diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index ec164f3..3fec162 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -5,9 +5,6 @@ on:
 branches: ["production", "staging"]
 workflow_dispatch:
-env:
- SERVER_HOSTNAME: "dothq-org"
-
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -29,18 +26,53 @@ jobs:
 yarn build
 - name: Test
+ if: github.ref == 'refs/heads/production'
 run: |
 yarn dev &
 SERVER_PID=$!
- while ! nc -z localhost 3000; do
+ while ! nc -z localhost 3000; do
 sleep 0.1
 done
 yarn test
- deploy:
+ # Staging deployments
+ deploy-staging:
+ runs-on: ubuntu-latest
+ needs: build
+ if: github.ref == 'refs/heads/staging'
+ environment:
+ name: Staging
+ url: "http://dothq.local"
+ permissions:
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Deploy to staging server
+ uses: ./.github/actions/run-via-ssh
+ with:
+ ts_hostname: ${{ vars.SERVER_HOSTNAME }}
+ ts_oauth_client_id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+ ts_oauth_secret: ${{ secrets.TS_OAUTH_SECRET }}
+ ts_tags: tag:ci
+ ssh_username: ci
+ ssh_private_key: ${{ secrets.CI_PRIVATE_KEY }}
+ run: |
+ cd /app
+ git reset --hard
+ git pull
+ ./scripts/rebuild_docker.sh
+
+ # Production deployments
+ deploy-production:
 runs-on: ubuntu-latest
 needs: build
 if: github.ref == 'refs/heads/production'
+ environment:
+ name: Production
+ url: "https://www.dothq.org"
 permissions:
 contents: read
@@ -51,7 +83,7 @@ jobs:
 - name: Deploy to production server
 uses: ./.github/actions/run-via-ssh
 with:
- ts_hostname: ${{ env.SERVER_HOSTNAME }}
+ ts_hostname: ${{ vars.SERVER_HOSTNAME }}
 ts_oauth_client_id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
 ts_oauth_secret: ${{ secrets.TS_OAUTH_SECRET }}
 ts_tags: tag:ci
diff --git a/.github/workflows/renew.yml b/.github/workflows/renew.yml
index 7e4750d..244d9c2 100644
--- a/.github/workflows/renew.yml
+++ b/.github/workflows/renew.yml
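Review bot: The new deploy-staging job in the second hunk ships a build whose tests were skipped, because the same hunk gates the build job's Test step with `if: github.ref == 'refs/heads/production'` while deploy-staging only declares `needs: build`. If that is intentional, a comment above the `if:` such as `# tests run only on production; staging deploys unverified builds` records it; otherwise drop the condition or gate Test on both branches. The staging `run:` script also has no failure handling, so if `git pull` fails, `./scripts/rebuild_docker.sh` still rebuilds the old tree unless `./.github/actions/run-via-ssh` itself enables `-e`, which this diff cannot show; the renew.yml step it replaces chained its commands with `&&`, so starting both new scripts (here and in renew.yml's second hunk) with `set -euo pipefail` restores that behaviour. Both jobs now declare an `environment:` yet reference the same `secrets.CI_PRIVATE_KEY` and Tailscale OAuth client; if those are repository-level secrets, scoping them per environment keeps the staging host from carrying credentials that also reach production.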
@@ -1,16 +1,15 @@
-name: Renew certificates
+name: Renew production certificates
 on:
 workflow_dispatch:
 schedule:
 - cron: "0 5 * * *" # every day at 5am
-env:
- SERVER_ID: "32657111668989263"
-
 jobs:
 renew:
 runs-on: ubuntu-latest
+ environment:
+ name: Production
 permissions:
 contents: read
@@ -18,29 +17,15 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Retrieve server hostname
- run: |
- TS_JSON=$(curl "https://api.tailscale.com/api/v2/device/${{ env.SERVER_ID }}" -u "${{ secrets.TS_KEY }}:")
- HOSTNAME=$(echo $TS_JSON | jq -r '.name')
- echo "SERVER_HOSTNAME=$HOSTNAME" >> $GITHUB_ENV
-
- - name: Connect to Tailscale network
- uses: tailscale/github-action@v2
+ - name: Renew production certificates
+ uses: ./.github/actions/run-via-ssh
 with:
- oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
- oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
- tags: tag:ci
- version: "1.46.0"
-
- - name: Install SSH key
- run: |
- install -m 600 -D /dev/null ~/.ssh/id_rsa
- echo "${{ secrets.CI_PRIVATE_KEY }}" > ~/.ssh/id_rsa
- ssh-keyscan -H ${{ env.SERVER_HOSTNAME }} > ~/.ssh/known_hosts
-
- - name: Connect over SSH and deploy
- run: |
- ssh -t ci@${{ env.SERVER_HOSTNAME }} "cd /app && ./scripts/renew_certificates_docker.sh"
-
- - name: Nuke SSH keys
- run: rm -rf ~/.ssh
+ ts_hostname: ${{ vars.SERVER_HOSTNAME }}
+ ts_oauth_client_id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+ ts_oauth_secret: ${{ secrets.TS_OAUTH_SECRET }}
+ ts_tags: tag:ci
+ ssh_username: ci
+ ssh_private_key: ${{ secrets.CI_PRIVATE_KEY }}
+ run: |
+ cd /app
+ ./scripts/renew_certificates_docker.sh
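Review bot: `secrets.TS_KEY` and the Tailscale API lookup it authenticated disappear from this workflow in the second hunk, but nothing here shows that key being rotated or removed; if no other workflow still references it, it should be deleted from the repository secrets and revoked in Tailscale, since an unused API key is only a liability. The removed steps also show that host trust was established by `ssh-keyscan -H` at run time and that the private key was scrubbed in a final `Nuke SSH keys` step; both responsibilities now sit inside `./.github/actions/run-via-ssh`, which is outside this diff, so it is worth confirming that the action verifies the server's host key (a stored `known_hosts` entry is stronger than keyscan on every run) and still cleans up key material when the script fails. With `environment: name: Production` added in the first hunk, `vars.SERVER_HOSTNAME` must exist as a Production environment variable or a repository variable before the next scheduled run, otherwise `ts_hostname` expands to an empty string.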