---
# Builds the backend production Docker image, checks its size, smoke-tests it,
# publishes it to Amazon ECR as `latest`, and then rolls it out to the
# production host over SSH.
name: Build production Docker image

# Runs on every push to `main` and on manual dispatch.
on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  # Job 1: build, verify and publish the backend image.
  build-backend-image:
    runs-on: wsl2-docker-host
    env:
      IMAGE_NAME: eryao-backend
      # Upper bound enforced by the "Check image size budget" step.
      # Quoted because environment values are always strings.
      IMAGE_SIZE_LIMIT_BYTES: "500000000"
    steps:
      # Shallow-clones the triggering branch into the current directory.
      - name: Check out repository
        run: |
          set -euo pipefail
          git clone --depth 1 --branch "${GITHUB_REF_NAME:-main}" \
            "ssh://git@www.qzselfz.cloud:2222/${GITHUB_REPOSITORY}.git" .

      # Fails fast when any secret needed by the push step is empty.
      # Secrets are handed over through `env` rather than interpolated into
      # the script text, matching the deploy job's validation step and
      # keeping secret values out of the generated shell script.
      - name: Validate ECR configuration
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
          ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
        run: |
          set -euo pipefail
          test -n "${AWS_ACCESS_KEY_ID}"
          test -n "${AWS_SECRET_ACCESS_KEY}"
          test -n "${AWS_REGION}"
          test -n "${AWS_ACCOUNT_ID}"
          test -n "${ECR_REPOSITORY}"

      # Builds backend/Dockerfile with the repository root as context and
      # loads the result into the local Docker image store.
      - name: Build backend production image
        run: |
          set -euo pipefail
          docker buildx build \
            --provenance=false \
            --load \
            --file backend/Dockerfile \
            --tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" \
            .

      # Rejects the build when the image is larger than the configured limit.
      - name: Check image size budget
        run: |
          set -euo pipefail
          image_size_bytes="$(docker image inspect "${IMAGE_NAME}:prod-${GITHUB_SHA}" --format '{{.Size}}')"
          echo "Image size: ${image_size_bytes} bytes"
          if [ "${image_size_bytes}" -gt "${IMAGE_SIZE_LIMIT_BYTES}" ]; then
            echo "Image exceeds ${IMAGE_SIZE_LIMIT_BYTES} bytes" >&2
            exit 1
          fi

      # Imports the `app` module inside the image with placeholder settings
      # and prints `app.app.title`; an import failure fails the job.
      - name: Smoke test backend image
        run: |
          set -euo pipefail
          docker run --rm \
            -e ERYAO_RUNTIME__ENVIRONMENT=prod \
            -e ERYAO_SUPABASE__PUBLIC_URL=http://localhost:8001 \
            -e ERYAO_POINTS_POLICY__REGISTER_BONUS_HMAC_KEY=ci-smoke-test-key \
            --entrypoint python \
            "${IMAGE_NAME}:prod-${GITHUB_SHA}" \
            -c "import app; print(app.app.title)"

      - name: Push backend image to ECR
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
          ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
        run: |
          set -euo pipefail

          # Refuse to push when the credentials belong to a different account
          # than the one named in AWS_ACCOUNT_ID.
          caller_account_id="$(aws sts get-caller-identity --query Account --output text)"
          if [ "${caller_account_id}" != "${AWS_ACCOUNT_ID}" ]; then
            echo "AWS_ACCOUNT_ID does not match caller identity" >&2
            exit 1
          fi

          ecr_registry="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
          ecr_image="${ecr_registry}/${ECR_REPOSITORY}"

          # Create the repository when the describe call does not succeed.
          aws ecr describe-repositories \
            --region "${AWS_REGION}" \
            --repository-names "${ECR_REPOSITORY}" >/dev/null 2>&1 \
            || aws ecr create-repository \
              --region "${AWS_REGION}" \
              --repository-name "${ECR_REPOSITORY}" \
              --image-scanning-configuration scanOnPush=true \
              --encryption-configuration encryptionType=AES256 >/dev/null

          aws ecr get-login-password --region "${AWS_REGION}" \
            | docker login --username AWS --password-stdin "${ecr_registry}"

          docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:latest"

          # Push BEFORE cleaning up: if the push fails, the previously
          # published image is still in the repository.
          docker push "${ecr_image}:latest"

          # Moving `latest` to the new image leaves the previous one untagged;
          # remove those leftovers. Cleanup stays best-effort: a failed delete
          # only prints a warning.
          stale_image_ids="$(aws ecr list-images \
            --region "${AWS_REGION}" \
            --repository-name "${ECR_REPOSITORY}" \
            --filter tagStatus=UNTAGGED \
            --query 'imageIds[*]' \
            --output json)"
          if [ "${stale_image_ids}" != "[]" ]; then
            aws ecr batch-delete-image \
              --region "${AWS_REGION}" \
              --repository-name "${ECR_REPOSITORY}" \
              --image-ids "${stale_image_ids}" >/dev/null \
              || echo "Warning: ECR image cleanup failed; ensure the CI AWS user has ecr:BatchDeleteImage" >&2
          fi

  # Job 2: pull the published image on the production host and restart the
  # compose stack. Runs only after the build job succeeds.
  deploy-production:
    needs: build-backend-image
    runs-on: wsl2-docker-host
    steps:
      # Fails fast when any secret needed by the deploy step is empty.
      - name: Validate deploy configuration
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
        run: |
          set -euo pipefail
          test -n "${DEPLOY_SSH_KEY}"
          test -n "${DEPLOY_HOST}"
          test -n "${DEPLOY_USER}"
          test -n "${AWS_ACCESS_KEY_ID}"
          test -n "${AWS_SECRET_ACCESS_KEY}"
          test -n "${AWS_REGION}"

      - name: Deploy production server
        # bash is required for `printf %q` below.
        shell: bash
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          set -euo pipefail
          install -m 700 -d ~/.ssh

          # Never leave the private key behind on the runner, whether the
          # deploy succeeds or fails.
          trap 'rm -f ~/.ssh/eryao_deploy_key' EXIT
          printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/eryao_deploy_key
          chmod 600 ~/.ssh/eryao_deploy_key

          # NOTE(review): this trusts whatever host key is offered on each run
          # and appends to known_hosts every time; consider pinning the host
          # key through a secret instead.
          ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts

          # The AWS credentials are sent on stdin as shell-quoted `export`
          # lines ahead of the script, not on the SSH command line, so they do
          # not appear in the remote process list and survive any quoting
          # characters in their values. The heredoc body and its terminator
          # must stay at the base indentation of this script.
          {
            printf 'export AWS_ACCESS_KEY_ID=%q\n' "${AWS_ACCESS_KEY_ID}"
            printf 'export AWS_SECRET_ACCESS_KEY=%q\n' "${AWS_SECRET_ACCESS_KEY}"
            printf 'export AWS_DEFAULT_REGION=%q\n' "${AWS_REGION}"
            printf 'export AWS_REGION=%q\n' "${AWS_REGION}"
            cat <<'REMOTE'
          set -euo pipefail
          cd ~/deploy
          # Export every variable defined in the host's .env file.
          set -a
          . ./.env
          set +a
          ecr_registry="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
          aws ecr get-login-password --region "${AWS_REGION}" \
            | sudo docker login --username AWS --password-stdin "${ecr_registry}"
          sudo docker compose --env-file ./.env -f docker-compose.prod.yml --profile workers pull
          sudo docker compose --env-file ./.env -f docker-compose.prod.yml --profile workers up -d --remove-orphans
          # Poll the health endpoint up to 12 times, 5 seconds apart; on the
          # final failure dump compose status and backend logs, then fail.
          for attempt in $(seq 1 12); do
            if curl -fsS "http://127.0.0.1:${ERYAO_WEB__PORT:-5775}/health"; then
              break
            fi
            if [ "${attempt}" -eq 12 ]; then
              sudo docker compose --env-file ./.env -f docker-compose.prod.yml --profile workers ps
              sudo docker logs --tail 200 eryao-prod-backend || true
              exit 1
            fi
            sleep 5
          done
          # Drop unused images older than 168 hours.
          sudo docker image prune -af --filter "until=168h"
          REMOTE
          } | ssh -i ~/.ssh/eryao_deploy_key \
            -o IdentitiesOnly=yes \
            "${DEPLOY_USER}@${DEPLOY_HOST}" \
            "bash -se"