ env.DEPLOY_PATH }}/

      - name: Deploy on server
        run: |
          ssh -i ~/.ssh/deploy_key \
            ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} \
            "chmod +x ${{ env.DEPLOY_PATH }}/server-deploy.sh && GITHUB_REPOSITORY_OWNER=${{ github.repository_owner }} ${{ env.DEPLOY_PATH }}/server-deploy.sh"

      - name: Verify deployment
        run: |
          ssh -i ~/.ssh/deploy_key \
            ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} \
            "cd ${{ env.DEPLOY_PATH }} && docker compose -f docker-compose.prod.yml ps --format 'table {{.Name}}\t{{.Status}}'"

      - name: Cleanup SSH key
        if: always()
        run: rm -f ~/.ssh/deploy_key