334b507476
Fires on `v*` tag push. Tags the built images with the git tag so rollbacks are a one-liner (TAG=<previous> docker compose ... up -d). `up -d --wait` blocks until every service healthcheck reports healthy; a bad release fails the workflow rather than crash-looping silently. The .env.production file containing all Gitea secrets is removed in `if: always()` after the deploy step. Refs #497. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
80 lines
2.4 KiB
YAML
80 lines
2.4 KiB
YAML
name: release
|
|
|
|
# Builds and deploys the production environment on `v*` tag push.
|
|
# Runs on the self-hosted runner via Docker-out-of-Docker; images are
|
|
# tagged with the actual git tag (e.g. v1.0.0) so rollback is
|
|
# `TAG=<previous> docker compose -f docker-compose.prod.yml -p archiv-production up -d --wait`
|
|
#
|
|
# Production environment:
|
|
# - project name: archiv-production
|
|
# - host ports: backend 8080, frontend 3000
|
|
# - profile: (none) — mailpit is excluded; real SMTP relay is used
|
|
#
|
|
# Required Gitea secrets:
|
|
# PROD_POSTGRES_PASSWORD
|
|
# PROD_MINIO_PASSWORD
|
|
# PROD_MINIO_APP_PASSWORD
|
|
# PROD_OCR_TRAINING_TOKEN
|
|
# PROD_APP_ADMIN_USERNAME (CRITICAL: see docs/DEPLOYMENT.md)
|
|
# PROD_APP_ADMIN_PASSWORD (CRITICAL: locked in on first deploy)
|
|
# MAIL_HOST
|
|
# MAIL_PORT
|
|
# MAIL_USERNAME
|
|
# MAIL_PASSWORD
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "v*"
|
|
|
|
env:
|
|
DOCKER_BUILDKIT: "1"
|
|
|
|
jobs:
|
|
deploy-production:
|
|
runs-on: self-hosted
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Write production env file
|
|
run: |
|
|
cat > .env.production <<EOF
|
|
TAG=${{ gitea.ref_name }}
|
|
PORT_BACKEND=8080
|
|
PORT_FRONTEND=3000
|
|
APP_DOMAIN=archiv.raddatz.cloud
|
|
POSTGRES_PASSWORD=${{ secrets.PROD_POSTGRES_PASSWORD }}
|
|
MINIO_PASSWORD=${{ secrets.PROD_MINIO_PASSWORD }}
|
|
MINIO_APP_PASSWORD=${{ secrets.PROD_MINIO_APP_PASSWORD }}
|
|
OCR_TRAINING_TOKEN=${{ secrets.PROD_OCR_TRAINING_TOKEN }}
|
|
APP_ADMIN_USERNAME=${{ secrets.PROD_APP_ADMIN_USERNAME }}
|
|
APP_ADMIN_PASSWORD=${{ secrets.PROD_APP_ADMIN_PASSWORD }}
|
|
MAIL_HOST=${{ secrets.MAIL_HOST }}
|
|
MAIL_PORT=${{ secrets.MAIL_PORT }}
|
|
MAIL_USERNAME=${{ secrets.MAIL_USERNAME }}
|
|
MAIL_PASSWORD=${{ secrets.MAIL_PASSWORD }}
|
|
MAIL_SMTP_AUTH=true
|
|
MAIL_STARTTLS_ENABLE=true
|
|
APP_MAIL_FROM=noreply@raddatz.cloud
|
|
EOF
|
|
|
|
- name: Build images
|
|
run: |
|
|
docker compose \
|
|
-f docker-compose.prod.yml \
|
|
-p archiv-production \
|
|
--env-file .env.production \
|
|
build
|
|
|
|
- name: Deploy production
|
|
run: |
|
|
docker compose \
|
|
-f docker-compose.prod.yml \
|
|
-p archiv-production \
|
|
--env-file .env.production \
|
|
up -d --wait --remove-orphans
|
|
|
|
- name: Cleanup env file
|
|
if: always()
|
|
run: rm -f .env.production
|