state-corp-backend/.gitea/workflows/ci-cd.yml

name: CI/CD Pipeline

on:
  push:
    branches:
      - main
      - develop
      - dev
  pull_request:
    branches:
      - main
      - develop
      - dev

env:
  PYTHON_VERSION: "3.11"

jobs:
  lint:
    name: Code Quality Checks
    runs-on: ubuntu-latest
    timeout-minutes: 15

    steps:
      - name: Checkout code
        run: |
          set -euo pipefail
          REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|")
          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
          git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" .
          git checkout "${GITHUB_SHA}"

      - name: Install Python and uv
        run: |
          set -euo pipefail
          PROJECT_PYTHON_VERSION="$(cat .python-version 2>/dev/null || printf '%s' "${PYTHON_VERSION}")"
          PYTHON_BIN="$(./scripts/ensure-ci-python.sh "${PROJECT_PYTHON_VERSION}")"
          printf 'PYTHON_BIN=%s\n' "${PYTHON_BIN}" > .ci-python-env

      - name: Create virtual environment and install dependencies
        run: |
          set -euo pipefail
          . ./.ci-python-env
          "${PYTHON_BIN}" -m venv .venv
          . .venv/bin/activate
          python -m pip install --upgrade pip uv
          uv sync \
            --dev \
            --frozen \
            --active \
            --python "${PYTHON_BIN}" \
            --no-managed-python \
            --no-python-downloads

      - name: Run Ruff linting
        run: |
          set -euo pipefail
          . .venv/bin/activate
          ruff check src tests scripts

      - name: Run Ruff formatting check
        run: |
          set -euo pipefail
          . .venv/bin/activate
          ruff format src tests scripts --check

  test:
    name: Run Tests
    runs-on: ubuntu-latest
    timeout-minutes: 20

    steps:
      - name: Checkout code
        run: |
          set -euo pipefail
          REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|")
          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
          git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" .
          git checkout "${GITHUB_SHA}"

      - name: Install Python and uv
        run: |
          set -euo pipefail
          PROJECT_PYTHON_VERSION="$(cat .python-version 2>/dev/null || printf '%s' "${PYTHON_VERSION}")"
          PYTHON_BIN="$(./scripts/ensure-ci-python.sh "${PROJECT_PYTHON_VERSION}")"
          printf 'PYTHON_BIN=%s\n' "${PYTHON_BIN}" > .ci-python-env

      - name: Create virtual environment and install dependencies
        run: |
          set -euo pipefail
          . ./.ci-python-env
          "${PYTHON_BIN}" -m venv .venv
          . .venv/bin/activate
          python -m pip install --upgrade pip uv
          uv sync \
            --dev \
            --frozen \
            --active \
            --python "${PYTHON_BIN}" \
            --no-managed-python \
            --no-python-downloads

      - name: Run pytest suite
        env:
          DJANGO_SETTINGS_MODULE: settings.test
          SECRET_KEY: test-secret-key-for-ci
        run: |
          set -euo pipefail
          export PYTHONPATH="${PWD}/src:${PYTHONPATH:-}"
          .venv/bin/python -m pytest tests -q

  build:
    name: Build Docker Images
    runs-on: ubuntu-latest
    needs: [lint, test]

    steps:
      - name: Checkout code
        run: |
          set -euo pipefail
          REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|")
          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
          git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" .
          git checkout "${GITHUB_SHA}"

      - name: Build web image
        run: |
          set -euo pipefail
          BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g')
          SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
          docker build \
            -f ./docker/Dockerfile \
            --target runtime-web \
            -t state_corp-web:${BRANCH_TAG} \
            -t state_corp-web:${BRANCH_TAG}-${SHA_SHORT} \
            .

      - name: Build celery image
        run: |
          set -euo pipefail
          BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g')
          SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
          docker build \
            -f ./docker/Dockerfile \
            --target runtime-celery \
            -t state_corp-celery:${BRANCH_TAG} \
            -t state_corp-celery:${BRANCH_TAG}-${SHA_SHORT} \
            .

  push:
    name: Push to Gitea Registry
    runs-on: ubuntu-latest
    needs: [build]
    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/dev'

    steps:
      - name: Checkout code
        run: |
          set -euo pipefail
          REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|")
          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
          git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" .
          git checkout "${GITHUB_SHA}"

      - name: Build and push images
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          set -euo pipefail
          curl -sL https://github.com/google/go-containerregistry/releases/download/v0.19.0/go-containerregistry_Linux_x86_64.tar.gz | tar xz crane
          chmod +x crane

          BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g')
          SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7)
          REGISTRY_HOST="10.10.0.10:3000"
          REGISTRY="${REGISTRY_HOST}/${{ github.repository_owner }}"

          echo "${REGISTRY_PASSWORD}" | ./crane auth login --insecure "${REGISTRY_HOST}" -u "${REGISTRY_USER}" --password-stdin

          docker build -f ./docker/Dockerfile --target runtime-web -t state_corp-web:local .
          docker save state_corp-web:local -o /tmp/web.tar
          ./crane push --insecure /tmp/web.tar "${REGISTRY}/state_corp-web:${BRANCH_TAG}"
          ./crane push --insecure /tmp/web.tar "${REGISTRY}/state_corp-web:${BRANCH_TAG}-${SHA_SHORT}"
          if [ "${GITHUB_REF_NAME}" = "main" ]; then
            ./crane push --insecure /tmp/web.tar "${REGISTRY}/state_corp-web:latest"
          fi

          docker build -f ./docker/Dockerfile --target runtime-celery -t state_corp-celery:local .
          docker save state_corp-celery:local -o /tmp/celery.tar
          ./crane push --insecure /tmp/celery.tar "${REGISTRY}/state_corp-celery:${BRANCH_TAG}"
          ./crane push --insecure /tmp/celery.tar "${REGISTRY}/state_corp-celery:${BRANCH_TAG}-${SHA_SHORT}"
          if [ "${GITHUB_REF_NAME}" = "main" ]; then
            ./crane push --insecure /tmp/celery.tar "${REGISTRY}/state_corp-celery:latest"
          fi

  deploy:
    name: Deploy to Server
    runs-on: ubuntu-latest
    needs: [push]
    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/dev'

    steps:
      - name: Checkout code
        run: |
          set -euo pipefail
          REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|")
          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
          git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" .
          git checkout "${GITHUB_SHA}"

      - name: Deploy via SSH
        env:
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          set -euo pipefail
          BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g')

          mkdir -p ~/.ssh
          echo "${DEPLOY_SSH_KEY}" | base64 -d > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null

          scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no docker-compose.prod.yml "${DEPLOY_USER}@${DEPLOY_HOST}:/opt/state-corp-backend/"

          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" "
            set -euo pipefail
            cd /opt/state-corp-backend
            echo '${REGISTRY_PASSWORD}' | docker login --username '${REGISTRY_USER}' --password-stdin 10.10.0.10:3000
            export IMAGE_TAG=${BRANCH_TAG}
            docker compose -f docker-compose.prod.yml pull web celery_worker celery_beat
            docker compose -f docker-compose.prod.yml down --remove-orphans || true
            docker compose -f docker-compose.prod.yml up -d
            docker image prune -f
          "