name: CI/CD Pipeline on: push: branches: - main - develop - dev pull_request: branches: - main - develop - dev env: PYTHON_VERSION: "3.11" jobs: lint: name: Code Quality Checks runs-on: ubuntu-latest timeout-minutes: 15 steps: - name: Checkout code run: | set -euo pipefail REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Install Python and uv run: | set -euo pipefail PROJECT_PYTHON_VERSION="$(cat .python-version 2>/dev/null || printf '%s' "${PYTHON_VERSION}")" PYTHON_BIN="$(./scripts/ensure-ci-python.sh "${PROJECT_PYTHON_VERSION}")" printf 'PYTHON_BIN=%s\n' "${PYTHON_BIN}" > .ci-python-env - name: Create virtual environment and install dependencies run: | set -euo pipefail . ./.ci-python-env "${PYTHON_BIN}" -m venv .venv . .venv/bin/activate python -m pip install --upgrade pip uv uv sync \ --dev \ --frozen \ --active \ --python "${PYTHON_BIN}" \ --no-managed-python \ --no-python-downloads - name: Run Ruff linting run: | set -euo pipefail . .venv/bin/activate ruff check src tests scripts - name: Run Ruff formatting check run: | set -euo pipefail . .venv/bin/activate ruff format src tests scripts --check test: name: Run Tests runs-on: ubuntu-latest timeout-minutes: 20 steps: - name: Checkout code run: | set -euo pipefail REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Install Python and uv run: | set -euo pipefail PROJECT_PYTHON_VERSION="$(cat .python-version 2>/dev/null || printf '%s' "${PYTHON_VERSION}")" PYTHON_BIN="$(./scripts/ensure-ci-python.sh "${PROJECT_PYTHON_VERSION}")" printf 'PYTHON_BIN=%s\n' "${PYTHON_BIN}" > .ci-python-env - name: Create virtual environment and install dependencies run: | set -euo pipefail . ./.ci-python-env "${PYTHON_BIN}" -m venv .venv . .venv/bin/activate python -m pip install --upgrade pip uv uv sync \ --dev \ --frozen \ --active \ --python "${PYTHON_BIN}" \ --no-managed-python \ --no-python-downloads - name: Run pytest suite env: DJANGO_SETTINGS_MODULE: settings.test SECRET_KEY: test-secret-key-for-ci run: | set -euo pipefail export PYTHONPATH="${PWD}/src:${PYTHONPATH:-}" .venv/bin/python -m pytest tests -q build: name: Build Docker Images runs-on: ubuntu-latest needs: [lint, test] steps: - name: Checkout code run: | set -euo pipefail REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Build web image run: | set -euo pipefail BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7) docker build \ -f ./docker/Dockerfile \ --target runtime-web \ -t state_corp-web:${BRANCH_TAG} \ -t state_corp-web:${BRANCH_TAG}-${SHA_SHORT} \ . - name: Build celery image run: | set -euo pipefail BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7) docker build \ -f ./docker/Dockerfile \ --target runtime-celery \ -t state_corp-celery:${BRANCH_TAG} \ -t state_corp-celery:${BRANCH_TAG}-${SHA_SHORT} \ . push: name: Push to Gitea Registry runs-on: ubuntu-latest needs: [build] if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/dev' steps: - name: Checkout code run: | set -euo pipefail REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Build and push images env: REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} run: | set -euo pipefail if [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then echo "Registry credentials are not configured; skipping image push." exit 0 fi curl -sL https://github.com/google/go-containerregistry/releases/download/v0.19.0/go-containerregistry_Linux_x86_64.tar.gz | tar xz crane chmod +x crane BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7) REGISTRY_HOST="10.10.0.10:3000" REGISTRY="${REGISTRY_HOST}/${{ github.repository_owner }}" echo "${REGISTRY_PASSWORD}" | ./crane auth login --insecure "${REGISTRY_HOST}" -u "${REGISTRY_USER}" --password-stdin docker build -f ./docker/Dockerfile --target runtime-web -t state_corp-web:local . docker save state_corp-web:local -o /tmp/web.tar ./crane push --insecure /tmp/web.tar "${REGISTRY}/state_corp-web:${BRANCH_TAG}" ./crane push --insecure /tmp/web.tar "${REGISTRY}/state_corp-web:${BRANCH_TAG}-${SHA_SHORT}" if [ "${GITHUB_REF_NAME}" = "dev" ]; then ./crane push --insecure /tmp/web.tar "${REGISTRY}/state_corp-web:latest" fi docker build -f ./docker/Dockerfile --target runtime-celery -t state_corp-celery:local . docker save state_corp-celery:local -o /tmp/celery.tar ./crane push --insecure /tmp/celery.tar "${REGISTRY}/state_corp-celery:${BRANCH_TAG}" ./crane push --insecure /tmp/celery.tar "${REGISTRY}/state_corp-celery:${BRANCH_TAG}-${SHA_SHORT}" if [ "${GITHUB_REF_NAME}" = "dev" ]; then ./crane push --insecure /tmp/celery.tar "${REGISTRY}/state_corp-celery:latest" fi deploy: name: Deploy to Server runs-on: ubuntu-latest needs: [push] if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/dev' steps: - name: Checkout code run: | set -euo pipefail REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . git checkout "${GITHUB_SHA}" - name: Deploy via SSH env: DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} DEPLOY_USER: ${{ secrets.DEPLOY_USER }} DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} run: | set -euo pipefail if [ -z "${DEPLOY_HOST:-}" ] || [ -z "${DEPLOY_USER:-}" ] || [ -z "${DEPLOY_SSH_KEY:-}" ] || [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then echo "Deploy credentials are not configured; skipping deploy." exit 0 fi BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') mkdir -p ~/.ssh echo "${DEPLOY_SSH_KEY}" | base64 -d > ~/.ssh/deploy_key chmod 600 ~/.ssh/deploy_key ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no docker-compose.prod.yml "${DEPLOY_USER}@${DEPLOY_HOST}:/opt/state-corp-backend/" ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" " set -euo pipefail cd /opt/state-corp-backend echo '${REGISTRY_PASSWORD}' | docker login --username '${REGISTRY_USER}' --password-stdin 10.10.0.10:3000 REGISTRY=10.10.0.10:3000/${{ github.repository_owner }} export WEB_IMAGE=\${REGISTRY}/state_corp-web:${BRANCH_TAG} export CELERY_IMAGE=\${REGISTRY}/state_corp-celery:${BRANCH_TAG} docker compose --env-file .env.prod -f docker-compose.prod.yml pull web celery_worker celery_beat docker compose --env-file .env.prod -f docker-compose.prod.yml down --remove-orphans || true docker compose --env-file .env.prod -f docker-compose.prod.yml up -d docker image prune -f "