name: Deploy Customer Main on: push: branches: - main workflow_dispatch: concurrency: group: state-corp-backend-customer-main-${{ github.ref }} cancel-in-progress: true env: CUSTOMER_REGISTRY_HOST: registry.dev.nii-ecos.ru CUSTOMER_REGISTRY_NAMESPACE: avm CUSTOMER_WEB_IMAGE: state-corp-backend-web CUSTOMER_CELERY_IMAGE: state-corp-backend-celery CUSTOMER_DEPLOY_USER: ecos CUSTOMER_DEPLOY_HOST: 10.0.10.174 CUSTOMER_SSH_PROXY_HOST: root@10.10.0.121 CUSTOMER_COMPOSE_FILE: /ecos/docker-compose.yml CUSTOMER_DEPLOY_SCRIPT: /ecos/pull-and-run.sh jobs: deploy: name: Build, Push, Deploy runs-on: ubuntu-latest timeout-minutes: 90 steps: - name: Ensure main branch run: | set -euo pipefail if [ "${GITHUB_REF_NAME}" != "main" ]; then echo "Customer deploy is allowed only from main; current ref is ${GITHUB_REF_NAME}" >&2 exit 1 fi - name: Checkout code run: | set -euo pipefail REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git -c core.hooksPath=/dev/null clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git -c core.hooksPath=/dev/null checkout "${GITHUB_SHA}" - name: Validate deploy inputs env: REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} GITEA_TOKEN: ${{ gitea.token }} CUSTOMER_DEPLOY_SSH_KEY: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY }} CUSTOMER_DEPLOY_SSH_KEY_B64: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY_B64 }} DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} run: | set -euo pipefail registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-${GITHUB_ACTOR:-}}}" registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-${GITEA_TOKEN:-}}}" home_dir="${HOME:-/root}" if [ -z "${registry_user}" ]; then echo "Missing registry user secret: set REGISTRY_USER or REGISTRY_USERNAME" >&2 exit 1 fi if [ -z "${registry_password}" ]; then echo "Missing registry password secret: set REGISTRY_TOKEN or REGISTRY_PASSWORD" >&2 exit 1 fi if [ -z "${CUSTOMER_DEPLOY_SSH_KEY:-}" ] \ && [ -z "${CUSTOMER_DEPLOY_SSH_KEY_B64:-}" ] \ && [ -z "${DEPLOY_SSH_KEY:-}" ] \ && [ ! -f "${home_dir}/.ssh/ci-key" ] \ && [ ! -f "/root/.ssh/ci-key" ]; then echo "Missing customer SSH key: set CUSTOMER_DEPLOY_SSH_KEY_B64, CUSTOMER_DEPLOY_SSH_KEY, DEPLOY_SSH_KEY, or install ~/.ssh/ci-key on the runner" >&2 exit 1 fi - name: Install crane run: | set -euo pipefail curl -fsSL https://github.com/google/go-containerregistry/releases/download/v0.19.0/go-containerregistry_Linux_x86_64.tar.gz \ | tar xz crane chmod +x crane - name: Build and push customer images env: REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} GITEA_TOKEN: ${{ gitea.token }} run: | set -euo pipefail registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-${GITHUB_ACTOR:-}}}" registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-${GITEA_TOKEN:-}}}" sha_short="$(printf '%s' "${GITHUB_SHA}" | cut -c1-12)" registry_path="${CUSTOMER_REGISTRY_HOST}/${CUSTOMER_REGISTRY_NAMESPACE}" web_ref="${registry_path}/${CUSTOMER_WEB_IMAGE}" celery_ref="${registry_path}/${CUSTOMER_CELERY_IMAGE}" printf '%s' "${registry_password}" \ | ./crane auth login "${CUSTOMER_REGISTRY_HOST}" \ -u "${registry_user}" \ --password-stdin docker build \ --platform linux/amd64 \ -f ./docker/Dockerfile \ --target runtime-web \ --build-arg INSTALL_DEV=false \ -t customer-state-corp-backend-web:local \ . docker save customer-state-corp-backend-web:local -o /tmp/customer-state-corp-backend-web.tar ./crane push /tmp/customer-state-corp-backend-web.tar "${web_ref}:latest" ./crane push /tmp/customer-state-corp-backend-web.tar "${web_ref}:${sha_short}" docker build \ --platform linux/amd64 \ -f ./docker/Dockerfile \ --target runtime-celery \ --build-arg INSTALL_DEV=false \ -t customer-state-corp-backend-celery:local \ . docker save customer-state-corp-backend-celery:local -o /tmp/customer-state-corp-backend-celery.tar ./crane push /tmp/customer-state-corp-backend-celery.tar "${celery_ref}:latest" ./crane push /tmp/customer-state-corp-backend-celery.tar "${celery_ref}:${sha_short}" - name: Deploy customer stack env: CUSTOMER_DEPLOY_SSH_KEY: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY }} CUSTOMER_DEPLOY_SSH_KEY_B64: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY_B64 }} DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} run: | set -euo pipefail home_dir="${HOME:-/root}" mkdir -p "${home_dir}/.ssh" key_path="${home_dir}/.ssh/customer_deploy_key" if [ -n "${CUSTOMER_DEPLOY_SSH_KEY_B64:-}" ]; then printf '%s' "${CUSTOMER_DEPLOY_SSH_KEY_B64}" | base64 -d > "${key_path}" elif [ -n "${DEPLOY_SSH_KEY:-}" ]; then printf '%s' "${DEPLOY_SSH_KEY}" | base64 -d > "${key_path}" elif [ -n "${CUSTOMER_DEPLOY_SSH_KEY:-}" ]; then printf '%s\n' "${CUSTOMER_DEPLOY_SSH_KEY}" > "${key_path}" elif [ -f "${home_dir}/.ssh/ci-key" ]; then cp "${home_dir}/.ssh/ci-key" "${key_path}" else cp "/root/.ssh/ci-key" "${key_path}" fi chmod 600 "${key_path}" ssh_common=( -i "${key_path}" -o BatchMode=yes -o IdentitiesOnly=yes \ -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=15 ) proxy_command="ssh -i ${key_path} -o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=15 -W %h:%p ${CUSTOMER_SSH_PROXY_HOST}" remote_command="set -euo pipefail cd /ecos FORCE_PULL=1 COMPOSE_FILE='${CUSTOMER_COMPOSE_FILE}' '${CUSTOMER_DEPLOY_SCRIPT}' docker image prune -f" ssh "${ssh_common[@]}" -o "ProxyCommand=${proxy_command}" "${CUSTOMER_DEPLOY_USER}@${CUSTOMER_DEPLOY_HOST}" "true" ssh "${ssh_common[@]}" -o "ProxyCommand=${proxy_command}" "${CUSTOMER_DEPLOY_USER}@${CUSTOMER_DEPLOY_HOST}" "${remote_command}"