101 lines
4.0 KiB
YAML
101 lines
4.0 KiB
YAML
name: Deploy (stellaamor)
|
|
|
|
on:
|
|
push:
|
|
branches: [ "main" ]
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: [ mainhost ] # must match your runner label (e.g. mainhost:host)
|
|
env:
|
|
SSH_HOST: ${{ secrets.SSH_HOST }}
|
|
SSH_USER: ${{ secrets.SSH_USER }}
|
|
SSH_KEY_PATH: ~/.ssh/deploy_stellaamor
|
|
SSH_OPTS: >-
|
|
-o BatchMode=yes -o IdentitiesOnly=yes -o NumberOfPasswordPrompts=0
|
|
-o ServerAliveInterval=15 -o ServerAliveCountMax=3
|
|
-o ConnectTimeout=20 -o StrictHostKeyChecking=no
|
|
APP_ROOT: /var/www/stellaamor
|
|
UPLOADS_DIR: uploads
|
|
KEEP_N: "5"
|
|
HEALTH_URL: https://stellaamor.com/
|
|
SERVICE_RELOAD: "systemctl reload apache2 || true"
|
|
|
|
steps:
|
|
- name: Checkout (pure git)
|
|
run: |
|
|
git init
|
|
git remote add origin "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
|
|
git fetch --depth=1 origin "$GITHUB_SHA"
|
|
git checkout -q "$GITHUB_SHA"
|
|
|
|
- name: Write SSH key
|
|
env:
|
|
SSH_KEY_STELLAAMOR: ${{ secrets.SSH_KEY_STELLAAMOR }}
|
|
run: |
|
|
install -m 700 -d ~/.ssh
|
|
umask 177
|
|
printf '%s' "$SSH_KEY_STELLAAMOR" > ~/.ssh/deploy_stellaamor
|
|
chmod 600 ~/.ssh/deploy_stellaamor
|
|
|
|
- name: Validate private key & show fingerprint
|
|
run: |
|
|
set -euo pipefail
|
|
ls -l ~/.ssh
|
|
# Check permissions
|
|
test -f ~/.ssh/deploy_stellaamor && chmod 600 ~/.ssh/deploy_stellaamor
|
|
# Fail if the key is passphrase-protected (ssh-keygen -y would prompt/fail)
|
|
if ! PUB=$(ssh-keygen -y -f ~/.ssh/deploy_stellaamor 2>/dev/null); then
|
|
echo "❌ The private key appears to be passphrase-protected or invalid."
|
|
exit 1
|
|
fi
|
|
echo "$PUB" > ~/.ssh/deploy_stellaamor.pub
|
|
ssh-keygen -lf ~/.ssh/deploy_stellaamor.pub
|
|
|
|
|
|
|
|
- name: SSH smoke test
|
|
run: ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} true
|
|
|
|
- name: Upload & activate atomically
|
|
run: |
|
|
set -euo pipefail
|
|
REL="$(date -u +%Y%m%d-%H%M%SZ)-${{ github.sha }}"
|
|
echo "REL=$REL" >> $GITHUB_ENV
|
|
TAR="/tmp/${REL}.tar.gz"
|
|
APP="${{ env.APP_ROOT }}"
|
|
SHARED="${APP}/shared"
|
|
RELEASES="${APP}/releases"
|
|
CUR="${APP}/current"
|
|
UPLOADS="${{ env.UPLOADS_DIR }}"
|
|
|
|
tar -czf "$TAR" --exclude-vcs --exclude='./node_modules' --exclude="./${UPLOADS}" --exclude='./release' .
|
|
mkdir -p release && mv "$TAR" "release/${REL}.tar.gz"
|
|
|
|
ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} \
|
|
"set -e; sudo install -d -o ${SSH_USER} -g ${SSH_USER} -m 755 ${RELEASES} ${SHARED} ${SHARED}/${UPLOADS}"
|
|
|
|
scp -O $SSH_OPTS -vvv -i "$SSH_KEY_PATH" "release/${REL}.tar.gz" ${SSH_USER}@${SSH_HOST}:/tmp/${REL}.tar.gz
|
|
|
|
ssh $SSH_OPTS -i "$SSH_KEY_PATH" ${SSH_USER}@${SSH_HOST} '
|
|
set -euo pipefail
|
|
REL="'${REL}'"; APP="'${APP}'"; SHARED="'${SHARED}'"; RELEASES="'${RELEASES}'"; CUR="'${CUR}'"; UPLOADS="'${UPLOADS}'";
|
|
NEW="${RELEASES}/${REL}"
|
|
mkdir -p "${NEW}"
|
|
tar -xzf "/tmp/${REL}.tar.gz" -C "${NEW}" && rm -f "/tmp/${REL}.tar.gz"
|
|
rm -rf "${NEW}/${UPLOADS}" && ln -s "${SHARED}/${UPLOADS}" "${NEW}/${UPLOADS}"
|
|
[ -f "${SHARED}/.env" ] && ln -sf "${SHARED}/.env" "${NEW}/.env" || true
|
|
printf "sha=%s\nbuilt_at=%s\n" "'${{ github.sha }}'" "$(date -u +%FT%TZ)" > "${NEW}/RELEASE"
|
|
PREV="$(readlink -f "${CUR}" || true)"
|
|
ln -sfn "${NEW}" "${CUR}"
|
|
'"${{ env.SERVICE_RELOAD }}"' >/dev/null 2>&1 || true
|
|
if command -v curl >/dev/null 2>&1; then
|
|
curl -fsS --max-time 5 "'"${{ env.HEALTH_URL }}"'" >/dev/null || {
|
|
echo "Health check failed, rolling back..."
|
|
[ -n "${PREV}" ] && ln -sfn "${PREV}" "${CUR}" && '"${{ env.SERVICE_RELOAD }}"' >/dev/null 2>&1 || true
|
|
exit 1
|
|
}
|
|
fi
|
|
cd "${RELEASES}" && ls -1tr | head -n -'${{ env.KEEP_N }}' | xargs -r -I{} rm -rf "{}"
|
|
'
|