name: Deploy Customer Main on: push: branches: - main workflow_dispatch: concurrency: group: state-corp-backend-customer-main-${{ github.ref }} cancel-in-progress: true env: CUSTOMER_REGISTRY_HOST: registry.dev.nii-ecos.ru CUSTOMER_REGISTRY_NAMESPACE: avm CUSTOMER_WEB_IMAGE: state-corp-backend-web CUSTOMER_CELERY_IMAGE: state-corp-backend-celery CUSTOMER_DEPLOY_USER: ecos CUSTOMER_DEPLOY_HOST: 10.0.10.174 CUSTOMER_SSH_PROXY_HOST: root@10.10.0.121 CUSTOMER_COMPOSE_FILE: /ecos/docker-compose.yml CUSTOMER_DEPLOY_SCRIPT: /ecos/pull-and-run.sh jobs: deploy: name: Build, Push, Deploy runs-on: ubuntu-latest timeout-minutes: 90 steps: - name: Ensure main branch run: | set -euo pipefail if [ "${GITHUB_REF_NAME}" != "main" ]; then echo "Customer deploy is allowed only from main; current ref is ${GITHUB_REF_NAME}" >&2 exit 1 fi - name: Checkout code run: | set -euo pipefail REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git -c core.hooksPath=/dev/null clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git -c core.hooksPath=/dev/null checkout "${GITHUB_SHA}" - name: Validate deploy inputs env: REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} GITEA_TOKEN: ${{ gitea.token }} CUSTOMER_DEPLOY_SSH_KEY: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY }} CUSTOMER_DEPLOY_SSH_KEY_B64: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY_B64 }} DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} run: | set -euo pipefail registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-${GITHUB_ACTOR:-}}}" registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-${GITEA_TOKEN:-}}}" home_dir="${HOME:-/root}" if [ -z "${registry_user}" ]; then echo "Missing registry user secret: set REGISTRY_USER or REGISTRY_USERNAME" >&2 exit 1 fi if [ -z "${registry_password}" ]; then echo "Missing registry password secret: set REGISTRY_TOKEN or REGISTRY_PASSWORD" >&2 exit 1 fi if [ -z "${CUSTOMER_DEPLOY_SSH_KEY:-}" ] \ && [ -z "${CUSTOMER_DEPLOY_SSH_KEY_B64:-}" ] \ && [ -z "${DEPLOY_SSH_KEY:-}" ] \ && [ ! -f "${home_dir}/.ssh/ci-key" ] \ && [ ! -f "/root/.ssh/ci-key" ]; then echo "Missing customer SSH key: set CUSTOMER_DEPLOY_SSH_KEY_B64, CUSTOMER_DEPLOY_SSH_KEY, DEPLOY_SSH_KEY, or install ~/.ssh/ci-key on the runner" >&2 exit 1 fi - name: Setup Docker Buildx run: | set -euo pipefail if ! docker buildx inspect customer-builder >/dev/null 2>&1; then docker buildx create --name customer-builder --driver docker-container --use else docker buildx use customer-builder fi docker buildx inspect --bootstrap - name: Build and push customer images env: REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} GITEA_TOKEN: ${{ gitea.token }} run: | set -euo pipefail registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-${GITHUB_ACTOR:-}}}" registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-${GITEA_TOKEN:-}}}" sha_short="$(printf '%s' "${GITHUB_SHA}" | cut -c1-12)" registry_path="${CUSTOMER_REGISTRY_HOST}/${CUSTOMER_REGISTRY_NAMESPACE}" web_ref="${registry_path}/${CUSTOMER_WEB_IMAGE}" celery_ref="${registry_path}/${CUSTOMER_CELERY_IMAGE}" printf '%s' "${registry_password}" \ | docker login "${CUSTOMER_REGISTRY_HOST}" \ -u "${registry_user}" \ --password-stdin docker buildx build \ --platform linux/amd64 \ -f ./docker/Dockerfile \ --target runtime-web \ --build-arg INSTALL_DEV=false \ --push \ -t "${web_ref}:latest" \ -t "${web_ref}:${sha_short}" \ . docker buildx build \ --platform linux/amd64 \ -f ./docker/Dockerfile \ --target runtime-celery \ --build-arg INSTALL_DEV=false \ --push \ -t "${celery_ref}:latest" \ -t "${celery_ref}:${sha_short}" \ . - name: Deploy customer stack env: CUSTOMER_DEPLOY_SSH_KEY: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY }} CUSTOMER_DEPLOY_SSH_KEY_B64: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY_B64 }} DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} run: | set -euo pipefail home_dir="${HOME:-/root}" mkdir -p "${home_dir}/.ssh" key_path="${home_dir}/.ssh/customer_deploy_key" if [ -n "${CUSTOMER_DEPLOY_SSH_KEY_B64:-}" ]; then printf '%s' "${CUSTOMER_DEPLOY_SSH_KEY_B64}" | base64 -d > "${key_path}" elif [ -n "${DEPLOY_SSH_KEY:-}" ]; then printf '%s' "${DEPLOY_SSH_KEY}" | base64 -d > "${key_path}" elif [ -n "${CUSTOMER_DEPLOY_SSH_KEY:-}" ]; then printf '%s\n' "${CUSTOMER_DEPLOY_SSH_KEY}" > "${key_path}" elif [ -f "${home_dir}/.ssh/ci-key" ]; then cp "${home_dir}/.ssh/ci-key" "${key_path}" else cp "/root/.ssh/ci-key" "${key_path}" fi chmod 600 "${key_path}" ssh_common=( -i "${key_path}" -o BatchMode=yes -o IdentitiesOnly=yes \ -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=15 ) proxy_command="ssh -i ${key_path} -o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=15 -W %h:%p ${CUSTOMER_SSH_PROXY_HOST}" remote_command="set -euo pipefail flock -w 1800 /tmp/ecos-customer-deploy.lock /bin/sh -c 'cd /ecos && FORCE_PULL=1 COMPOSE_FILE=\"${CUSTOMER_COMPOSE_FILE}\" \"${CUSTOMER_DEPLOY_SCRIPT}\" && docker image prune -f'" ssh "${ssh_common[@]}" -o "ProxyCommand=${proxy_command}" "${CUSTOMER_DEPLOY_USER}@${CUSTOMER_DEPLOY_HOST}" "true" ssh "${ssh_common[@]}" -o "ProxyCommand=${proxy_command}" "${CUSTOMER_DEPLOY_USER}@${CUSTOMER_DEPLOY_HOST}" "${remote_command}"