ci: migrate API build and deployment to gha

PierreJeanjacquot · PierreJeanjacquot · commit 4afe25b93b0d · 2025-07-17T11:55:05.000+02:00
diff --git a/.drone-consider b/.drone-consider
diff --git a/.github/workflows/api-deploy-release.yml b/.github/workflows/api-deploy-release.yml
@@ -0,0 +1,46 @@
+name: API deploy release
+description: Build and deploy the API when a release is published
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  get-version:
+    # only run for releases with tag 'iapp-api-v*' as created by release-please for API
+    if: startsWith(github.ref_name,'iapp-api-v')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Set publish version
+        id: set-publish-version
+        working-directory: api
+        run: |
+          VERSION=$(npm pkg get version | tr -d '"')
+          echo "VERSION=${VERSION}" | tee -a $GITHUB_OUTPUT
+    outputs:
+      version: ${{ steps.set-publish-version.outputs.VERSION }}
+
+  docker-publish:
+    if: startsWith(github.ref_name,'iapp-api-v')
+    needs: get-version
+    uses: ./.github/workflows/reusable-api-docker.yml
+    with:
+      tag: ${{ needs.get-version.outputs.version }}
+    secrets:
+      docker-username: ${{ secrets.DOCKERHUB_USERNAME }}
+      docker-password: ${{ secrets.DOCKERHUB_PAT }}
+
+  deploy:
+    if: startsWith(github.ref_name,'iapp-api-v')
+    needs: get-version
+    uses: ./.github/workflows/reusable-api-deploy.yml
+    with:
+      tag: ${{ needs.get-version.outputs.version }}
+    secrets:
+      host: ${{ secrets.API_HOST }}
diff --git a/.github/workflows/api-deploy-rollback.yml b/.github/workflows/api-deploy-rollback.yml
@@ -0,0 +1,19 @@
+name: API deploy rollback
+description: Rollback the API deployment to a previous version
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version Tag to rollback to'
+        required: true
+        type: string
+
+jobs:
+  deploy:
+    if: ${{ github.ref_name == 'main' }}
+    uses: ./.github/workflows/reusable-api-deploy.yml
+    with:
+      tag: ${{ inputs.version }}
+    secrets:
+      host: ${{ secrets.API_HOST }}
diff --git a/.github/workflows/api-docker-staging.yml b/.github/workflows/api-docker-staging.yml
@@ -0,0 +1,20 @@
+name: API docker publish staging
+description: Publish a staging version of the API on Docker Hub
+
+on:
+  workflow_dispatch:
+
+jobs:
+  compute-staging-version:
+    uses: ./.github/workflows/reusable-compute-staging-version.yml
+    with:
+      working-directory: api
+
+  docker-publish:
+    needs: compute-staging-version
+    uses: ./.github/workflows/reusable-api-docker.yml
+    with:
+      tag: ${{ needs.compute-staging-version.outputs.version }}
+    secrets:
+      docker-username: ${{ secrets.DOCKERHUB_USERNAME }}
+      docker-password: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/reusable-api-deploy.yml b/.github/workflows/reusable-api-deploy.yml
@@ -0,0 +1,85 @@
+name: deploy API
+description: reusable docker compose deployment workflow for this project
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: 'Tag of Docker Image to deploy'
+        required: true
+        type: string
+      host:
+        description: 'Remote host to deploy to'
+        required: true
+        type: string
+
+env:
+  IMAGE_NAME: 'iexechub/iexec-iapp-api'
+
+jobs:
+  deploy:
+    runs-on:
+      group: Azure_runners
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Verify SSH key exists on runner
+        run: |
+          if [ ! -f ~/.ssh/ghrunnerci ]; then
+            echo "SSH key not found at ~/.ssh/ghrunnerci on the runner"
+            exit 1
+          fi
+          chmod 600 ~/.ssh/ghrunnerci
+        shell: bash
+
+      - name: Add remote host to known_hosts
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keyscan ${{ inputs.host }} >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts
+        shell: bash
+
+      - name: Check for docker-compose.yml in workspace
+        run: |
+          if [ ! -f ./api/docker-compose.yml ]; then
+            echo "docker-compose.yml not found in the repository"
+            exit 1
+          fi
+        shell: bash
+
+      - name: Check image exists on Docker registry
+        run: |
+          if ! docker manifest inspect "${{ env.IMAGE_NAME }}:${{ inputs.tag }}"; then
+            echo "Docker image ${{ env.IMAGE_NAME }}:${{ inputs.tag }} not found on Docker registry"
+            exit 1
+          fi
+        shell: bash
+
+      - name: Prepare .env for Compose
+        run: |
+          printf "IMAGE_NAME=%s\nIMAGE_TAG=%s\n" "${{ env.IMAGE_NAME }}" "${{ inputs.tag }}"> .env
+        shell: bash
+
+      - name: Copy files to remote server
+        run: |
+          sudo scp -o StrictHostKeyChecking=no \
+              -i ~/.ssh/ghrunnerci \
+              ./api/docker-compose.yml ./.env \
+              ${{ inputs.host }}:/opt/iapp-api/
+        shell: bash
+
+      - name: Run Docker Compose on remote server
+        run: |
+          ssh -o StrictHostKeyChecking=no \
+              -i ~/.ssh/ghrunnerci \
+              ${{ inputs.host }} << 'EOF'
+            cd /opt/iapp-api
+            docker compose pull
+            docker compose down --remove-orphans
+            sleep 5
+            docker compose up -d
+          EOF
+        shell: bash
diff --git a/.github/workflows/reusable-api-docker.yml b/.github/workflows/reusable-api-docker.yml
@@ -27,8 +27,8 @@ jobs:
   docker-publish:
     uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.3.1
     with:
-      image-name: 'iexec-iapp-api'
-      registry: 'docker-regis.iex.ec'
+      image-name: 'iexechub/iexec-iapp-api'
+      registry: 'docker.io'
       dockerfile: 'api/Dockerfile'
       context: 'api'
       security-scan: true
diff --git a/api/.drone.yml b/api/.drone.yml
diff --git a/api/docker-compose.yml b/api/docker-compose.yml
@@ -1,12 +1,30 @@
 services:
-  iapp-api:
-    build:
-      context: .
-      dockerfile: Dockerfile
-    image: iapp-api
-    container_name: iapp-api
+  iapp:
+    image: ${IMAGE_NAME}:${TAG}
+    container_name: iapp
+    restart: unless-stopped
     ports:
       - '3000:3000'
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - ./.env:/app/.env
+      # .env.app already on the server
+      - ./.env.app:/app/.env
+    healthcheck:
+      test: ['CMD', 'curl', '-f', 'http://localhost:3000/health']
+      interval: 30s
+      timeout: 1m
+      retries: 3
+      start_period: 20s
+    labels:
+      - autoheal=true
+
+  autoheal:
+    image: willfarrell/autoheal:1.2.0
+    container_name: autoheal
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    restart: unless-stopped
+    environment:
+      - AUTOHEAL_START_PERIOD=20
+      - AUTOHEAL_INTERVAL=30
+      - AUTOHEAL_ONLY_MONITOR_RUNNING=true
