|
| 1 | +name: CI-CD (Production) |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + inputs: |
| 6 | + logLevel: |
| 7 | + description: 'Log Level' |
| 8 | + required: false |
| 9 | + default: 'warning' |
| 10 | + environment: |
| 11 | + description: 'Environment to deploy' |
| 12 | + required: false |
| 13 | + default: 'staging' |
| 14 | + |
| 15 | +concurrency: |
| 16 | + group: deploy-to-droplet |
| 17 | + cancel-in-progress: true |
| 18 | + |
| 19 | +jobs: |
| 20 | + deploy: |
| 21 | + environment: staging |
| 22 | + |
| 23 | + runs-on: ubuntu-latest |
| 24 | + |
| 25 | + steps: |
| 26 | + - uses: actions/checkout@v4 |
| 27 | + |
| 28 | + - name: Set up Node |
| 29 | + uses: actions/setup-node@v4 |
| 30 | + with: |
| 31 | + node-version: 20 |
| 32 | + cache: npm |
| 33 | + cache-dependency-path: ${{ vars.FRONTEND_DIR }}/package-lock.json |
| 34 | + |
| 35 | + - name: Build UI |
| 36 | + working-directory: ${{ vars.FRONTEND_DIR }} |
| 37 | + run: | |
| 38 | + npm ci |
| 39 | + npm run build |
| 40 | +
|
| 41 | + - name: Upload backend code via SCP |
| 42 | + |
| 43 | + with: |
| 44 | + host: ${{ vars.URL }} |
| 45 | + username: ${{ secrets.SSH_USER }} |
| 46 | + key: ${{ secrets.SSH_KEY }} |
| 47 | + source: ${{ vars.BACKEND_DIR }}/ |
| 48 | + target: ${{ vars.REMOTE_APP_DIR }} |
| 49 | + rm: true |
| 50 | + |
| 51 | + - name: Upload frontend code via SCP |
| 52 | + |
| 53 | + with: |
| 54 | + host: ${{ vars.URL }} |
| 55 | + username: ${{ secrets.SSH_USER }} |
| 56 | + key: ${{ secrets.SSH_KEY }} |
| 57 | + source: ${{ vars.FRONTEND_DIR }}/dist |
| 58 | + target: ${{ vars.REMOTE_APP_DIR }} |
| 59 | + rm: false # Otherwise we wipe out the backend code |
| 60 | + |
| 61 | + - name: Bootstrap on droplet |
| 62 | + |
| 63 | + with: |
| 64 | + host: ${{ vars.URL }} |
| 65 | + username: ${{ secrets.SSH_USER }} |
| 66 | + key: ${{ secrets.SSH_KEY }} |
| 67 | + script: | |
| 68 | + set -e |
| 69 | + cd ${{ vars.REMOTE_APP_DIR }}/backend/ |
| 70 | + |
| 71 | + # Install uv (fast installer from Astral) if it isn't there |
| 72 | + if ! command -v uv >/dev/null 2>&1; then |
| 73 | + curl -LsSf https://astral.sh/uv/install.sh | sh |
| 74 | + export PATH="$HOME/.local/bin:$PATH" |
| 75 | + fi |
| 76 | + |
| 77 | + # Sync dependencies directly from pyproject.toml |
| 78 | + uv sync |
| 79 | + |
| 80 | + # Inject environment secrets |
| 81 | + sudo mkdir -p /etc/tenantfirstaid |
| 82 | + sudo chmod 750 /etc/tenantfirstaid |
| 83 | + sudo chown root:root /etc/tenantfirstaid |
| 84 | + cat > /etc/tenantfirstaid/env <<EOF |
| 85 | + ENV=${{ vars.ENV }} |
| 86 | + OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} |
| 87 | + FLASK_SECRET_KEY=${{ secrets.FLASK_SECRET_KEY }} |
| 88 | + DB_HOST=${{secrets.DB_HOST}} |
| 89 | + DB_PASSWORD=${{secrets.DB_PASSWORD}} |
| 90 | + DB_PORT=${{vars.DB_PORT}} |
| 91 | + DB_USER=default |
| 92 | + MODEL_REASONING_EFFORT=high |
| 93 | + VECTOR_STORE_ID=${{secrets.VECTOR_STORE_ID}} |
| 94 | + EOF |
| 95 | + chmod 640 /etc/tenantfirstaid/env |
| 96 | + |
| 97 | + # Ownership, restart, reload |
| 98 | + sudo chown -R $USER:www-data ${{ vars.REMOTE_APP_DIR }} |
| 99 | + sudo systemctl restart ${{ vars.SERVICE_NAME }} |
| 100 | + sudo systemctl reload nginx |
0 commit comments