.trellis/tasks/archive/2026-04/04-29-cicd-ecr-deployment-flow/IMPLEMENTATION_PLAN.md

# CI/CD ECR Deployment Flow Completion

## Completed

- Production backend Docker image workflow exists at `.gitea/workflows/build-production-docker.yml`.
- Workflow trigger is configured for push to `main` and manual `workflow_dispatch`.
- Workflow builds `backend/Dockerfile` with Docker Buildx, validates image size, and runs a smoke test.
- Workflow logs in to ECR, creates the repository if missing, and pushes both `${GITHUB_SHA}` and `latest` tags.
- Production Docker Compose file exists at `deploy/docker-compose.prod.yml` and pulls images from ECR instead of building locally.
- Production deploy guide exists at `deploy/README.md` with EC2-side ECR login, Compose pull/up, health check, logs, and stop commands.
- Cloudflare IPv4 ingress rules were added to AWS security group `sg-064bf6675c881fde3` for `tcp/80` and `tcp/443`.

## Deferred Intentionally

- EC2 will not auto-pull and restart yet. The operator will log in to the single EC2 host and start Docker Compose manually after ECR image confirmation.
- Public `0.0.0.0/0` ingress for `tcp/80` and `tcp/443` remains until `https://api.meeyao.com` or the agreed health endpoint is confirmed healthy.
- Gitea workflow does not yet include SSH or SSM deployment steps.

## Verification To Perform After PR Merge

1. Confirm the PR is merged to `main` or otherwise pushed to `main`.
2. Confirm Gitea Actions runs the production Docker workflow successfully.
3. Confirm ECR contains the backend image tagged with the commit SHA and `latest`.
4. Operator manually logs in to EC2 and runs the documented Compose deployment commands.
5. Confirm local EC2 health check returns `{"status":"ok"}`.
6. Confirm external API health through Cloudflare.
7. Remove `0.0.0.0/0` ingress for `tcp/80` and `tcp/443` only after external health is confirmed.
chore(deploy): add backend ECR deployment flow 2026-04-29 18:04:25 +08:00			`# CI/CD ECR Deployment Flow Completion`

			`## Completed`

			- Production backend Docker image workflow exists at `.gitea/workflows/build-production-docker.yml`.
			- Workflow trigger is configured for push to `main` and manual `workflow_dispatch`.
			- Workflow builds `backend/Dockerfile` with Docker Buildx, validates image size, and runs a smoke test.
			- Workflow logs in to ECR, creates the repository if missing, and pushes both `${GITHUB_SHA}` and `latest` tags.
			- Production Docker Compose file exists at `deploy/docker-compose.prod.yml` and pulls images from ECR instead of building locally.
			- Production deploy guide exists at `deploy/README.md` with EC2-side ECR login, Compose pull/up, health check, logs, and stop commands.
			- Cloudflare IPv4 ingress rules were added to AWS security group `sg-064bf6675c881fde3` for `tcp/80` and `tcp/443`.

			`## Deferred Intentionally`

			`- EC2 will not auto-pull and restart yet. The operator will log in to the single EC2 host and start Docker Compose manually after ECR image confirmation.`
			- Public `0.0.0.0/0` ingress for `tcp/80` and `tcp/443` remains until `https://api.meeyao.com` or the agreed health endpoint is confirmed healthy.
			`- Gitea workflow does not yet include SSH or SSM deployment steps.`

			`## Verification To Perform After PR Merge`

			1. Confirm the PR is merged to `main` or otherwise pushed to `main`.
			`2. Confirm Gitea Actions runs the production Docker workflow successfully.`
			3. Confirm ECR contains the backend image tagged with the commit SHA and `latest`.
			`4. Operator manually logs in to EC2 and runs the documented Compose deployment commands.`
			5. Confirm local EC2 health check returns `{"status":"ok"}`.
			`6. Confirm external API health through Cloudflare.`
			7. Remove `0.0.0.0/0` ingress for `tcp/80` and `tcp/443` only after external health is confirmed.