ci: automated GHCR + EC2 deployment with QA gating#458
Open
saqibmanan wants to merge 5 commits into
Open
Conversation
deploy.yml: on push to dev/main, build & push the runner image to GHCR (baking NEXT_PUBLIC_* from environment secrets), SSH to the environment's EC2 host and run docker compose pull/up; on dev, trigger the QA smoke suite and wait. qa-gate.yml: on PR to main, run the QA full regression against dev and block merge until green (set as required check).
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
…ntain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
jpmckinney
reviewed
Jun 12, 2026
Collaborator
There was a problem hiding this comment.
The workflow hardcodes CivicDataLab for QA automation so any forks of the IDS-DRR ecosystem for DPG adaptation will have to edit this workflow manually. Please review for reuse outside CDL (I haven’t checked if the workflow still works without eg all secrets and vars configured).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds automated deployment + QA gating via GitHub Actions.
deploy.yml— on push todev/main(i.e. on merge): build image → push to GHCR → SSH into the environment's EC2 host anddocker compose pull+up -d. Ondevit then triggers the QA smoke suite against the dev env and waits (theSmoke (dev)check is green only if smoke passes).qa-gate.yml— on PRdev → main: triggers the QA full regression against the dev env and blocks the merge until it passes.Branch → environment:
dev→development(tag:dev),main→production(tag:prod). Each push also publishes an immutable:<sha>tag for rollback.The QA suite lives in CivicDataLab/IDS-DRR-QA-Automation and is reused as-is (its
dispatch.ymlis triggered and awaited — no changes there).Required setup before this works
GitHub Environments
developmentandproduction, each with secrets:EC2_HOST,EC2_USER,EC2_SSH_KEY,DEPLOY_PATH(dir on host containingdocker-compose.yml)NEXT_PUBLIC_BACKEND_URL,NEXT_PUBLIC_DATA_MANAGEMENT_LAYER_URL(baked into the image at build time, per environment)Repo-level:
QA_REPO_PAT— PAT withactions: read+write(+contents:read) onIDS-DRR-QA-Automation(classic:repo+workflow)COMPOSE_SERVICE— the service name in the hostdocker-compose.yml(e.g.frontend)main: require theqa-gatestatus checkOn each EC2 host: docker + compose v2, the SSH key authorized, and a
docker-compose.ymlatDEPLOY_PATHwhose image isghcr.io/civicdatalab/ids-drr-frontend:<dev|prod>.