admin/the-pet-loft
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
777c3b34bc5a10b785531ccb8960ac7a46a2f17a
the-pet-loft/.gitea/workflows/deploy-staging.yml
ianshaloom 777c3b34bc
All checks were successful
Deploy — Staging / Detect changed apps (push) Successful in 16s
Details
Deploy — Staging / Lint, Typecheck & Test (push) Successful in 1m29s
Details
Deploy — Staging / Build & push — storefront (push) Has been skipped
Details
Deploy — Staging / Build & push — admin (push) Has been skipped
Details
Deploy — Staging / Deploy to staging VPS (push) Has been skipped
Details
fix(ci): replace dynamic matrix with explicit per-app jobs 
Gitea Actions does not evaluate fromJson() in matrix strategy — matrix.app
was always empty, breaking turbo prune. Replaced with two explicit jobs
(build-storefront, build-admin) each with a plain if: condition.

The deploy job uses always() + !contains(needs.*.result, 'failure') so it
runs when either build succeeded and skips when a build was cancelled/failed.
Parallelism is preserved — both apps still build simultaneously when both change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-08 16:35:10 +03:00

259 lines
11 KiB
YAML
Raw Blame History

name: Deploy — Staging
on:
push:
branches:
- staging
# Gitea Actions has no environment-level secrets (unlike GitHub Actions).
# Staging and production secrets live at repo level, distinguished by prefix.
# Production workflow uses the same names with PROD_ prefix.
#
# Required secrets (repo → Settings → Secrets and Variables → Actions):
# STAGING_REGISTRY — host:port/owner
# STAGING_REGISTRY_USER — Gitea username
# STAGING_REGISTRY_TOKEN — Gitea PAT (package:write)
# STAGING_SSH_HOST — host.containers.internal
# STAGING_SSH_USER — SSH user on the VPS
# STAGING_SSH_KEY — SSH private key (full PEM)
# STAGING_SSH_PORT — (optional) defaults to 22
# STAGING_NEXT_PUBLIC_CONVEX_URL
# STAGING_STOREFRONT_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
# STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
# STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME
# STAGING_NEXT_PUBLIC_CLOUDINARY_API_KEY
# STAGING_NEXT_PUBLIC_IMAGE_PROCESSING_API_URL
# STAGING_NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
# STAGING_STOREFRONT_CLERK_SECRET_KEY
# STAGING_ADMIN_CLERK_SECRET_KEY
# STAGING_CLOUDINARY_API_SECRET
jobs:
# ── 0. Detect changes ────────────────────────────────────────────────────────
# Determines which apps need to be rebuilt on this push.
# Shared paths (packages/, convex/, root config) mark both apps as changed.
changes:
name: Detect changed apps
runs-on: ubuntu-latest
outputs:
storefront: ${{ steps.detect.outputs.storefront }}
admin: ${{ steps.detect.outputs.admin }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 2
- name: Determine affected apps
id: detect
run: |
BASE=$(git rev-parse HEAD~1 2>/dev/null || git hash-object -t tree /dev/null)
CHANGED=$(git diff --name-only "$BASE" HEAD)
STOREFRONT=false
ADMIN=false
# Shared paths affect both apps
if echo "$CHANGED" | grep -qE '^(package\.json|package-lock\.json|turbo\.json|packages/|convex/)'; then
STOREFRONT=true
ADMIN=true
fi
echo "$CHANGED" | grep -q '^apps/storefront/' && STOREFRONT=true || true
echo "$CHANGED" | grep -q '^apps/admin/' && ADMIN=true || true
echo "storefront=${STOREFRONT}" >> "$GITHUB_OUTPUT"
echo "admin=${ADMIN}" >> "$GITHUB_OUTPUT"
# ── 1. CI ───────────────────────────────────────────────────────────────────
ci:
name: Lint, Typecheck & Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- run: npm ci
- run: npm run lint
- run: npm run type-check
- run: npm run test:once
# ── 2a. Build storefront ─────────────────────────────────────────────────────
build-storefront:
name: Build & push — storefront
needs: [ci, changes]
if: needs.changes.outputs.storefront == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- run: npm ci
- name: Prune workspace
run: |
npx turbo prune storefront --docker
cp -r convex out/full/convex
cp package-lock.json out/package-lock.json
- name: Authenticate with registry
run: |
mkdir -p ~/.docker
AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)
REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)
echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
- name: Build & push
env:
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.STAGING_STOREFRONT_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY }}
run: |
SHORT_SHA="${GITHUB_SHA::7}"
IMAGE="${{ secrets.STAGING_REGISTRY }}/storefront"
docker build \
-f apps/storefront/Dockerfile \
--build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY" \
--build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
--build-arg NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY" \
--load -t "${IMAGE}:staging" ./out
docker tag "${IMAGE}:staging" "${IMAGE}:sha-${SHORT_SHA}"
docker push "${IMAGE}:staging"
docker push "${IMAGE}:sha-${SHORT_SHA}"
# ── 2b. Build admin ──────────────────────────────────────────────────────────
build-admin:
name: Build & push — admin
needs: [ci, changes]
if: needs.changes.outputs.admin == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- run: npm ci
- name: Prune workspace
run: |
npx turbo prune admin --docker
cp -r convex out/full/convex
cp package-lock.json out/package-lock.json
- name: Authenticate with registry
run: |
mkdir -p ~/.docker
AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)
REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)
echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
- name: Build & push
env:
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME }}
NEXT_PUBLIC_CLOUDINARY_API_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_API_KEY }}
NEXT_PUBLIC_IMAGE_PROCESSING_API_URL: ${{ secrets.STAGING_NEXT_PUBLIC_IMAGE_PROCESSING_API_URL }}
run: |
SHORT_SHA="${GITHUB_SHA::7}"
IMAGE="${{ secrets.STAGING_REGISTRY }}/admin"
docker build \
-f apps/admin/Dockerfile \
--build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY" \
--build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
--build-arg NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME="$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME" \
--build-arg NEXT_PUBLIC_CLOUDINARY_API_KEY="$NEXT_PUBLIC_CLOUDINARY_API_KEY" \
--build-arg NEXT_PUBLIC_IMAGE_PROCESSING_API_URL="$NEXT_PUBLIC_IMAGE_PROCESSING_API_URL" \
--load -t "${IMAGE}:staging" ./out
docker tag "${IMAGE}:staging" "${IMAGE}:sha-${SHORT_SHA}"
docker push "${IMAGE}:staging"
docker push "${IMAGE}:sha-${SHORT_SHA}"
# ── 3. Deploy ────────────────────────────────────────────────────────────────
# Runs when at least one app changed and no build failed.
# `always()` is required so the job isn't auto-skipped when one build job
# was skipped (Gitea/GitHub skip downstream jobs of skipped jobs by default).
deploy:
name: Deploy to staging VPS
needs: [build-storefront, build-admin, changes]
if: |
always() &&
(needs.changes.outputs.storefront == 'true' || needs.changes.outputs.admin == 'true') &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Write SSH key
run: |
mkdir -p ~/.ssh
echo "${{ secrets.STAGING_SSH_KEY }}" > ~/.ssh/staging
chmod 600 ~/.ssh/staging
- name: Pull & restart containers on VPS
env:
REGISTRY: ${{ secrets.STAGING_REGISTRY }}
REGISTRY_USER: ${{ secrets.STAGING_REGISTRY_USER }}
REGISTRY_TOKEN: ${{ secrets.STAGING_REGISTRY_TOKEN }}
SSH_HOST: ${{ secrets.STAGING_SSH_HOST }}
SSH_USER: ${{ secrets.STAGING_SSH_USER }}
SSH_PORT: ${{ secrets.STAGING_SSH_PORT }}
CLERK_SECRET_KEY: ${{ secrets.STAGING_STOREFRONT_CLERK_SECRET_KEY }}
ADMIN_CLERK_SECRET_KEY: ${{ secrets.STAGING_ADMIN_CLERK_SECRET_KEY }}
CLOUDINARY_API_SECRET: ${{ secrets.STAGING_CLOUDINARY_API_SECRET }}
STOREFRONT_CHANGED: ${{ needs.changes.outputs.storefront }}
ADMIN_CHANGED: ${{ needs.changes.outputs.admin }}
run: |
REGISTRY_HOST=$(echo "$REGISTRY" | cut -d'/' -f1)
COMPOSE_B64=$(sed "s|\${REGISTRY}|${REGISTRY}|g" deploy/staging/compose.yml | base64 -w 0)
ssh -i ~/.ssh/staging \
-p "${SSH_PORT:-22}" \
-o StrictHostKeyChecking=accept-new \
"${SSH_USER}@${SSH_HOST}" bash -s << EOF
set -euo pipefail
echo "${REGISTRY_TOKEN}" \
| podman login "${REGISTRY_HOST}" \
-u "${REGISTRY_USER}" --password-stdin --tls-verify=false
[ "${STOREFRONT_CHANGED}" = "true" ] && podman pull --tls-verify=false "${REGISTRY}/storefront:staging"
[ "${ADMIN_CHANGED}" = "true" ] && podman pull --tls-verify=false "${REGISTRY}/admin:staging"
mkdir -p /opt/staging
echo "${COMPOSE_B64}" | base64 -d > /opt/staging/compose.yml
printf 'CLERK_SECRET_KEY=%s\nADMIN_CLERK_SECRET_KEY=%s\nCLOUDINARY_API_SECRET=%s\n' \
"${CLERK_SECRET_KEY}" "${ADMIN_CLERK_SECRET_KEY}" "${CLOUDINARY_API_SECRET}" \
> /opt/staging/.env
chmod 600 /opt/staging/.env
SERVICES=""
[ "${STOREFRONT_CHANGED}" = "true" ] && SERVICES="\${SERVICES} storefront"
[ "${ADMIN_CHANGED}" = "true" ] && SERVICES="\${SERVICES} admin"
cd /opt/staging
podman compose up -d --force-recreate --remove-orphans \${SERVICES}
podman image prune -f
EOF
Reference in New Issue View Git Blame Copy Permalink