Add workflows for video2commons deployment

[Amdrel]

Description

This patch adds GHA workflows for deploying to both the frontend (Toolforge) and encoders (Cloud VPS). This should help allow deployments to be easier for maintainers.

@don-vip I'll take this out of draft mode once we confirm some of the assumptions I'm making.

Changes

• Added workflows for deploying v2c updates to the frontend and encoders.
  • For now only manual deployments are supported, but there are commented out triggers for deploying on push in case we want to do that.
• Remove all minified files from the repository as they are now generated by the workflows prior to deployment.
  • Minified files have been added to the .gitignore file as well.
  • Because of this, the steps to check and push minified files in ci.yml have been removed. The check job just makes sure the build completes without any errors now.
• Added a new script for deploying the frontend to Toolforge named deploy-toolforge.sh.
• Renamed deploy.sh to deploy-encoders.sh as there are now two deployment scripts.
• Updated the existing deploy-encoders.sh script to return a non-zero exit code if the deployment fails for any workers.
• Added an explicit TimeoutStopSec=infinity to the v2ccelery.service service unit to make sure systemd never sends a SIGKILL to the workers before they complete.

Disclaimers

• The workflow assumes that the SSH key is stored in the V2C_SSH_PRIVATE_KEY secret and uses ed25519. Please let me know if this needs to be changed.
  • Update: Secret name has been corrected to SSH_PRIVATE_KEY.
• I've only tested these workflows on local VMs with act so far, but these environments are not the same as production.

[don-vip]

* The workflow assumes that the SSH key is stored in the `V2C_SSH_PRIVATE_KEY` secret and uses ed25519. Please let me know if this needs to be changed.

The secret is simply named SSH_PRIVATE_KEY, otherwise yes, it has been generated using ed25519.

[don-vip]

socketio is its own toolforge project, so we need to remove this line, and duplicate the deploy-toolforge script to have deploy-toolforge-video2commons and deploy-toolforge-video2commons-socketio. We could also add a fourth one for deploy-toolforge-video2commons-test.

Maybe we could push-to-deploy for "video2commons-test" automatically, and keep manual deployments for the the three production services.

[Amdrel]

That makes sense to me! I didn't realize there was a test project. I'll update the patterns soon and work on a 3rd script. I do have a couple of questions.

1. I noticed there's no test version of video2commons-socketio. Is it used by both production and the testing environment, or is it not used at all by video2commons-test?
2. Does video2commons-test use the same encoders as video2commons?

[Amdrel]

Oh, and one other question I forgot. How is the socketio service restarted? Or does it need to be restarted at all. I didn't see any mention of it in the Wikitech documentation.

[don-vip]

For 1, I don't remember, I think it uses the same as I don't remember having seen a socketio test account.
For 2, it uses the redis instance as an encoder. It's likely it doesn't work right now as nobody uses it, and I didn't touch it for a very long time. But you can give a try :) (with a small file of course): https://video2commons-test.toolforge.org/

[don-vip]

And how to restart the socketio service, mmmm good question!

[don-vip]

in the shell history I see I did that last year:

2025-01-19 17:14:52 toolforge webservice --backend=kubernetes node18 start

[don-vip]

These secrets don't exist yet, are you able to create them or do you want me to create them?

[Amdrel]

I think I should be able to with my permissions. I'll let you know if I run into any problems.

[Amdrel]

I added the secrets to the repository-level secrets. I don't have access to the environment-level secrets, which is where I assume SSH_PRIVATE_KEY is located. Is this fine?

[Amdrel]

Also, I set V2C_USERNAME to adminv2c since that's what I saw in the membership requests.

[don-vip]

Ah strange, I must have missed something, I would prefer to set all secrets in the environment, I'm checking your permissions

[don-vip]

I've set you to maintainer role, is it enough now to have access to env secrets?

[Amdrel]

I still don't see it. I'm not sure what permission controls the visibility of that section.

[don-vip]

OK now you're admin I can't give you more permissions :D Is it working?

[Amdrel]

That seemed to do it. I'll get those updated here shortly 😅

[Amdrel]

Done