From 295793ad7f15bf2b8f6a9a21a12d931cef308d3c Mon Sep 17 00:00:00 2001 From: eddie Date: Wed, 8 Oct 2025 04:04:51 -0400 Subject: [PATCH] Update .gitea/workflows/deploy.yml --- .gitea/workflows/deploy.yml | 95 ++++++++++++++++--------------------- 1 file changed, 40 insertions(+), 55 deletions(-) diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index f92dfc5..455db36 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -2,71 +2,66 @@ name: Deploy (stellaamor) on: push: - branches: [ "main" ] # change if you use main + branches: [ "main" ] jobs: deploy: - runs-on: [ self-hosted, mainhost, docker ] + runs-on: [ mainhost, docker ] concurrency: group: deploy-stellaamor cancel-in-progress: false env: - # ---- required (set these as repo/org SECRETS) ---- - SSH_HOST: ${{ secrets.SSH_HOST }} # e.g. 192.168.122.50 (the stellaamor VM) - SSH_USER: ${{ secrets.SSH_USER }} # e.g. deploy - SSH_KEY: ${{ secrets.SSH_KEY }} # private key (ed25519), one line - # optional but recommended: known_hosts entry for your VM + SSH_HOST: ${{ secrets.SSH_HOST }} + SSH_USER: ${{ secrets.SSH_USER }} + SSH_KEY: ${{ secrets.SSH_KEY }} SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }} - # ---- repo-scoped settings (safe to commit) ---- - APP_ROOT: /var/www/stellaamor # base dir on the VM - UPLOADS_DIR: uploads # relative to shared/ - KEEP_N: "5" # how many releases to keep - HEALTH_URL: https://stellaamor.com/ # simple GET should return 200 + APP_ROOT: /var/www/stellaamor + UPLOADS_DIR: uploads + KEEP_N: "5" + HEALTH_URL: https://stellaamor.com/ SERVICE_RELOAD: "systemctl reload apache2 || true" steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout (pure git) + run: | + git init + git remote add origin "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" + git fetch --depth=1 origin "$GITHUB_SHA" + git checkout -q "$GITHUB_SHA" - # only build assets if you actually have a package.json with build script - - name: Maybe build frontend (Vue/etc) + # Build only if package.json exists — run Node inside a throwaway container + - name: Build frontend (if present) if: hashFiles('package.json') != '' - uses: actions/setup-node@v4 - with: - node-version: "20" - - name: npm ci - if: hashFiles('package.json') != '' - run: npm ci - - name: npm build - if: hashFiles('package.json') != '' - run: npm run build + run: | + docker run --rm -v "$PWD:/app" -w /app node:20 bash -lc " + npm ci + npm run build + " - name: Prepare release tarball run: | set -euo pipefail REL="$(date -u +%Y%m%d-%H%M%SZ)-${{ github.sha }}" echo "REL=$REL" >> $GITHUB_ENV - mkdir -p release - # include everything except VCS, node dev dirs, and your uploads (they live in shared/) - tar \ - --exclude-vcs \ - --exclude='./node_modules' \ - --exclude='./${{ env.UPLOADS_DIR }}' \ - -czf "release/${REL}.tar.gz" \ - . + UPLOADS="${{ env.UPLOADS_DIR }}" + tar --exclude-vcs --exclude='./node_modules' --exclude="./${UPLOADS}" \ + -czf "release/${REL}.tar.gz" . - name: Write SSH key run: | - umask 077 - printf "%s" "${SSH_KEY}" > ~/.ssh/id_ed25519 + set -eu + install -d -m 700 ~/.ssh + printf '%s\n' "${SSH_KEY}" > ~/.ssh/id_ed25519 + sed -i 's/\r$//' ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 if [ -n "${SSH_KNOWN_HOSTS}" ]; then - printf "%s\n" "${SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts + printf '%s\n' "${SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts + chmod 644 ~/.ssh/known_hosts else - # fall back only if you must (less secure) - echo "StrictHostKeyChecking no" >> ~/.ssh/config + printf 'StrictHostKeyChecking no\n' >> ~/.ssh/config fi - name: Upload & activate atomically @@ -78,47 +73,39 @@ jobs: SHARED="${APP}/shared" RELEASES="${APP}/releases" CUR="${APP}/current" + UPLOADS="${{ env.UPLOADS_DIR }}" # ensure layout exists ssh -i ~/.ssh/id_ed25519 ${SSH_USER}@${SSH_HOST} " set -e - sudo install -d -o ${SSH_USER} -g ${SSH_USER} -m 755 ${RELEASES} ${SHARED} - sudo install -d -o ${SSH_USER} -g ${SSH_USER} -m 755 ${SHARED}/${{ env.UPLOADS_DIR }} + sudo install -d -o ${SSH_USER} -g ${SSH_USER} -m 755 ${RELEASES} ${SHARED} ${SHARED}/${UPLOADS} " # upload tar scp -i ~/.ssh/id_ed25519 ${TAR} ${SSH_USER}@${SSH_HOST}:/tmp/${REL}.tar.gz - # unpack to new release, link shared, write metadata, flip symlink, reload, health check + # unpack, link shared, flip symlink, reload, health check, prune ssh -i ~/.ssh/id_ed25519 ${SSH_USER}@${SSH_HOST} ' set -euo pipefail - REL="'${REL}'"; APP="'${APP}'"; SHARED="'${SHARED}'"; RELEASES="'${RELEASES}'"; CUR="'${CUR}'"; + REL="'${REL}'"; APP="'${APP}'"; SHARED="'${SHARED}'"; RELEASES="'${RELEASES}'"; CUR="'${CUR}'"; UPLOADS="'${UPLOADS}'"; NEW="${RELEASES}/${REL}" mkdir -p "${NEW}" tar -xzf "/tmp/${REL}.tar.gz" -C "${NEW}" rm -f "/tmp/${REL}.tar.gz" - # link shared paths (uploads, env/config if you keep one there) - rm -rf "${NEW}/${UPLOADS_DIR:-'${{ env.UPLOADS_DIR }}'}" - ln -s "${SHARED}/${UPLOADS_DIR:-'${{ env.UPLOADS_DIR }}'}" "${NEW}/${UPLOADS_DIR:-'${{ env.UPLOADS_DIR }}'}" + rm -rf "${NEW}/${UPLOADS}" + ln -s "${SHARED}/${UPLOADS}" "${NEW}/${UPLOADS}" - # optional: link a shared .env if you use one - if [ -f "${SHARED}/.env" ]; then - ln -sf "${SHARED}/.env" "${NEW}/.env" - fi + if [ -f "${SHARED}/.env" ]; then ln -sf "${SHARED}/.env" "${NEW}/.env"; fi - # metadata printf "sha=%s\nbuilt_at=%s\n" "'${{ github.sha }}'" "$(date -u +%FT%TZ)" > "${NEW}/RELEASE" - # keep previous target for rollback PREV="$(readlink -f "${CUR}" || true)" ln -sfn "${NEW}" "${CUR}" - # reload services '"${{ env.SERVICE_RELOAD }}"' >/dev/null 2>&1 || true - # health check (simple GET) if command -v curl >/dev/null 2>&1; then curl -fsS --max-time 5 "'"${{ env.HEALTH_URL }}"'" >/dev/null || { echo "Health check failed, rolling back..." @@ -127,8 +114,6 @@ jobs: } fi - # prune old releases cd "${RELEASES}" ls -1tr | head -n -'${{ env.KEEP_N }}' | xargs -r -I{} rm -rf "{}" ' -