Merge pull request #158 from rostilos/1.5.3-rc

feat: Add support for repository access tokens in VCS connections

Author: rostilos

.github/workflows/deploy.yml

@@ -7,9 +7,8 @@
 #   1. Checkout code (with submodules)
 #   2. Build & test Java artifacts (Maven + JaCoCo)
 #   3. Build all 5 Docker images
-#   4. Save images as a compressed tarball
-#   5. SCP tarball to production server
-#   6. SSH into server and run deployment script
+#   4. Push images to GHCR
+#   5. SSH into server and run deployment script
 #
 # Required GitHub Secrets:
 #   DEPLOY_SSH_KEY              — Private SSH key for env
@@ -19,6 +18,7 @@
 #   ENV_INFERENCE_ORCHESTRATOR  — Contents of inference-orchestrator/.env
 #   ENV_RAG_PIPELINE            — Contents of rag-pipeline/.env
 #   ENV_WEB_FRONTEND            — Contents of frontend/.env
+#   GHCR_PAT                    — GitHub Personal Access Token for GHCR (optional, uses GITHUB_TOKEN if not set)
 ###############################################################################
 
 name: Deploy to Production
@@ -42,6 +42,7 @@ env:
 
 permissions:
   contents: read
+  packages: write
   checks: write
 
 jobs:
@@ -68,11 +69,19 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Build (ci-build.sh)
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Push (ci-build.sh)
         env:
           ENV_INFERENCE_ORCHESTRATOR: ${{ secrets.ENV_INFERENCE_ORCHESTRATOR }}
           ENV_RAG_PIPELINE: ${{ secrets.ENV_RAG_PIPELINE }}
           ENV_WEB_FRONTEND: ${{ secrets.ENV_WEB_FRONTEND }}
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
         run: |
           chmod +x deployment/ci/ci-build.sh
           deployment/ci/ci-build.sh
@@ -93,14 +102,6 @@ jobs:
           path: java-ecosystem/**/target/surefire-reports/
           retention-days: 7
 
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: codecrow-images
-          path: build-output/codecrow-images.tar.zst
-          retention-days: 7
-          compression-level: 0
-
   deploy:
     name: Deploy to Server
     runs-on: ubuntu-latest
@@ -113,13 +114,6 @@ jobs:
       - name: Checkout (for compose file + deploy script)
         uses: actions/checkout@v4
 
-      - name: Download artifact
-        if: github.event.inputs.skip_build != 'true'
-        uses: actions/download-artifact@v4
-        with:
-          name: codecrow-images
-          path: build-output
-
       - name: Setup SSH
         run: |
           mkdir -p ~/.ssh
@@ -136,18 +130,11 @@ jobs:
             deployment/ci/server-deploy.sh \
             ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ env.DEPLOY_PATH }}/
 
-      - name: Upload Docker images tarball
-        if: github.event.inputs.skip_build != 'true'
-        run: |
-          scp -i ~/.ssh/deploy_key \
-            build-output/codecrow-images.tar.zst \
-            ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ env.DEPLOY_PATH }}/releases/
-
       - name: Deploy on server
         run: |
           ssh -i ~/.ssh/deploy_key \
             ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} \
-            "chmod +x ${{ env.DEPLOY_PATH }}/server-deploy.sh && ${{ env.DEPLOY_PATH }}/server-deploy.sh"
+            "chmod +x ${{ env.DEPLOY_PATH }}/server-deploy.sh && GITHUB_REPOSITORY_OWNER=${{ github.repository_owner }} ${{ env.DEPLOY_PATH }}/server-deploy.sh"
 
       - name: Verify deployment
         run: |

deployment/build/production-build.sh

@@ -11,20 +11,20 @@ CONFIG_PATH="deployment/config"
 
 cd "$(dirname "$0")/../../"
 
-# echo "--- 1. Ensuring frontend submodule is synchronized ---"
-# if [ -d "$FRONTEND_DIR" ] && [ ! -f "$FRONTEND_DIR/.git" ]; then
-#    echo "Stale frontend directory detected (not a submodule). Removing and re-initializing..."
-#    rm -rf "$FRONTEND_DIR"
-#    git submodule update --init -- "$FRONTEND_DIR"
-# elif [ ! -d "$FRONTEND_DIR" ]; then
-#    echo "Initializing frontend submodule..."
-#    git submodule update --init -- "$FRONTEND_DIR"
-# else
-#    echo "Frontend submodule exists."
-# fi
-# echo "Fetching latest from origin and resetting to origin/$FRONTEND_BRANCH..."
-# (cd "$FRONTEND_DIR" && git fetch origin "$FRONTEND_BRANCH" && git reset --hard "origin/$FRONTEND_BRANCH")
-# echo "Frontend at: $(cd "$FRONTEND_DIR" && git log --oneline -1)"
+echo "--- 1. Ensuring frontend submodule is synchronized ---"
+if [ -d "$FRONTEND_DIR" ] && [ ! -f "$FRONTEND_DIR/.git" ]; then
+   echo "Stale frontend directory detected (not a submodule). Removing and re-initializing..."
+   rm -rf "$FRONTEND_DIR"
+   git submodule update --init -- "$FRONTEND_DIR"
+elif [ ! -d "$FRONTEND_DIR" ]; then
+   echo "Initializing frontend submodule..."
+   git submodule update --init -- "$FRONTEND_DIR"
+else
+   echo "Frontend submodule exists."
+fi
+echo "Fetching latest from origin and resetting to origin/$FRONTEND_BRANCH..."
+(cd "$FRONTEND_DIR" && git fetch origin "$FRONTEND_BRANCH" && git reset --hard "origin/$FRONTEND_BRANCH")
+echo "Frontend at: $(cd "$FRONTEND_DIR" && git log --oneline -1)"
 
 echo "--- 2. Injecting Environment Configurations ---"
 

deployment/ci/ci-build.sh

@@ -5,8 +5,7 @@
 # 1. Writes .env files from GitHub secrets
 # 2. Builds & tests Java artifacts (Maven)  — fails fast on test errors
 # 3. Copies MCP JARs to inference-orchestrator context
-# 4. Builds all 5 Docker images
-# 5. Saves them to a single compressed tarball
+# 4. Builds all 5 Docker images and pushes them to GHCR
 #
 # Required env vars (set by GH Actions):
 #   ENV_INFERENCE_ORCHESTRATOR  — contents of inference-orchestrator/.env
@@ -21,10 +20,11 @@ ROOT_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
 MCP_JAR="java-ecosystem/mcp-servers/vcs-mcp/target/codecrow-vcs-mcp-1.0.jar"
 PLATFORM_MCP_JAR="java-ecosystem/mcp-servers/platform-mcp/target/codecrow-platform-mcp-1.0.jar"
 JAVA_DIR="java-ecosystem"
-OUTPUT_DIR="$ROOT_DIR/build-output"
+# GITHUB_REPOSITORY_OWNER is assumed to be provided for ghcr.io paths
+REPO_OWNER=${GITHUB_REPOSITORY_OWNER:-codecrow}
+REPO_OWNER=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')
 
 cd "$ROOT_DIR"
-mkdir -p "$OUTPUT_DIR"
 
 echo "=========================================="
 echo "  CodeCrow CI Build"
@@ -83,41 +83,33 @@ for entry in "${IMAGES[@]}"; do
   IFS='|' read -r IMAGE_NAME CONTEXT DOCKERFILE <<< "$entry"
   # Scope cache per image to avoid collisions
   SCOPE="$(echo "$IMAGE_NAME" | tr '/' '-')"
-  echo "  Building $IMAGE_NAME from $CONTEXT ..."
+  
+  # Map codecrow to ghcr.io/<repo-owner>/codecrow-<service>
+  # E.g. codecrow/web-server -> ghcr.io/username/codecrow-web-server:latest
+  SERVICE_NAME=$(echo "$IMAGE_NAME" | cut -d'/' -f2)
+  FULL_IMAGE_NAME="ghcr.io/$REPO_OWNER/codecrow-$SERVICE_NAME:latest"
+
+  echo "  Building and pushing $FULL_IMAGE_NAME from $CONTEXT ..."
   if [ -n "${DOCKERFILE:-}" ]; then
     docker buildx build \
       --cache-from "type=gha,scope=$SCOPE" \
       --cache-to "type=gha,mode=max,scope=$SCOPE" \
-      --load \
-      -t "${IMAGE_NAME}:latest" \
+      --push \
+      -t "$FULL_IMAGE_NAME" \
       -f "$CONTEXT/$DOCKERFILE" \
       "$CONTEXT"
   else
     docker buildx build \
       --cache-from "type=gha,scope=$SCOPE" \
       --cache-to "type=gha,mode=max,scope=$SCOPE" \
-      --load \
-      -t "${IMAGE_NAME}:latest" \
+      --push \
+      -t "$FULL_IMAGE_NAME" \
       "$CONTEXT"
   fi
-  echo "  ✓ $IMAGE_NAME built"
+  echo "  ✓ $FULL_IMAGE_NAME built and pushed"
 done
 
-# ── 5. Save images to tarball ─────────────────────────────────────────────
-echo "--- 5. Saving Docker images to tarball ---"
-
-IMAGE_LIST=""
-for entry in "${IMAGES[@]}"; do
-  IFS='|' read -r IMAGE_NAME _ _ <<< "$entry"
-  IMAGE_LIST="$IMAGE_LIST ${IMAGE_NAME}:latest"
-done
-
-docker save $IMAGE_LIST | zstd -T0 --ultra -20 -o "$OUTPUT_DIR/codecrow-images.tar.zst"
-
-TARBALL_SIZE=$(du -h "$OUTPUT_DIR/codecrow-images.tar.zst" | cut -f1)
-echo "  ✓ Tarball created: codecrow-images.tar.zst ($TARBALL_SIZE)"
-
 echo ""
 echo "=========================================="
-echo "  Build complete! Artifact: build-output/codecrow-images.tar.zst"
+echo "  Build and push complete!"
 echo "=========================================="

deployment/ci/server-deploy.sh

@@ -2,47 +2,37 @@
 ###############################################################################
 # server-deploy.sh — Runs ON THE LIVE SERVER via SSH from GitHub Actions.
 #
-# Expects the tarball to already be uploaded to /opt/codecrow/releases/
+# Expects docker-compose.prod.yml to be updated to point to GHCR.
 #
 # Flow:
 #   1. Pre-flight config checks
 #   2. Backup PostgreSQL database
-#   3. Load new Docker images from tarball
+#   3. Pull new Docker images from Registry
 #   4. Stop existing services
 #   5. Start services (--no-build, --wait for healthchecks)
 #   6. Verify health
-#   7. Cleanup old releases & backups
+#   7. Cleanup old backups
 #
 # Usage:
-#   server-deploy.sh [tarball-name]
-#
-# Default tarball: codecrow-images.tar.zst
+#   GITHUB_REPOSITORY_OWNER=username server-deploy.sh
 ###############################################################################
 set -euo pipefail
 
 DEPLOY_DIR="/opt/codecrow"
-RELEASES_DIR="$DEPLOY_DIR/releases"
 CONFIG_DIR="$DEPLOY_DIR/config"
 BACKUP_DIR="$DEPLOY_DIR/backups"
 COMPOSE_FILE="$DEPLOY_DIR/docker-compose.prod.yml"
-TARBALL_NAME="${1:-codecrow-images.tar.zst}"
-TARBALL_PATH="$RELEASES_DIR/$TARBALL_NAME"
+
+# For GHCR pulling
+export GITHUB_REPOSITORY_OWNER="${GITHUB_REPOSITORY_OWNER:-codecrow}"
+export GITHUB_REPOSITORY_OWNER=$(echo "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]')
 
 echo "=========================================="
 echo "  CodeCrow Server Deployment"
 echo "  $(date '+%Y-%m-%d %H:%M:%S')"
 echo "=========================================="
 
 # ── Pre-flight checks ─────────────────────────────────────────────────────
-if ! command -v zstd &>/dev/null; then
-  echo "ERROR: zstd is not installed. Run: sudo apt-get install zstd"
-  exit 1
-fi
-
-if [ ! -f "$TARBALL_PATH" ]; then
-  echo "ERROR: Tarball not found: $TARBALL_PATH"
-  exit 1
-fi
 
 if [ ! -f "$COMPOSE_FILE" ]; then
   echo "ERROR: docker-compose.prod.yml not found: $COMPOSE_FILE"
@@ -94,10 +84,10 @@ else
   echo "  ⚠ PostgreSQL not running — skipping backup (first deploy?)"
 fi
 
-# ── 2. Load Docker images ─────────────────────────────────────────────────
-echo "--- 2. Loading Docker images from tarball ---"
-zstd -d --stdout "$TARBALL_PATH" | docker load
-echo "  ✓ Images loaded"
+# ── 2. Pull Docker images ─────────────────────────────────────────────────
+echo "--- 2. Pulling Docker images from registry ---"
+docker compose -f "$COMPOSE_FILE" pull
+echo "  ✓ Images pulled"
 
 # ── 3. Stop existing services ─────────────────────────────────────────────
 echo "--- 3. Stopping existing services ---"
@@ -129,12 +119,8 @@ echo "  ✓ Services started and healthy"
 echo "--- 5. Service status ---"
 docker compose -f docker-compose.prod.yml ps
 
-# ── 6. Cleanup old releases (keep last 5) ─────────────────────────────────
-echo "--- 6. Cleaning up old releases and backups ---"
-cd "$RELEASES_DIR"
-ls -1t *.tar.zst 2>/dev/null | tail -n +6 | xargs -r rm -f
-REMAINING=$(ls -1 *.tar.zst 2>/dev/null | wc -l)
-echo "  ✓ Keeping $REMAINING release(s)"
+# ── 6. Cleanup old backups ────────────────────────────────────────────────
+echo "--- 6. Cleaning up old backups ---"
 
 # Cleanup old DB backups (keep last 10)
 cd "$BACKUP_DIR"

deployment/docker-compose.prod.yml

@@ -60,7 +60,7 @@ services:
     restart: unless-stopped
 
   web-server:
-    image: codecrow/web-server:latest
+    image: ghcr.io/${GITHUB_REPOSITORY_OWNER:-rostilos}/codecrow-web-server:latest
     container_name: codecrow-web-application
     environment:
       SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-codecrow_ai}
@@ -113,7 +113,7 @@ services:
     restart: unless-stopped
 
   pipeline-agent:
-    image: codecrow/pipeline-agent:latest
+    image: ghcr.io/${GITHUB_REPOSITORY_OWNER:-rostilos}/codecrow-pipeline-agent:latest
     container_name: codecrow-pipeline-agent
     environment:
       SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-codecrow_ai}
@@ -165,7 +165,7 @@ services:
       - "host.docker.internal:host-gateway"
 
   inference-orchestrator:
-    image: codecrow/inference-orchestrator:latest
+    image: ghcr.io/${GITHUB_REPOSITORY_OWNER:-rostilos}/codecrow-inference-orchestrator:latest
     container_name: codecrow-inference-orchestrator
     ports:
       - "127.0.0.1:8000:8000"
@@ -198,7 +198,7 @@ services:
           memory: 512M
 
   rag-pipeline:
-    image: codecrow/rag-pipeline:latest
+    image: ghcr.io/${GITHUB_REPOSITORY_OWNER:-rostilos}/codecrow-rag-pipeline:latest
     container_name: codecrow-rag-pipeline
     environment:
       CODECROW_WEB_SERVER_URL: http://web-server:8081
@@ -231,7 +231,7 @@ services:
       - "host.docker.internal:host-gateway"
 
   web-frontend:
-    image: codecrow/web-frontend:latest
+    image: ghcr.io/${GITHUB_REPOSITORY_OWNER:-rostilos}/codecrow-web-frontend:latest
     container_name: codecrow-web-frontend
     ports:
       - "127.0.0.1:8080:8080"

frontend

@@ -27,6 +27,18 @@
             <artifactId>codecrow-core</artifactId>
         </dependency>
 
+        <!-- Commit graph (DAG) module -->
+        <dependency>
+            <groupId>org.rostilos.codecrow</groupId>
+            <artifactId>codecrow-commit-graph</artifactId>
+        </dependency>
+
+        <!-- File content/snapshot module -->
+        <dependency>
+            <groupId>org.rostilos.codecrow</groupId>
+            <artifactId>codecrow-file-content</artifactId>
+        </dependency>
+
         <!-- Analysis API interfaces -->
         <dependency>
             <groupId>org.rostilos.codecrow</groupId>
@@ -130,6 +142,8 @@
                         @{argLine}
                         --add-opens org.rostilos.codecrow.analysisengine/org.rostilos.codecrow.analysisengine.service=com.fasterxml.jackson.databind
                         --add-opens org.rostilos.codecrow.core/org.rostilos.codecrow.core.model.branch=org.rostilos.codecrow.analysisengine
+                        --add-opens org.rostilos.codecrow.core/org.rostilos.codecrow.core.model.project=org.rostilos.codecrow.analysisengine
+                        --add-opens org.rostilos.codecrow.core/org.rostilos.codecrow.core.model.pullrequest=org.rostilos.codecrow.analysisengine
                     </argLine>
                 </configuration>
             </plugin>

java-ecosystem/libs/analysis-engine/pom.xml

@@ -8,6 +8,8 @@
         requires spring.data.jpa;
         requires spring.tx;
         requires org.rostilos.codecrow.core;
+        requires org.rostilos.codecrow.commitgraph;
+        requires org.rostilos.codecrow.filecontent;
         requires org.rostilos.codecrow.vcs;
         requires org.rostilos.codecrow.analysisapi;
         requires transitive org.rostilos.codecrow.queue;
@@ -32,7 +34,6 @@
         exports org.rostilos.codecrow.analysisengine.processor;
         exports org.rostilos.codecrow.analysisengine.processor.analysis;
         exports org.rostilos.codecrow.analysisengine.service;
-        exports org.rostilos.codecrow.analysisengine.service.gitgraph;
         exports org.rostilos.codecrow.analysisengine.service.rag;
         exports org.rostilos.codecrow.analysisengine.service.vcs;
         exports org.rostilos.codecrow.analysisengine.util;
@@ -47,8 +48,6 @@
                         to spring.core, spring.beans, spring.context, com.fasterxml.jackson.databind;
         opens org.rostilos.codecrow.analysisengine.service
                         to spring.core, spring.beans, spring.context, com.fasterxml.jackson.databind;
-        opens org.rostilos.codecrow.analysisengine.service.gitgraph
-                        to spring.core, spring.beans, spring.context, com.fasterxml.jackson.databind;
         opens org.rostilos.codecrow.analysisengine.service.rag
                         to spring.core, spring.beans, spring.context, com.fasterxml.jackson.databind;
         opens org.rostilos.codecrow.analysisengine.service.vcs