Skip to content

ci: automated GHCR + EC2 deployment with QA gating#458

Open
saqibmanan wants to merge 5 commits into
devfrom
ci/deploy-workflow
Open

ci: automated GHCR + EC2 deployment with QA gating#458
saqibmanan wants to merge 5 commits into
devfrom
ci/deploy-workflow

Conversation

@saqibmanan

Copy link
Copy Markdown
Contributor

What

Adds automated deployment + QA gating via GitHub Actions.

  • deploy.yml — on push to dev/main (i.e. on merge): build image → push to GHCR → SSH into the environment's EC2 host and docker compose pull + up -d. On dev it then triggers the QA smoke suite against the dev env and waits (the Smoke (dev) check is green only if smoke passes).
  • qa-gate.yml — on PR dev → main: triggers the QA full regression against the dev env and blocks the merge until it passes.

Branch → environment: devdevelopment (tag :dev), mainproduction (tag :prod). Each push also publishes an immutable :<sha> tag for rollback.

The QA suite lives in CivicDataLab/IDS-DRR-QA-Automation and is reused as-is (its dispatch.yml is triggered and awaited — no changes there).

Required setup before this works

GitHub Environments development and production, each with secrets:

  • EC2_HOST, EC2_USER, EC2_SSH_KEY, DEPLOY_PATH (dir on host containing docker-compose.yml)
  • NEXT_PUBLIC_BACKEND_URL, NEXT_PUBLIC_DATA_MANAGEMENT_LAYER_URL (baked into the image at build time, per environment)

Repo-level:

  • secret QA_REPO_PAT — PAT with actions: read+write (+ contents:read) on IDS-DRR-QA-Automation (classic: repo + workflow)
  • variable COMPOSE_SERVICE — the service name in the host docker-compose.yml (e.g. frontend)
  • Branch protection on main: require the qa-gate status check

On each EC2 host: docker + compose v2, the SSH key authorized, and a docker-compose.yml at DEPLOY_PATH whose image is ghcr.io/civicdatalab/ids-drr-frontend:<dev|prod>.

GHCR packages default to private; the host login uses the run's GITHUB_TOKEN (has packages:read), so no extra pull credential is needed.

deploy.yml: on push to dev/main, build & push the runner image to GHCR
(baking NEXT_PUBLIC_* from environment secrets), SSH to the environment's
EC2 host and run docker compose pull/up; on dev, trigger the QA smoke
suite and wait.
qa-gate.yml: on PR to main, run the QA full regression against dev and
block merge until green (set as required check).
Comment thread .github/workflows/qa-gate.yml Fixed
@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

…ntain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

@jpmckinney jpmckinney left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow hardcodes CivicDataLab for QA automation so any forks of the IDS-DRR ecosystem for DPG adaptation will have to edit this workflow manually. Please review for reuse outside CDL (I haven’t checked if the workflow still works without eg all secrets and vars configured).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants