avm/state-corp-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: deploy dev through compose
All checks were successful
CI/CD Pipeline / Run Tests (push) Successful in 2m21s
Details
CI/CD Pipeline / Code Quality Checks (push) Successful in 2m44s
Details
CI/CD Pipeline / Build and Push Dev Images (push) Successful in 3m4s
Details
CI/CD Pipeline / Deploy Dev via Compose (push) Successful in 43s
Details

Browse Source
This commit is contained in:
Aleksandr Meshchriakov
2026-06-02 00:01:40 +02:00
parent b64425b31d
commit 943abb16ce
1 changed files with 79 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

172
.gitea/workflows/ci-cd.yml
View File

@@ -14,6 +14,10 @@ on:
env: env:
PYTHON_VERSION: "3.11" PYTHON_VERSION: "3.11"
REGISTRY_HOST: "registry.dev.nii-ecos.ru"
REGISTRY_NAMESPACE: "${{ github.repository_owner }}"
WEB_IMAGE: "state-corp-backend-web"
CELERY_IMAGE: "state-corp-backend-celery"
jobs: jobs:
lint: lint:
@@ -109,49 +113,12 @@ jobs:
export PYTHONPATH="${PWD}/src:${PYTHONPATH:-}" export PYTHONPATH="${PWD}/src:${PYTHONPATH:-}"
.venv/bin/python -m pytest tests -q .venv/bin/python -m pytest tests -q
build: build_push:
name: Build Docker Images name: Build and Push Dev Images
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 45
needs: [lint, test] needs: [lint, test]
if: github.event_name == 'push' && github.ref == 'refs/heads/dev' && !contains(github.event.head_commit.message, '#no_image')
steps:
- name: Checkout code
run: |
set -euo pipefail
REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|")
BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" .
git checkout "${GITHUB_SHA}"
- name: Build web image
run: |
set -euo pipefail
BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g')
SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
docker build \
-f ./docker/Dockerfile \
--target runtime-web \
-t state_corp-web:${BRANCH_TAG} \
-t state_corp-web:${BRANCH_TAG}-${SHA_SHORT} \
.
- name: Build celery image
run: |
set -euo pipefail
BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g')
SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
docker build \
-f ./docker/Dockerfile \
--target runtime-celery \
-t state_corp-celery:${BRANCH_TAG} \
-t state_corp-celery:${BRANCH_TAG}-${SHA_SHORT} \
.
push:
name: Push to Gitea Registry
runs-on: ubuntu-latest
needs: [build]
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/dev'
steps: steps:
- name: Checkout code - name: Checkout code
@@ -164,46 +131,63 @@ jobs:
- name: Build and push images - name: Build and push images
env: env:
REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_USER: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
run: | run: |
set -euo pipefail set -euo pipefail
if [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then if [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then
echo "Registry credentials are not configured; skipping image push." echo "Registry credentials are not configured" >&2
exit 0 exit 1
fi fi
curl -sL https://github.com/google/go-containerregistry/releases/download/v0.19.0/go-containerregistry_Linux_x86_64.tar.gz | tar xz crane SHA_SHORT="$(printf '%s' "${GITHUB_SHA}" | cut -c1-7)"
chmod +x crane BUILD_TIME="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
REGISTRY="${REGISTRY_HOST}/${REGISTRY_NAMESPACE}"
WEB_REF="${REGISTRY}/${WEB_IMAGE}"
CELERY_REF="${REGISTRY}/${CELERY_IMAGE}"
BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') echo "${REGISTRY_PASSWORD}" \
SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7) | docker login "${REGISTRY_HOST}" \
REGISTRY_HOST="10.10.0.10:3000" -u "${REGISTRY_USER}" \
REGISTRY="${REGISTRY_HOST}/${{ github.repository_owner }}" --password-stdin
echo "${REGISTRY_PASSWORD}" | ./crane auth login --insecure "${REGISTRY_HOST}" -u "${REGISTRY_USER}" --password-stdin if ! docker buildx inspect state-corp-builder >/dev/null 2>&1; then
docker buildx create --name state-corp-builder --use
docker build -f ./docker/Dockerfile --target runtime-web -t state_corp-web:local . else
docker save state_corp-web:local -o /tmp/web.tar docker buildx use state-corp-builder
./crane push --insecure /tmp/web.tar "${REGISTRY}/state_corp-web:${BRANCH_TAG}"
./crane push --insecure /tmp/web.tar "${REGISTRY}/state_corp-web:${BRANCH_TAG}-${SHA_SHORT}"
if [ "${GITHUB_REF_NAME}" = "dev" ]; then
./crane push --insecure /tmp/web.tar "${REGISTRY}/state_corp-web:latest"
fi fi
docker buildx inspect --bootstrap
docker build -f ./docker/Dockerfile --target runtime-celery -t state_corp-celery:local . docker buildx build \
docker save state_corp-celery:local -o /tmp/celery.tar -f ./docker/Dockerfile \
./crane push --insecure /tmp/celery.tar "${REGISTRY}/state_corp-celery:${BRANCH_TAG}" --target runtime-web \
./crane push --insecure /tmp/celery.tar "${REGISTRY}/state_corp-celery:${BRANCH_TAG}-${SHA_SHORT}" --build-arg INSTALL_DEV=false \
if [ "${GITHUB_REF_NAME}" = "dev" ]; then --label "org.opencontainers.image.revision=${GITHUB_SHA}" \
./crane push --insecure /tmp/celery.tar "${REGISTRY}/state_corp-celery:latest" --label "org.opencontainers.image.source=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" \
fi --label "org.opencontainers.image.created=${BUILD_TIME}" \
--tag "${WEB_REF}:dev-${SHA_SHORT}" \
--tag "${WEB_REF}:dev" \
--push \
.
deploy: docker buildx build \
name: Deploy to Server -f ./docker/Dockerfile \
--target runtime-celery \
--build-arg INSTALL_DEV=false \
--label "org.opencontainers.image.revision=${GITHUB_SHA}" \
--label "org.opencontainers.image.source=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" \
--label "org.opencontainers.image.created=${BUILD_TIME}" \
--tag "${CELERY_REF}:dev-${SHA_SHORT}" \
--tag "${CELERY_REF}:dev" \
--push \
.
deploy_dev:
name: Deploy Dev via Compose
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [push] timeout-minutes: 5
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/dev' needs: [build_push]
if: needs.build_push.result == 'success'
steps: steps:
- name: Checkout code - name: Checkout code
@@ -214,38 +198,40 @@ jobs:
git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" .
git checkout "${GITHUB_SHA}" git checkout "${GITHUB_SHA}"
- name: Deploy via SSH - name: Deploy prebuilt images via SSH
env: env:
DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
DEPLOY_USER: ${{ secrets.DEPLOY_USER }} DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
run: | run: |
set -euo pipefail set -euo pipefail
if [ -z "${DEPLOY_HOST:-}" ] || [ -z "${DEPLOY_USER:-}" ] || [ -z "${DEPLOY_SSH_KEY:-}" ] || [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then
echo "Deploy credentials are not configured; skipping deploy." if [ "${GITHUB_REF}" != "refs/heads/dev" ]; then
echo "Skip dev deploy for ${GITHUB_REF}"
exit 0 exit 0
fi fi
BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') case "${HEAD_COMMIT_MESSAGE:-}" in
*"#no_deploy"* | *"#no_image"*)
echo "Skip dev deploy because commit message disables deploy or image build"
exit 0
;;
esac
short_sha="$(printf '%s' "${GITHUB_SHA}" | cut -c1-7)"
image_tag="dev-${short_sha}"
mkdir -p ~/.ssh mkdir -p ~/.ssh
echo "${DEPLOY_SSH_KEY}" | base64 -d > ~/.ssh/deploy_key printf '%s' "${DEPLOY_SSH_KEY}" | base64 -d > ~/.ssh/ecos_deploy_key
chmod 600 ~/.ssh/deploy_key chmod 0600 ~/.ssh/ecos_deploy_key
ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null
tmp_current="$(mktemp)"
scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no docker-compose.prod.yml "${DEPLOY_USER}@${DEPLOY_HOST}:/opt/state-corp-backend/" ssh -i ~/.ssh/ecos_deploy_key "${DEPLOY_USER}@${DEPLOY_HOST}" 'cat /opt/ecos-dev/releases/current.env' > "${tmp_current}"
grep -v '^STATE_CORP_BACKEND_' "${tmp_current}" > "${tmp_current}.new"
ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" " cat >> "${tmp_current}.new" <<EOF
set -euo pipefail STATE_CORP_BACKEND_WEB_IMAGE=${REGISTRY_HOST}/avm/state-corp-backend-web:${image_tag}
cd /opt/state-corp-backend STATE_CORP_BACKEND_CELERY_IMAGE=${REGISTRY_HOST}/avm/state-corp-backend-celery:${image_tag}
echo '${REGISTRY_PASSWORD}' | docker login --username '${REGISTRY_USER}' --password-stdin 10.10.0.10:3000 EOF
REGISTRY=10.10.0.10:3000/${{ github.repository_owner }} scp -i ~/.ssh/ecos_deploy_key "${tmp_current}.new" "${DEPLOY_USER}@${DEPLOY_HOST}:/tmp/current.env"
export WEB_IMAGE=\${REGISTRY}/state_corp-web:${BRANCH_TAG} ssh -i ~/.ssh/ecos_deploy_key "${DEPLOY_USER}@${DEPLOY_HOST}" 'cat /tmp/current.env > /opt/ecos-dev/releases/current.env && rm -f /tmp/current.env && /opt/ecos-dev/deploy.sh state-corp-backend'
export CELERY_IMAGE=\${REGISTRY}/state_corp-celery:${BRANCH_TAG}
docker compose --env-file .env.prod -f docker-compose.prod.yml pull web celery_worker celery_beat
docker compose --env-file .env.prod -f docker-compose.prod.yml down --remove-orphans || true
docker compose --env-file .env.prod -f docker-compose.prod.yml up -d
docker image prune -f
"