name: CI/CD Pipeline on: push: branches: - main - dev - "feature/**" pull_request: branches: - main - dev env: PYTHON_VERSION: "3.11" REGISTRY_HOST: "10.10.0.10:3000" WEB_IMAGE: "mostovik-web" CELERY_IMAGE: "mostovik-celery" jobs: lint: name: Code Quality Checks runs-on: ubuntu-latest if: ${{ !contains(github.event.head_commit.message, '#no_lint') }} steps: - name: Checkout code run: | REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Install Python and uv run: | set -euo pipefail apt-get update apt-get install -y software-properties-common add-apt-repository -y ppa:deadsnakes/ppa apt-get update apt-get install -y python3.11 python3.11-venv curl -LsSf https://astral.sh/uv/install.sh | sh - name: Create virtual environment and install dependencies run: | set -euo pipefail export PATH="$HOME/.local/bin:$PATH" uv venv --python python3.11 . .venv/bin/activate uv sync --dev --frozen - name: Run Ruff linting run: | set -euo pipefail . .venv/bin/activate ruff check src - name: Run Ruff formatting check run: | set -euo pipefail . .venv/bin/activate ruff format src --check test: name: Run Tests runs-on: ubuntu-latest if: ${{ !contains(github.event.head_commit.message, '#no_test') }} steps: - name: Checkout code run: | REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Install Python and uv run: | set -euo pipefail apt-get update apt-get install -y software-properties-common add-apt-repository -y ppa:deadsnakes/ppa apt-get update apt-get install -y python3.11 python3.11-venv curl -LsSf https://astral.sh/uv/install.sh | sh - name: Create virtual environment and install dependencies run: | set -euo pipefail export PATH="$HOME/.local/bin:$PATH" uv venv --python python3.11 . .venv/bin/activate uv sync --dev --frozen - name: Run Django tests env: DJANGO_SETTINGS_MODULE: config.settings.test SECRET_KEY: test-secret-key-for-ci run: | set -euo pipefail . .venv/bin/activate export PYTHONPATH="${PWD}/src:${PYTHONPATH:-}" python src/manage.py test tests --verbosity=2 build_push: name: Build & Push Images runs-on: ubuntu-latest needs: [lint, test] if: | always() && github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && (github.ref == 'refs/heads/dev' || ( (needs.lint.result == 'success' || needs.lint.result == 'skipped') && (needs.test.result == 'success' || needs.test.result == 'skipped') )) steps: - name: Checkout code run: | REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Build and push images env: REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} run: | set -euo pipefail curl -sL https://github.com/google/go-containerregistry/releases/download/v0.19.0/go-containerregistry_Linux_x86_64.tar.gz | tar xz crane chmod +x crane BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7) REPO_OWNER="${GITHUB_REPOSITORY%%/*}" REGISTRY="${REGISTRY_HOST}/${REPO_OWNER}" echo "Registry: ${REGISTRY_HOST}" echo "Actor: ${GITHUB_ACTOR}" echo "${REGISTRY_PASSWORD}" | ./crane auth login --insecure "${REGISTRY_HOST}" -u "${REGISTRY_USER}" --password-stdin docker build -f ./docker/Dockerfile.web -t "${WEB_IMAGE}:local" . docker save "${WEB_IMAGE}:local" -o /tmp/web.tar ./crane push --insecure /tmp/web.tar "${REGISTRY}/${WEB_IMAGE}:${BRANCH_TAG}" ./crane push --insecure /tmp/web.tar "${REGISTRY}/${WEB_IMAGE}:${BRANCH_TAG}-${SHA_SHORT}" if [ "${GITHUB_REF_NAME}" = "main" ]; then ./crane push --insecure /tmp/web.tar "${REGISTRY}/${WEB_IMAGE}:latest" fi docker build -f ./docker/Dockerfile.celery -t "${CELERY_IMAGE}:local" . docker save "${CELERY_IMAGE}:local" -o /tmp/celery.tar ./crane push --insecure /tmp/celery.tar "${REGISTRY}/${CELERY_IMAGE}:${BRANCH_TAG}" ./crane push --insecure /tmp/celery.tar "${REGISTRY}/${CELERY_IMAGE}:${BRANCH_TAG}-${SHA_SHORT}" if [ "${GITHUB_REF_NAME}" = "main" ]; then ./crane push --insecure /tmp/celery.tar "${REGISTRY}/${CELERY_IMAGE}:latest" fi - name: Image summary run: | REPO_OWNER="${GITHUB_REPOSITORY%%/*}" echo "Images pushed to ${REGISTRY_HOST}/${REPO_OWNER}/" deploy_dev: name: Deploy (dev) runs-on: ubuntu-latest needs: [build_push] if: github.event_name == 'push' && github.ref == 'refs/heads/dev' concurrency: deploy-dev environment: dev steps: - name: Checkout code run: | REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Deploy via SSH env: DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} DEPLOY_USER: ${{ secrets.DEPLOY_USER }} DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} run: | set -euo pipefail BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') mkdir -p ~/.ssh echo "${DEPLOY_SSH_KEY}" | base64 -d > ~/.ssh/deploy_key chmod 600 ~/.ssh/deploy_key ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" "mkdir -p /opt/mostovik-backend" scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no docker-compose.prod.yml "${DEPLOY_USER}@${DEPLOY_HOST}:/opt/mostovik-backend/" ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" " set -e # Configure insecure registry if not already configured if ! grep -q '${REGISTRY_HOST}' /etc/docker/daemon.json 2>/dev/null; then echo '{\"insecure-registries\": [\"${REGISTRY_HOST}\"]}' > /etc/docker/daemon.json systemctl restart docker fi cd /opt/mostovik-backend echo '${REGISTRY_PASSWORD}' | docker login --username '${REGISTRY_USER}' --password-stdin ${REGISTRY_HOST} export IMAGE_TAG=${BRANCH_TAG} docker compose -f docker-compose.prod.yml pull web celery_worker celery_beat docker compose -f docker-compose.prod.yml down --remove-orphans || true docker rm -f mostovik_web mostovik_celery_worker mostovik_celery_beat 2>/dev/null || true docker compose -f docker-compose.prod.yml up -d docker image prune -f " echo "Deployed ${BRANCH_TAG} to ${DEPLOY_HOST}" deploy_prod: name: Deploy (prod) runs-on: ubuntu-latest needs: [build_push] if: github.event_name == 'push' && github.ref == 'refs/heads/main' concurrency: deploy-prod environment: prod steps: - name: Checkout code run: | REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Deploy via SSH env: DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} DEPLOY_USER: ${{ secrets.DEPLOY_USER }} DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} run: | set -euo pipefail BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') mkdir -p ~/.ssh echo "${DEPLOY_SSH_KEY}" | base64 -d > ~/.ssh/deploy_key chmod 600 ~/.ssh/deploy_key ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" "mkdir -p /opt/mostovik-backend" scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no docker-compose.prod.yml "${DEPLOY_USER}@${DEPLOY_HOST}:/opt/mostovik-backend/" ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" " set -e # Configure insecure registry if not already configured if ! grep -q '${REGISTRY_HOST}' /etc/docker/daemon.json 2>/dev/null; then echo '{\"insecure-registries\": [\"${REGISTRY_HOST}\"]}' > /etc/docker/daemon.json systemctl restart docker fi cd /opt/mostovik-backend echo '${REGISTRY_PASSWORD}' | docker login --username '${REGISTRY_USER}' --password-stdin ${REGISTRY_HOST} export IMAGE_TAG=${BRANCH_TAG} docker compose -f docker-compose.prod.yml pull web celery_worker celery_beat docker compose -f docker-compose.prod.yml down --remove-orphans || true docker rm -f mostovik_web mostovik_celery_worker mostovik_celery_beat 2>/dev/null || true docker compose -f docker-compose.prod.yml up -d docker image prune -f " echo "Deployed ${BRANCH_TAG} to ${DEPLOY_HOST}"