chore(deploy): add backend ECR deployment flow

2026-04-29 18:04:25 +08:00
parent 59760416e6
commit fb163cfeab
8 changed files with 487 additions and 0 deletions
@@ -0,0 +1,27 @@
+# CI/CD ECR Deployment Flow Completion
+
+## Completed
+
+- Production backend Docker image workflow exists at `.gitea/workflows/build-production-docker.yml`.
+- Workflow trigger is configured for push to `main` and manual `workflow_dispatch`.
+- Workflow builds `backend/Dockerfile` with Docker Buildx, validates image size, and runs a smoke test.
+- Workflow logs in to ECR, creates the repository if missing, and pushes both `${GITHUB_SHA}` and `latest` tags.
+- Production Docker Compose file exists at `deploy/docker-compose.prod.yml` and pulls images from ECR instead of building locally.
+- Production deploy guide exists at `deploy/README.md` with EC2-side ECR login, Compose pull/up, health check, logs, and stop commands.
+- Cloudflare IPv4 ingress rules were added to AWS security group `sg-064bf6675c881fde3` for `tcp/80` and `tcp/443`.
+
+## Deferred Intentionally
+
+- EC2 will not auto-pull and restart yet. The operator will log in to the single EC2 host and start Docker Compose manually after ECR image confirmation.
+- Public `0.0.0.0/0` ingress for `tcp/80` and `tcp/443` remains until `https://api.meeyao.com` or the agreed health endpoint is confirmed healthy.
+- Gitea workflow does not yet include SSH or SSM deployment steps.
+
+## Verification To Perform After PR Merge
+
+1. Confirm the PR is merged to `main` or otherwise pushed to `main`.
+2. Confirm Gitea Actions runs the production Docker workflow successfully.
+3. Confirm ECR contains the backend image tagged with the commit SHA and `latest`.
+4. Operator manually logs in to EC2 and runs the documented Compose deployment commands.
+5. Confirm local EC2 health check returns `{"status":"ok"}`.
+6. Confirm external API health through Cloudflare.
+7. Remove `0.0.0.0/0` ingress for `tcp/80` and `tcp/443` only after external health is confirmed.
@@ -0,0 +1,27 @@
+# CI/CD ECR Deployment Flow Record
+
+## Goal
+
+Record the current production CI/CD state for the backend Docker deployment path and preserve the handoff point before EC2 manual service startup.
+
+## Scope
+
+- Document that pushes to `main` trigger the Gitea workflow to build the backend Docker image.
+- Document that the workflow validates the image and pushes `${GITHUB_SHA}` and `latest` tags to AWS ECR.
+- Document that Cloudflare IPv4 CIDR ingress rules were added for `tcp/80` and `tcp/443` on security group `sg-064bf6675c881fde3` in `us-east-2`.
+- Document that the open `0.0.0.0/0` ingress rules for `tcp/80` and `tcp/443` remain in place until the API is healthy.
+- Document that final EC2 service startup is intentionally manual: the operator will log in to the single EC2 host and run Docker Compose after confirming the image exists in ECR.
+
+## Out of Scope
+
+- Automated SSH or SSM deployment to EC2.
+- ECS task definition or service deployment.
+- Removing the public `0.0.0.0/0` security group rules before API health is confirmed.
+
+## Acceptance Criteria
+
+- Trellis task records the completed CI/CD preparation work.
+- The task is archived after recording completion.
+- The temporary root-level `DEPLOYMENT_REPORT.md` is removed.
+- Current repository changes are committed on `dev`, pushed, and proposed for merge to `main`.
+- After merge or main push triggers CI, ECR is checked for the uploaded backend image.
@@ -0,0 +1,49 @@
+{
+  "id": "cicd-ecr-deployment-flow",
+  "name": "cicd-ecr-deployment-flow",
+  "title": "Record CI/CD ECR deployment flow",
+  "description": "Record completed backend Docker CI/CD preparation through ECR push and the remaining manual EC2 Docker Compose startup step.",
+  "status": "completed",
+  "dev_type": "docs",
+  "scope": "deployment",
+  "priority": "P2",
+  "creator": "zl-q",
+  "assignee": "zl-q",
+  "createdAt": "2026-04-29",
+  "completedAt": "2026-04-29",
+  "branch": null,
+  "base_branch": "dev",
+  "worktree_path": null,
+  "current_phase": 0,
+  "next_action": [
+    {
+      "phase": 1,
+      "action": "implement"
+    },
+    {
+      "phase": 2,
+      "action": "check"
+    },
+    {
+      "phase": 3,
+      "action": "finish"
+    },
+    {
+      "phase": 4,
+      "action": "create-pr"
+    }
+  ],
+  "commit": null,
+  "pr_url": null,
+  "subtasks": [],
+  "children": [],
+  "parent": null,
+  "relatedFiles": [
+    ".gitea/workflows/build-production-docker.yml",
+    "backend/Dockerfile",
+    "deploy/docker-compose.prod.yml",
+    "deploy/README.md"
+  ],
+  "notes": "CI/CD is complete through ECR image push. EC2 remains single-host Docker Compose and will be started manually after ECR image confirmation. Cloudflare IPv4 ingress was added; public 0.0.0.0/0 ingress remains until API health is confirmed.",
+  "meta": {}
+}