qzl/eryao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a9c026b1bb9e0eb827f85d27135ff928b7a5dbe
eryao/.gitea/workflows/build-production-docker.yml
T
zl-q 08460c6ca9 ci: retry ecr push before cleanup
2026-05-21 16:59:57 +08:00

196 lines
7.2 KiB
YAML
Raw Blame History

name: Build production Docker image
on:
push:
branches:
- main
workflow_dispatch:
jobs:
build-backend-image:
runs-on: wsl2-docker-host
env:
IMAGE_NAME: eryao-backend
IMAGE_SIZE_LIMIT_BYTES: 500000000
RUNNER_REPO_CACHE: /home/zl/Code/eryao
steps:
- name: Check out repository
run: |
set -euo pipefail
git -C "${RUNNER_REPO_CACHE}" fetch --no-tags origin "${GITHUB_SHA}"
git init .
git remote add origin "${RUNNER_REPO_CACHE}/.git"
git fetch --no-tags --depth=1 origin "${GITHUB_SHA}"
git checkout --detach FETCH_HEAD
- name: Validate ECR configuration
run: |
set -euo pipefail
test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
test -n "${{ secrets.AWS_REGION }}"
test -n "${{ secrets.AWS_ACCOUNT_ID }}"
test -n "${{ secrets.ECR_REPOSITORY }}"
- name: Build backend production image
run: |
set -euo pipefail
docker buildx build \
--provenance=false \
--load \
--file backend/Dockerfile \
--tag ${IMAGE_NAME}:prod-${GITHUB_SHA} \
.
- name: Check image size budget
run: |
set -euo pipefail
image_size_bytes="$(docker image inspect ${IMAGE_NAME}:prod-${GITHUB_SHA} --format '{{.Size}}')"
echo "Image size: ${image_size_bytes} bytes"
if [ "${image_size_bytes}" -gt "${IMAGE_SIZE_LIMIT_BYTES}" ]; then
echo "Image exceeds ${IMAGE_SIZE_LIMIT_BYTES} bytes" >&2
exit 1
fi
- name: Smoke test backend image
run: |
set -euo pipefail
docker run --rm \
-e ERYAO_RUNTIME__ENVIRONMENT=prod \
-e ERYAO_SUPABASE__PUBLIC_URL=http://localhost:8001 \
-e ERYAO_POINTS_POLICY__REGISTER_BONUS_HMAC_KEY=ci-smoke-test-key \
--entrypoint python \
${IMAGE_NAME}:prod-${GITHUB_SHA} \
-c "import app; print(app.app.title)"
- name: Push backend image to ECR
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
AWS_REGION: ${{ secrets.AWS_REGION }}
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
run: |
set -euo pipefail
caller_account_id="$(aws sts get-caller-identity --query Account --output text)"
if [ "${caller_account_id}" != "${AWS_ACCOUNT_ID}" ]; then
echo "AWS_ACCOUNT_ID does not match caller identity" >&2
exit 1
fi
ecr_registry="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
ecr_image="${ecr_registry}/${ECR_REPOSITORY}"
aws ecr describe-repositories \
--region "${AWS_REGION}" \
--repository-names "${ECR_REPOSITORY}" >/dev/null 2>&1 \
|| aws ecr create-repository \
--region "${AWS_REGION}" \
--repository-name "${ECR_REPOSITORY}" \
--image-scanning-configuration scanOnPush=true \
--encryption-configuration encryptionType=AES256 >/dev/null
aws ecr get-login-password --region "${AWS_REGION}" \
| docker login --username AWS --password-stdin "${ecr_registry}"
docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:latest"
retry() {
for attempt in 1 2 3; do
if "$@"; then
return 0
fi
if [ "${attempt}" -eq 3 ]; then
return 1
fi
sleep "$((attempt * 5))"
done
}
retry docker push "${ecr_image}:latest"
untagged_image_ids="$(aws ecr list-images \
--region "${AWS_REGION}" \
--repository-name "${ECR_REPOSITORY}" \
--filter tagStatus=UNTAGGED \
--query 'imageIds[*]' \
--output json)"
if [ "${untagged_image_ids}" != "[]" ]; then
aws ecr batch-delete-image \
--region "${AWS_REGION}" \
--repository-name "${ECR_REPOSITORY}" \
--image-ids "${untagged_image_ids}" >/dev/null \
|| echo "Warning: ECR image cleanup failed; ensure the CI AWS user has ecr:BatchDeleteImage" >&2
fi
deploy-production:
needs: build-backend-image
runs-on: wsl2-docker-host
steps:
- name: Validate deploy configuration
env:
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ${{ secrets.AWS_REGION }}
run: |
set -euo pipefail
test -n "${DEPLOY_SSH_KEY}"
test -n "${DEPLOY_HOST}"
test -n "${DEPLOY_USER}"
test -n "${AWS_ACCESS_KEY_ID}"
test -n "${AWS_SECRET_ACCESS_KEY}"
test -n "${AWS_REGION}"
- name: Deploy production server
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
AWS_REGION: ${{ secrets.AWS_REGION }}
DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
set -euo pipefail
install -m 700 -d ~/.ssh
printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/eryao_deploy_key
chmod 600 ~/.ssh/eryao_deploy_key
ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts
ssh -i ~/.ssh/eryao_deploy_key \
-o IdentitiesOnly=yes \
"${DEPLOY_USER}@${DEPLOY_HOST}" \
"AWS_ACCESS_KEY_ID='${AWS_ACCESS_KEY_ID}' AWS_SECRET_ACCESS_KEY='${AWS_SECRET_ACCESS_KEY}' AWS_DEFAULT_REGION='${AWS_REGION}' AWS_REGION='${AWS_REGION}' bash -se" <<'REMOTE'
set -euo pipefail
cd ~/deploy
set -a
. ./.env
set +a
ecr_registry="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
aws ecr get-login-password --region "${AWS_REGION}" \
| sudo docker login --username AWS --password-stdin "${ecr_registry}"
sudo docker compose --env-file ./.env -f docker-compose.prod.yml --profile workers pull
sudo docker compose --env-file ./.env -f docker-compose.prod.yml --profile workers up -d --remove-orphans
for attempt in $(seq 1 12); do
if curl -fsS "http://127.0.0.1:${ERYAO_WEB__PORT:-5775}/health"; then
break
fi
if [ "${attempt}" -eq 12 ]; then
sudo docker compose --env-file ./.env -f docker-compose.prod.yml --profile workers ps
sudo docker logs --tail 200 eryao-prod-backend || true
exit 1
fi
sleep 5
done
sudo docker image prune -af --filter "until=168h"
REMOTE
Reference in New Issue View Git Blame Copy Permalink