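name: Build and Deploy Frontend
# ==============================================================================
# 🚀 SvcWatch Frontend Deployment Workflow
# ==============================================================================
# ⚠️ MIGRATION & SETUP CHECKS:
# When moving to a new server, ensure these are configured in GitHub Settings:
#
# 1️⃣ REPOSITORY SECRETS (Settings → Secrets and variables → Actions → Secrets)
#   - SERVER_SSH_KEY : (Private Key) Must be authorized on the target server.
#   - FRONTEND_HOST  : IP address or hostname of the frontend server.
#   - FRONTEND_USER  : SSH username (e.g. ubuntu).
#
# 2️⃣ SERVER PREREQUISITES:
#   - DNS must point watch.dongyuhan.com to the FRONTEND_HOST IP.
#   - SSL cert must be issued via: sudo certbot --nginx -d watch.dongyuhan.com
#   - User must have passwordless sudo for Nginx reloads.
#
# 3️⃣ SECURITY NOTES (review):
#   - SERVER_SSH_KEY is handed to third-party actions (appleboy/*). They are
#     referenced at a mutable ref (@master); pin each one to a reviewed full
#     commit SHA, e.g. appleboy/ssh-action@<FULL_COMMIT_SHA>, so that an
#     upstream change cannot run with the deploy key unreviewed.
#   - Use a deploy-only key pair for SERVER_SSH_KEY and scope the sudoers rule
#     to the commands this workflow runs (chmod, test, install, nginx) instead
#     of blanket passwordless sudo.
#   - Both appleboy actions accept a `fingerprint` input for host-key
#     verification; consider setting it from a secret.
# ==============================================================================

on:
  push:
    branches: ["main"]
    paths:
      - "frontend/**"
      - ".github/workflows/deploy-frontend.yml"

# Least privilege for GITHUB_TOKEN: neither job writes to the repository.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: frontend/package-lock.json

      - name: Install dependencies
        working-directory: frontend
        # `npm ci` installs exactly what package-lock.json records and fails if
        # the lockfile and package.json disagree, so the deployed bundle is
        # built from reviewed dependency versions.
        run: npm ci

      - name: Build frontend
        working-directory: frontend
        run: npm run build

      - name: Upload frontend artifact
        uses: actions/upload-artifact@v4
        with:
          name: frontend-dist
          path: frontend/dist

  deploy:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The steps below run third-party actions in this workspace; keep
          # the token out of .git/config.
          persist-credentials: false

      - name: Download frontend dist
        uses: actions/download-artifact@v4
        with:
          name: frontend-dist
          path: ./dist

      - name: Ensure target directory exists on server
        # NOTE(review): mutable ref; pin to a full commit SHA (see header).
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.FRONTEND_HOST }}
          username: ${{ secrets.FRONTEND_USER }}
          key: ${{ secrets.SERVER_SSH_KEY }}
          script: |
            mkdir -p /home/${{ secrets.FRONTEND_USER }}/app/frontend

      - name: Copy frontend dist to server
        # NOTE(review): mutable ref; pin to a full commit SHA (see header).
        uses: appleboy/scp-action@master
        with:
          host: ${{ secrets.FRONTEND_HOST }}
          username: ${{ secrets.FRONTEND_USER }}
          key: ${{ secrets.SERVER_SSH_KEY }}
          source: "dist/*"
          target: "/home/${{ secrets.FRONTEND_USER }}/app/frontend"

      - name: Configure Nginx & Reload
        # NOTE(review): mutable ref; pin to a full commit SHA (see header).
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.FRONTEND_HOST }}
          username: ${{ secrets.FRONTEND_USER }}
          key: ${{ secrets.SERVER_SSH_KEY }}
          script: |
            # Stop at the first failing command so a rejected config or a
            # failed reload fails the job instead of printing the success line.
            set -eu

            DOMAIN="watch.dongyuhan.com"
            CERT_DIR="/etc/letsencrypt/live/$DOMAIN"
            USER_HOME="/home/${{ secrets.FRONTEND_USER }}"
            APP_DIR="$USER_HOME/app/frontend"
            FRONTEND_DIR="$APP_DIR/dist"
            CONF_DST="/etc/nginx/conf.d/svcwatch-frontend.conf"

            # Service URLs (Matched to production requirements)
            PASSPORT_SERVICE_URL="http://127.0.0.1:8089"
            BACKEND_SERVICE_URL="http://127.0.0.1:8081"

            # Fix permissions: Nginx needs +x on the home dir and read access
            # to the app dir. Capital X adds the execute bit to directories
            # only (and to files that already have it), so static assets are
            # not all marked executable as a blanket 755 would do.
            sudo chmod +x "$USER_HOME"
            sudo chmod -R u=rwX,go=rX "$APP_DIR"

            if sudo test -f "$CERT_DIR/fullchain.pem"; then
              # Stage the config in a private, unpredictable temp file. A fixed
              # name in /tmp can be pre-created or symlinked by another local
              # user before root copies it into /etc/nginx.
              CONF_TMP="$(mktemp)"
              trap 'rm -f "$CONF_TMP"' EXIT

              cat > "$CONF_TMP" << NGINX_EOF
            server {
                listen 443 ssl;
                listen [::]:443 ssl;
                server_name $DOMAIN;

                ssl_certificate $CERT_DIR/fullchain.pem;
                ssl_certificate_key $CERT_DIR/privkey.pem;
                include /etc/letsencrypt/options-ssl-nginx.conf;
                ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

                root $FRONTEND_DIR;
                index index.html;

                location / {
                    try_files \$uri \$uri/ /index.html;
                }

                # Proxy to Passport Service
                location /api/passport/ {
                    proxy_pass $PASSPORT_SERVICE_URL/api/v1/;
                    proxy_set_header Host \$host;
                    proxy_set_header X-Real-IP \$remote_addr;
                    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto \$scheme;
                }

                # Proxy to Backend Service
                location /api/sev/ {
                    proxy_pass $BACKEND_SERVICE_URL/api/v1/sev/;
                    proxy_set_header Host \$host;
                    proxy_set_header X-Real-IP \$remote_addr;
                    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto \$scheme;
                }
            }
            NGINX_EOF

              # install sets owner and mode explicitly instead of inheriting
              # them from the staging file.
              sudo install -m 0644 "$CONF_TMP" "$CONF_DST"

              # With `set -e`, a failed syntax check aborts here with a
              # non-zero status. The rejected file stays at $CONF_DST and must
              # be fixed before the next nginx reload or restart.
              sudo nginx -t
              sudo nginx -s reload
              echo "✅ Nginx configured for https://$DOMAIN"
            else
              echo "⚠️ SSL cert not found for $DOMAIN — skipping nginx config."
              echo " Run: sudo certbot --nginx -d $DOMAIN to issue the cert."
            fi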