qzl
171 lines
6.3 KiB
YAML
171 lines
6.3 KiB
YAML
name: Build production Docker image
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
build-backend-image:
|
|
runs-on: wsl2-docker-host
|
|
env:
|
|
IMAGE_NAME: eryao-backend
|
|
IMAGE_SIZE_LIMIT_BYTES: 500000000
|
|
steps:
|
|
- name: Check out repository
|
|
run: |
|
|
set -euo pipefail
|
|
git clone --depth 1 --branch "${GITHUB_REF_NAME:-main}" "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" .
|
|
|
|
- name: Validate ECR configuration
|
|
run: |
|
|
set -euo pipefail
|
|
test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
|
|
test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
|
|
test -n "${{ secrets.AWS_REGION }}"
|
|
test -n "${{ secrets.AWS_ACCOUNT_ID }}"
|
|
test -n "${{ secrets.ECR_REPOSITORY }}"
|
|
test -n "${{ secrets.DEPLOY_SSH_KEY }}"
|
|
|
|
- name: Build backend production image
|
|
run: |
|
|
set -euo pipefail
|
|
docker buildx build \
|
|
--provenance=false \
|
|
--load \
|
|
--file backend/Dockerfile \
|
|
--tag ${IMAGE_NAME}:prod-${GITHUB_SHA} \
|
|
.
|
|
|
|
- name: Check image size budget
|
|
run: |
|
|
set -euo pipefail
|
|
image_size_bytes="$(docker image inspect ${IMAGE_NAME}:prod-${GITHUB_SHA} --format '{{.Size}}')"
|
|
echo "Image size: ${image_size_bytes} bytes"
|
|
if [ "${image_size_bytes}" -gt "${IMAGE_SIZE_LIMIT_BYTES}" ]; then
|
|
echo "Image exceeds ${IMAGE_SIZE_LIMIT_BYTES} bytes" >&2
|
|
exit 1
|
|
fi
|
|
|
|
- name: Smoke test backend image
|
|
run: |
|
|
set -euo pipefail
|
|
docker run --rm \
|
|
-e ERYAO_RUNTIME__ENVIRONMENT=prod \
|
|
-e ERYAO_SUPABASE__PUBLIC_URL=http://localhost:8001 \
|
|
-e ERYAO_POINTS_POLICY__REGISTER_BONUS_HMAC_KEY=ci-smoke-test-key \
|
|
--entrypoint python \
|
|
${IMAGE_NAME}:prod-${GITHUB_SHA} \
|
|
-c "import app; print(app.app.title)"
|
|
|
|
- name: Push backend image to ECR
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
|
|
AWS_REGION: ${{ secrets.AWS_REGION }}
|
|
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
|
|
ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
|
|
run: |
|
|
set -euo pipefail
|
|
caller_account_id="$(aws sts get-caller-identity --query Account --output text)"
|
|
if [ "${caller_account_id}" != "${AWS_ACCOUNT_ID}" ]; then
|
|
echo "AWS_ACCOUNT_ID does not match caller identity" >&2
|
|
exit 1
|
|
fi
|
|
|
|
ecr_registry="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
|
|
ecr_image="${ecr_registry}/${ECR_REPOSITORY}"
|
|
|
|
aws ecr describe-repositories \
|
|
--region "${AWS_REGION}" \
|
|
--repository-names "${ECR_REPOSITORY}" >/dev/null 2>&1 \
|
|
|| aws ecr create-repository \
|
|
--region "${AWS_REGION}" \
|
|
--repository-name "${ECR_REPOSITORY}" \
|
|
--image-scanning-configuration scanOnPush=true \
|
|
--encryption-configuration encryptionType=AES256 >/dev/null
|
|
|
|
aws ecr get-login-password --region "${AWS_REGION}" \
|
|
| docker login --username AWS --password-stdin "${ecr_registry}"
|
|
|
|
docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:latest"
|
|
|
|
image_ids="$(aws ecr list-images \
|
|
--region "${AWS_REGION}" \
|
|
--repository-name "${ECR_REPOSITORY}" \
|
|
--query 'imageIds[*]' \
|
|
--output json)"
|
|
if [ "${image_ids}" != "[]" ]; then
|
|
aws ecr batch-delete-image \
|
|
--region "${AWS_REGION}" \
|
|
--repository-name "${ECR_REPOSITORY}" \
|
|
--image-ids "${image_ids}" >/dev/null
|
|
fi
|
|
|
|
docker push "${ecr_image}:latest"
|
|
|
|
deploy-production:
|
|
needs: build-backend-image
|
|
runs-on: wsl2-docker-host
|
|
steps:
|
|
- name: Validate deploy configuration
|
|
run: |
|
|
set -euo pipefail
|
|
test -n "${{ secrets.DEPLOY_SSH_KEY }}"
|
|
test -n "${{ secrets.DEPLOY_HOST }}"
|
|
test -n "${{ secrets.DEPLOY_USER }}"
|
|
test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
|
|
test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
|
|
test -n "${{ secrets.AWS_REGION }}"
|
|
|
|
- name: Deploy production server
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
|
|
AWS_REGION: ${{ secrets.AWS_REGION }}
|
|
DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
|
|
DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
install -m 700 -d ~/.ssh
|
|
printf '%s\n' '${{ secrets.DEPLOY_SSH_KEY }}' > ~/.ssh/eryao_deploy_key
|
|
chmod 600 ~/.ssh/eryao_deploy_key
|
|
ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts
|
|
|
|
ssh -i ~/.ssh/eryao_deploy_key \
|
|
-o IdentitiesOnly=yes \
|
|
"${DEPLOY_USER}@${DEPLOY_HOST}" \
|
|
"AWS_ACCESS_KEY_ID='${AWS_ACCESS_KEY_ID}' AWS_SECRET_ACCESS_KEY='${AWS_SECRET_ACCESS_KEY}' AWS_DEFAULT_REGION='${AWS_REGION}' AWS_REGION='${AWS_REGION}' bash -se" <<'REMOTE'
|
|
set -euo pipefail
|
|
|
|
cd ~/deploy
|
|
set -a
|
|
. ./.env
|
|
set +a
|
|
|
|
ecr_registry="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
|
|
aws ecr get-login-password --region "${AWS_REGION}" \
|
|
| sudo docker login --username AWS --password-stdin "${ecr_registry}"
|
|
|
|
sudo docker compose --env-file ./.env -f docker-compose.prod.yml --profile workers pull
|
|
sudo docker compose --env-file ./.env -f docker-compose.prod.yml --profile workers up -d --remove-orphans
|
|
|
|
for attempt in $(seq 1 12); do
|
|
if curl -fsS "http://127.0.0.1:${ERYAO_WEB__PORT:-5775}/health"; then
|
|
break
|
|
fi
|
|
if [ "${attempt}" -eq 12 ]; then
|
|
sudo docker compose --env-file ./.env -f docker-compose.prod.yml --profile workers ps
|
|
sudo docker logs --tail 200 eryao-prod-backend || true
|
|
exit 1
|
|
fi
|
|
sleep 5
|
|
done
|
|
|
|
sudo docker image prune -af --filter "until=168h"
|
|
REMOTE
|