core/.github/workflows/prod-build-deploy-bat-worker.yml at dev · swamphacks/core · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
name: Deploy BAT Worker to Production

on:
  push:
    branches:
      - master
    paths:
      - 'apps/api/**'
      - 'infra/docker-compose.api.yml'
  workflow_dispatch:

permissions:
  contents: read
  packages: write

jobs:
  build-and-push:
    name: Build and Push Docker Image to GHCR
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Docker image
        run: |
          docker build \
            --target prod \
            -f ./apps/api/cmd/BAT_worker/Dockerfile \
            -t ghcr.io/${{ github.repository_owner }}/core-bat-worker:latest \
            ./apps/api
          docker push ghcr.io/${{ github.repository_owner }}/core-bat-worker:latest

  run-migrations:
    name: Run Goose Migrations
    runs-on: ubuntu-latest
    needs: build-and-push

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Goose
        run: |
          curl -fsSL https://raw.githubusercontent.com/pressly/goose/master/install.sh | sh

      - name: Run migrations
        run: |
          goose -dir ./apps/api/internal/db/migrations postgres "${{ secrets.PROD_DB_URL }}" up

  deploy:
    name: Deploy to Production Server
    runs-on: ubuntu-latest
    needs: [build-and-push, run-migrations]

    steps:
      - name: SSH proxy command
        uses: appleboy/ssh-action@v1
        with:
          host: ${{ secrets.API_HOST }}
          username: root
          password: ${{ secrets.API_PASSWORD }}
          script: |
            cd /root/core/infra
            git fetch
            git checkout master
            git reset --hard origin/master
            git pull

            export INFISICAL_TOKEN=$(infisical login \
              --method=universal-auth \
              --client-id='${{ secrets.INFISICAL_CLIENT_ID }}' \
              --client-secret='${{ secrets.INFISICAL_CLIENT_SECRET }}' \
              --silent \
              --plain)

            infisical export \
              --token=$INFISICAL_TOKEN \
              --env=prod \
              --format=dotenv \
              --path="/api" \
              --projectId='${{ secrets.INFISICAL_PROJECT_ID }}' \
              > ./secrets/.env.api

            docker compose -f docker-compose.api.yml pull bat-worker
            docker compose -f docker-compose.api.yml up -d --no-deps --force-recreate bat-worker