59349dfe93
Runs daily at 02:00 (and on workflow_dispatch). Builds the prod compose stack with BuildKit, writes a transient .env.staging from Gitea secrets, then `docker compose up -d --wait` so the job fails loudly if any service's healthcheck never reports healthy. The --profile staging flag starts the mailpit catcher in place of a real SMTP relay; no production SMTP credentials touch the staging environment. The .env.staging file is cleaned up in `if: always()` to avoid leaving secrets in the runner workspace between runs. Refs #497. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
81 lines
2.4 KiB
YAML
81 lines
2.4 KiB
YAML
name: nightly
|
|
|
|
# Builds and deploys the staging environment from main every night.
|
|
# Runs on the self-hosted runner using Docker-out-of-Docker (the docker
|
|
# socket is mounted in), so `docker compose build` produces images on
|
|
# the host daemon and `docker compose up` consumes them directly — no
|
|
# registry hop.
|
|
#
|
|
# Staging environment isolation:
|
|
# - project name: archiv-staging
|
|
# - host ports: backend 8081, frontend 3001
|
|
# - profile: staging (starts mailpit instead of a real SMTP relay)
|
|
#
|
|
# Required Gitea secrets:
|
|
# STAGING_POSTGRES_PASSWORD
|
|
# STAGING_MINIO_PASSWORD
|
|
# STAGING_MINIO_APP_PASSWORD
|
|
# STAGING_OCR_TRAINING_TOKEN
|
|
# STAGING_APP_ADMIN_USERNAME
|
|
# STAGING_APP_ADMIN_PASSWORD
|
|
|
|
on:
|
|
schedule:
|
|
- cron: "0 2 * * *"
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
# Ensures the backend Dockerfile's `RUN --mount=type=cache` lines are
|
|
# honoured (Maven cache survives between runs).
|
|
DOCKER_BUILDKIT: "1"
|
|
|
|
jobs:
|
|
deploy-staging:
|
|
runs-on: self-hosted
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Write staging env file
|
|
run: |
|
|
cat > .env.staging <<EOF
|
|
TAG=nightly
|
|
PORT_BACKEND=8081
|
|
PORT_FRONTEND=3001
|
|
APP_DOMAIN=staging.raddatz.cloud
|
|
POSTGRES_PASSWORD=${{ secrets.STAGING_POSTGRES_PASSWORD }}
|
|
MINIO_PASSWORD=${{ secrets.STAGING_MINIO_PASSWORD }}
|
|
MINIO_APP_PASSWORD=${{ secrets.STAGING_MINIO_APP_PASSWORD }}
|
|
OCR_TRAINING_TOKEN=${{ secrets.STAGING_OCR_TRAINING_TOKEN }}
|
|
APP_ADMIN_USERNAME=${{ secrets.STAGING_APP_ADMIN_USERNAME }}
|
|
APP_ADMIN_PASSWORD=${{ secrets.STAGING_APP_ADMIN_PASSWORD }}
|
|
MAIL_HOST=mailpit
|
|
MAIL_PORT=1025
|
|
MAIL_USERNAME=
|
|
MAIL_PASSWORD=
|
|
MAIL_SMTP_AUTH=false
|
|
MAIL_STARTTLS_ENABLE=false
|
|
APP_MAIL_FROM=noreply@staging.raddatz.cloud
|
|
EOF
|
|
|
|
- name: Build images
|
|
run: |
|
|
docker compose \
|
|
-f docker-compose.prod.yml \
|
|
-p archiv-staging \
|
|
--env-file .env.staging \
|
|
--profile staging \
|
|
build
|
|
|
|
- name: Deploy staging
|
|
run: |
|
|
docker compose \
|
|
-f docker-compose.prod.yml \
|
|
-p archiv-staging \
|
|
--env-file .env.staging \
|
|
--profile staging \
|
|
up -d --wait --remove-orphans
|
|
|
|
- name: Cleanup env file
|
|
if: always()
|
|
run: rm -f .env.staging
|