Marc Mintel
bcf2d60da6
Some checks failed
Build & Deploy / 🔍 Prepare (push) Successful in 9s
Build & Deploy / 🧪 QA (push) Successful in 3m26s
Build & Deploy / 🏗️ Build (push) Successful in 4m5s
Build & Deploy / 🚀 Deploy (push) Successful in 36s
Build & Deploy / 🧪 Smoke Test (push) Successful in 52s
Build & Deploy / 🛡️ Quality Gates (push) Successful in 1m42s
Build & Deploy / 🔔 Notify (push) Has been cancelled
Build & Deploy / ♿ WCAG (push) Has been cancelled
Build & Deploy / ⚡ Lighthouse (push) Has been cancelled
645 lines
32 KiB
YAML
645 lines
32 KiB
YAML
name: Build & Deploy
|
||
|
||
on:
|
||
push:
|
||
branches:
|
||
- '**'
|
||
tags:
|
||
- 'v*'
|
||
workflow_dispatch:
|
||
inputs:
|
||
skip_checks:
|
||
description: 'Skip tests? (true/false)'
|
||
required: false
|
||
default: 'false'
|
||
|
||
env:
|
||
PUPPETEER_SKIP_DOWNLOAD: "true"
|
||
|
||
concurrency:
|
||
group: ${{ github.workflow }}-${{ (github.ref_type == 'tag' && !contains(github.ref_name, '-')) && 'prod' || (github.ref_name == 'main' && 'testing' || github.ref_name) }}
|
||
cancel-in-progress: true
|
||
|
||
jobs:
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# JOB 1: Prepare Environment
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
prepare:
|
||
name: 🔍 Prepare
|
||
runs-on: docker
|
||
outputs:
|
||
target: ${{ steps.determine.outputs.target }}
|
||
image_tag: ${{ steps.determine.outputs.image_tag }}
|
||
env_file: ${{ steps.determine.outputs.env_file }}
|
||
traefik_host: ${{ steps.determine.outputs.traefik_host }}
|
||
traefik_rule: ${{ steps.determine.outputs.traefik_rule }}
|
||
next_public_url: ${{ steps.determine.outputs.next_public_url }}
|
||
directus_url: ${{ steps.determine.outputs.directus_url }}
|
||
project_name: ${{ steps.determine.outputs.project_name }}
|
||
short_sha: ${{ steps.determine.outputs.short_sha }}
|
||
container:
|
||
image: catthehacker/ubuntu:act-latest
|
||
steps:
|
||
- name: 🧹 Maintenance (High Density Cleanup)
|
||
shell: bash
|
||
run: |
|
||
echo "Purging old build layers and dangling images..."
|
||
docker image prune -f
|
||
docker builder prune -f --filter "until=6h"
|
||
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v4
|
||
with:
|
||
fetch-depth: 2
|
||
|
||
- name: 🔍 Environment ermitteln
|
||
id: determine
|
||
shell: bash
|
||
run: |
|
||
REF="${{ github.ref_name }}"
|
||
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
|
||
DOMAIN="klz-cables.com"
|
||
PRJ="klz"
|
||
|
||
if [[ "${{ github.ref_type }}" == "branch" && "$REF" == "main" ]]; then
|
||
TARGET="testing"
|
||
IMAGE_TAG="main-${SHORT_SHA}"
|
||
ENV_FILE=".env.testing"
|
||
TRAEFIK_HOST="testing.${DOMAIN}"
|
||
elif [[ "${{ github.ref_type }}" == "tag" ]]; then
|
||
if [[ "$REF" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
||
TARGET="production"
|
||
IMAGE_TAG="$REF"
|
||
ENV_FILE=".env.prod"
|
||
TRAEFIK_HOST="${DOMAIN}, www.${DOMAIN}"
|
||
else
|
||
TARGET="staging"
|
||
IMAGE_TAG="$REF"
|
||
ENV_FILE=".env.staging"
|
||
TRAEFIK_HOST="staging.${DOMAIN}"
|
||
fi
|
||
else
|
||
TARGET="branch"
|
||
SLUG=$(echo "$REF" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//')
|
||
IMAGE_TAG="branch-${SLUG}-${SHORT_SHA}"
|
||
ENV_FILE=".env.branch-${SLUG}"
|
||
TRAEFIK_HOST="${SLUG}.branch.mintel.me"
|
||
fi
|
||
|
||
# Standardize Traefik Rule
|
||
if [[ "$TRAEFIK_HOST" == *","* ]]; then
|
||
TRAEFIK_RULE=$(echo "$TRAEFIK_HOST" | sed 's/,/ /g' | awk '{for(i=1;i<=NF;i++) printf "Host(\"%s\")%s", $i, (i==NF?"":" || ")}')
|
||
PRIMARY_HOST=$(echo "$TRAEFIK_HOST" | cut -d',' -f1 | sed 's/ //g')
|
||
else
|
||
TRAEFIK_RULE="Host(\"$TRAEFIK_HOST\")"
|
||
PRIMARY_HOST="$TRAEFIK_HOST"
|
||
fi
|
||
|
||
{
|
||
echo "target=$TARGET"
|
||
echo "image_tag=$IMAGE_TAG"
|
||
echo "env_file=$ENV_FILE"
|
||
echo "traefik_host=$PRIMARY_HOST"
|
||
echo "traefik_rule=$TRAEFIK_RULE"
|
||
echo "next_public_url=https://$PRIMARY_HOST"
|
||
echo "directus_url=https://cms.$PRIMARY_HOST"
|
||
if [[ "$TARGET" == "production" ]]; then
|
||
echo "project_name=klz-cablescom"
|
||
else
|
||
echo "project_name=$PRJ-$TARGET"
|
||
fi
|
||
echo "short_sha=$SHORT_SHA"
|
||
} >> "$GITHUB_OUTPUT"
|
||
|
||
# ⏳ Wait for Upstream Packages/Images if Tagged
|
||
if [[ "${{ github.ref_type }}" == "tag" ]]; then
|
||
echo "🔎 Checking for @mintel dependencies in package.json..."
|
||
# Extract any @mintel/ version (they should be synced in monorepo)
|
||
UPSTREAM_VERSION=$(grep -o '"@mintel/.*": "[^"]*"' package.json | grep -v "next-utils" | cut -d'"' -f4 | sed 's/\^//; s/\~//' | sort -V | tail -1)
|
||
TAG_TO_WAIT="v$UPSTREAM_VERSION"
|
||
|
||
if [[ -n "$UPSTREAM_VERSION" && "$UPSTREAM_VERSION" != "workspace:"* ]]; then
|
||
# 1. Discovery (Works without token for public repositories)
|
||
UPSTREAM_SHA=$(git ls-remote --tags https://git.infra.mintel.me/mmintel/at-mintel.git "$TAG_TO_WAIT" | grep "$TAG_TO_WAIT" | tail -n1 | awk '{print $1}')
|
||
|
||
if [[ -z "$UPSTREAM_SHA" ]]; then
|
||
echo "❌ Error: Tag $TAG_TO_WAIT not found in mmintel/at-mintel."
|
||
exit 1
|
||
fi
|
||
echo "✅ Tag verified: Found upstream SHA $UPSTREAM_SHA for $TAG_TO_WAIT"
|
||
|
||
# 2. Status Check (Requires GITEA_PAT for cross-repo API access)
|
||
POLL_TOKEN="${{ secrets.GITEA_PAT || secrets.MINTEL_PRIVATE_TOKEN }}"
|
||
|
||
if [[ -n "$POLL_TOKEN" ]]; then
|
||
echo "⏳ GITEA_PAT found. Checking upstream build status..."
|
||
curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
|
||
"https://git.infra.mintel.me/mmintel/at-mintel/raw/branch/main/packages/infra/scripts/wait-for-upstream.sh" > wait-for-upstream.sh
|
||
chmod +x wait-for-upstream.sh
|
||
GITEA_TOKEN="$POLL_TOKEN" ./wait-for-upstream.sh "mmintel/at-mintel" "$TAG_TO_WAIT"
|
||
else
|
||
echo "ℹ️ No GITEA_PAT secret found. Skipping build status wait (Actions API is restricted)."
|
||
echo " If this build fails, ensure that mmintel/at-mintel $TAG_TO_WAIT has finished its Docker build."
|
||
fi
|
||
fi
|
||
fi
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# JOB 2: QA (Lint, Typecheck, Test)
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
qa:
|
||
name: 🧪 QA
|
||
needs: prepare
|
||
if: needs.prepare.outputs.target != 'skip'
|
||
runs-on: docker
|
||
container:
|
||
image: catthehacker/ubuntu:act-latest
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v4
|
||
- name: Setup pnpm
|
||
uses: pnpm/action-setup@v3
|
||
with:
|
||
version: 10
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: 20
|
||
- name: 🔐 Registry Auth
|
||
run: |
|
||
echo "@mintel:registry=https://${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}" > .npmrc
|
||
echo "//${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}/:_authToken=${{ secrets.REGISTRY_PASS }}" >> .npmrc
|
||
- name: Install dependencies
|
||
run: pnpm install --frozen-lockfile
|
||
- name: Setup Turbo cache
|
||
uses: actions/cache@v4
|
||
with:
|
||
path: .turbo
|
||
key: ${{ runner.os }}-turbo-global-${{ github.sha }}
|
||
restore-keys: |
|
||
${{ runner.os }}-turbo-global-
|
||
${{ runner.os }}-turbo-
|
||
|
||
- name: 🔒 Security Audit
|
||
run: pnpm audit --audit-level high
|
||
- name: 🧪 QA Checks
|
||
if: github.event.inputs.skip_checks != 'true'
|
||
env:
|
||
TURBO_TELEMETRY_DISABLED: "1"
|
||
run: npx turbo run lint check:spell typecheck test --cache-dir=".turbo"
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# JOB 3: Build & Push
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
build:
|
||
name: 🏗️ Build
|
||
needs: [prepare, qa]
|
||
if: needs.prepare.outputs.target != 'skip'
|
||
runs-on: docker
|
||
container:
|
||
image: catthehacker/ubuntu:act-latest
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v4
|
||
- name: 🐳 Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
- name: 🔐 Registry Login
|
||
run: echo "${{ secrets.REGISTRY_PASS }}" | docker login registry.infra.mintel.me -u "${{ secrets.REGISTRY_USER }}" --password-stdin
|
||
- name: 🏗️ Build and Push
|
||
uses: docker/build-push-action@v5
|
||
with:
|
||
context: .
|
||
push: true
|
||
provenance: false
|
||
platforms: linux/arm64
|
||
cache-from: type=gha,scope=nextjs-build-${{ needs.prepare.outputs.target }}
|
||
cache-to: type=gha,mode=max,scope=nextjs-build-${{ needs.prepare.outputs.target }}
|
||
build-args: |
|
||
NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_url }}
|
||
NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }}
|
||
DIRECTUS_URL=${{ needs.prepare.outputs.directus_url }}
|
||
UMAMI_WEBSITE_ID=${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
|
||
UMAMI_API_ENDPOINT=${{ secrets.UMAMI_API_ENDPOINT || vars.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me' }}
|
||
NPM_TOKEN=${{ secrets.REGISTRY_PASS }}
|
||
tags: registry.infra.mintel.me/mintel/klz-cables.com:${{ needs.prepare.outputs.image_tag }}
|
||
secrets: |
|
||
"NPM_TOKEN=${{ secrets.REGISTRY_PASS }}"
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# JOB 4: Deploy
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
deploy:
|
||
name: 🚀 Deploy
|
||
needs: [prepare, build, qa]
|
||
runs-on: docker
|
||
container:
|
||
image: catthehacker/ubuntu:act-latest
|
||
env:
|
||
TARGET: ${{ needs.prepare.outputs.target }}
|
||
IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }}
|
||
PROJECT_NAME: ${{ needs.prepare.outputs.project_name }}
|
||
NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }}
|
||
DIRECTUS_URL: ${{ needs.prepare.outputs.directus_url }}
|
||
DIRECTUS_HOST: cms.${{ needs.prepare.outputs.traefik_host }}
|
||
TRAEFIK_HOST: ${{ needs.prepare.outputs.traefik_host }}
|
||
|
||
# Secrets mapping (Directus)
|
||
DIRECTUS_KEY: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_KEY) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_KEY) || secrets.DIRECTUS_KEY || vars.DIRECTUS_KEY }}
|
||
DIRECTUS_SECRET: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_SECRET) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_SECRET) || secrets.DIRECTUS_SECRET || vars.DIRECTUS_SECRET }}
|
||
DIRECTUS_ADMIN_EMAIL: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_ADMIN_EMAIL) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_ADMIN_EMAIL) || secrets.DIRECTUS_ADMIN_EMAIL || vars.DIRECTUS_ADMIN_EMAIL || 'admin@mintel.me' }}
|
||
DIRECTUS_ADMIN_PASSWORD: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_ADMIN_PASSWORD) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_ADMIN_PASSWORD) || secrets.DIRECTUS_ADMIN_PASSWORD || vars.DIRECTUS_ADMIN_PASSWORD }}
|
||
DIRECTUS_DB_NAME: ${{ secrets.DIRECTUS_DB_NAME || vars.DIRECTUS_DB_NAME || 'directus' }}
|
||
DIRECTUS_DB_USER: ${{ secrets.DIRECTUS_DB_USER || vars.DIRECTUS_DB_USER || 'directus' }}
|
||
DIRECTUS_DB_PASSWORD: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_DB_PASSWORD) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_DB_PASSWORD) || secrets.DIRECTUS_DB_PASSWORD || vars.DIRECTUS_DB_PASSWORD || 'directus' }}
|
||
DIRECTUS_API_TOKEN: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_API_TOKEN) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_API_TOKEN) || secrets.DIRECTUS_API_TOKEN || vars.DIRECTUS_API_TOKEN }}
|
||
|
||
# Secrets mapping (Mail)
|
||
MAIL_HOST: ${{ secrets.SMTP_HOST || vars.SMTP_HOST }}
|
||
MAIL_PORT: ${{ secrets.SMTP_PORT || vars.SMTP_PORT || '587' }}
|
||
MAIL_USERNAME: ${{ secrets.SMTP_USER || vars.SMTP_USER }}
|
||
MAIL_PASSWORD: ${{ secrets.SMTP_PASS || vars.SMTP_PASS }}
|
||
MAIL_FROM: ${{ secrets.SMTP_FROM || vars.SMTP_FROM }}
|
||
MAIL_RECIPIENTS: ${{ secrets.CONTACT_RECIPIENT || vars.CONTACT_RECIPIENT }}
|
||
|
||
# Monitoring
|
||
SENTRY_DSN: ${{ secrets.SENTRY_DSN || vars.SENTRY_DSN }}
|
||
|
||
# Gatekeeper
|
||
GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}
|
||
|
||
# Analytics
|
||
UMAMI_WEBSITE_ID: ${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
|
||
UMAMI_API_ENDPOINT: ${{ secrets.UMAMI_API_ENDPOINT || vars.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me' }}
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v4
|
||
- name: 📝 Generate Environment
|
||
shell: bash
|
||
env:
|
||
TRAEFIK_RULE: ${{ needs.prepare.outputs.traefik_rule }}
|
||
ENV_FILE: ${{ needs.prepare.outputs.env_file }}
|
||
run: |
|
||
# Middleware Selection Logic
|
||
# Regular app routes get auth on non-production
|
||
# Unprotected routes (/stats, /errors) never get auth
|
||
LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" )
|
||
COOKIE_DOMAIN=.$(echo $NEXT_PUBLIC_BASE_URL | sed 's|https://||')
|
||
STD_MW="${PROJECT_NAME}-ratelimit,${PROJECT_NAME}-forward,${PROJECT_NAME}-compress"
|
||
|
||
if [[ "$TARGET" == "production" ]]; then
|
||
AUTH_MIDDLEWARE="$STD_MW"
|
||
COMPOSE_PROFILES=""
|
||
else
|
||
# Order: Ratelimit -> Forward (Proto) -> Auth -> Compression
|
||
AUTH_MIDDLEWARE="${PROJECT_NAME}-ratelimit,${PROJECT_NAME}-forward,${PROJECT_NAME}-auth,${PROJECT_NAME}-compress"
|
||
COMPOSE_PROFILES="gatekeeper"
|
||
fi
|
||
AUTH_MIDDLEWARE_UNPROTECTED="$STD_MW"
|
||
|
||
# Gatekeeper Origin
|
||
GATEKEEPER_ORIGIN="$NEXT_PUBLIC_BASE_URL/gatekeeper"
|
||
|
||
{
|
||
echo "# Generated by CI - $TARGET"
|
||
echo "IMAGE_TAG=$IMAGE_TAG"
|
||
echo "NEXT_PUBLIC_BASE_URL=$NEXT_PUBLIC_BASE_URL"
|
||
echo "GATEKEEPER_ORIGIN=$GATEKEEPER_ORIGIN"
|
||
echo "SENTRY_DSN=$SENTRY_DSN"
|
||
echo "LOG_LEVEL=$LOG_LEVEL"
|
||
echo "MAIL_HOST=$MAIL_HOST"
|
||
echo "MAIL_PORT=$MAIL_PORT"
|
||
echo "MAIL_USERNAME=$MAIL_USERNAME"
|
||
echo "MAIL_PASSWORD=$MAIL_PASSWORD"
|
||
echo "MAIL_FROM=$MAIL_FROM"
|
||
echo "MAIL_RECIPIENTS=$MAIL_RECIPIENTS"
|
||
echo ""
|
||
echo "# Directus"
|
||
echo "DIRECTUS_URL=$DIRECTUS_URL"
|
||
echo "DIRECTUS_HOST=$DIRECTUS_HOST"
|
||
echo "DIRECTUS_KEY=$DIRECTUS_KEY"
|
||
echo "DIRECTUS_SECRET=$DIRECTUS_SECRET"
|
||
echo "DIRECTUS_ADMIN_EMAIL=$DIRECTUS_ADMIN_EMAIL"
|
||
echo "DIRECTUS_ADMIN_PASSWORD=$DIRECTUS_ADMIN_PASSWORD"
|
||
echo "DIRECTUS_DB_NAME=$DIRECTUS_DB_NAME"
|
||
echo "DIRECTUS_DB_USER=$DIRECTUS_DB_USER"
|
||
echo "DIRECTUS_DB_PASSWORD=$DIRECTUS_DB_PASSWORD"
|
||
echo "DIRECTUS_DB_CLIENT=pg"
|
||
echo "DIRECTUS_DB_HOST=directus-db"
|
||
echo "DIRECTUS_DB_PORT=5432"
|
||
echo "DIRECTUS_API_TOKEN=$DIRECTUS_API_TOKEN"
|
||
echo "INTERNAL_DIRECTUS_URL=http://directus:8055"
|
||
echo ""
|
||
echo "# Gatekeeper"
|
||
echo "GATEKEEPER_PASSWORD=$GATEKEEPER_PASSWORD"
|
||
echo "AUTH_COOKIE_NAME=klz_gatekeeper_session"
|
||
echo "COOKIE_DOMAIN=$COOKIE_DOMAIN"
|
||
echo ""
|
||
echo "# Analytics"
|
||
echo "UMAMI_WEBSITE_ID=$UMAMI_WEBSITE_ID"
|
||
echo "UMAMI_API_ENDPOINT=$UMAMI_API_ENDPOINT"
|
||
echo ""
|
||
echo "TARGET=$TARGET"
|
||
echo "SENTRY_ENVIRONMENT=$TARGET"
|
||
echo "PROJECT_NAME=$PROJECT_NAME"
|
||
printf 'TRAEFIK_HOST_RULE=%s\n' "$TRAEFIK_RULE"
|
||
echo "TRAEFIK_HOST=$TRAEFIK_HOST"
|
||
echo "TRAEFIK_ENTRYPOINT=websecure"
|
||
echo "TRAEFIK_TLS=true"
|
||
echo "TRAEFIK_CERT_RESOLVER=le"
|
||
echo "ENV_FILE=$ENV_FILE"
|
||
echo "COMPOSE_PROFILES=$COMPOSE_PROFILES"
|
||
echo "AUTH_MIDDLEWARE=$AUTH_MIDDLEWARE"
|
||
echo "AUTH_MIDDLEWARE_UNPROTECTED=$AUTH_MIDDLEWARE_UNPROTECTED"
|
||
} > .env.deploy
|
||
|
||
echo "--- Generated .env.deploy ---"
|
||
cat .env.deploy
|
||
echo "----------------------------"
|
||
|
||
- name: 🚀 SSH Deploy
|
||
shell: bash
|
||
env:
|
||
ENV_FILE: ${{ needs.prepare.outputs.env_file }}
|
||
run: |
|
||
mkdir -p ~/.ssh
|
||
echo "${{ secrets.ALPHA_SSH_KEY }}" > ~/.ssh/id_ed25519
|
||
chmod 600 ~/.ssh/id_ed25519
|
||
ssh-keyscan -H alpha.mintel.me >> ~/.ssh/known_hosts 2>/dev/null
|
||
|
||
# Transfer and Restart
|
||
SITE_DIR="/home/deploy/sites/klz-cables.com"
|
||
ssh root@alpha.mintel.me "mkdir -p $SITE_DIR/directus/schema $SITE_DIR/directus/uploads $SITE_DIR/directus/extensions"
|
||
|
||
scp .env.deploy root@alpha.mintel.me:$SITE_DIR/$ENV_FILE
|
||
scp docker-compose.yml root@alpha.mintel.me:$SITE_DIR/docker-compose.yml
|
||
scp -r directus/schema root@alpha.mintel.me:$SITE_DIR/directus/
|
||
|
||
ssh root@alpha.mintel.me "cd $SITE_DIR && echo '${{ secrets.REGISTRY_PASS }}' | docker login registry.infra.mintel.me -u '${{ secrets.REGISTRY_USER }}' --password-stdin"
|
||
ssh root@alpha.mintel.me "cd $SITE_DIR && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' pull"
|
||
ssh root@alpha.mintel.me "cd $SITE_DIR && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' up -d --remove-orphans"
|
||
|
||
# Apply Directus Schema Snapshot if available
|
||
ssh root@alpha.mintel.me "cd $SITE_DIR && if docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' exec -T directus ls /directus/schema/snapshot.yaml >/dev/null 2>&1; then echo '→ Applying Directus Schema Snapshot...' && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' exec -T directus npx directus schema apply /directus/schema/snapshot.yaml --yes; fi"
|
||
|
||
ssh root@alpha.mintel.me "docker system prune -f --filter 'until=24h'"
|
||
|
||
- name: 🧹 Post-Deploy Cleanup (Runner)
|
||
if: always()
|
||
run: docker builder prune -f --filter "until=1h"
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# JOB 5: Smoke Test (OG Images)
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
smoke_test:
|
||
name: 🧪 Smoke Test
|
||
needs: [prepare, deploy]
|
||
continue-on-error: true
|
||
if: needs.deploy.result == 'success' && github.ref_type != 'tag'
|
||
runs-on: docker
|
||
container:
|
||
image: catthehacker/ubuntu:act-latest
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v4
|
||
- name: Setup pnpm
|
||
uses: pnpm/action-setup@v3
|
||
with:
|
||
version: 10
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: 20
|
||
- name: 🔐 Registry Auth
|
||
run: |
|
||
echo "@mintel:registry=https://${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}" > .npmrc
|
||
echo "//${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}/:_authToken=${{ secrets.REGISTRY_PASS }}" >> .npmrc
|
||
- name: Install dependencies
|
||
run: pnpm install --frozen-lockfile
|
||
- name: 🚀 Run OG Image Check
|
||
env:
|
||
TEST_URL: ${{ needs.prepare.outputs.next_public_url }}
|
||
run: pnpm run check:og
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# JOB 6: Lighthouse (Performance & Accessibility)
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
lighthouse:
|
||
name: ⚡ Lighthouse
|
||
needs: [prepare, deploy]
|
||
continue-on-error: true
|
||
if: success() && needs.prepare.outputs.target != 'skip' && github.ref_type != 'tag'
|
||
runs-on: docker
|
||
container:
|
||
image: catthehacker/ubuntu:act-latest
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v4
|
||
- name: Setup pnpm
|
||
uses: pnpm/action-setup@v3
|
||
with:
|
||
version: 10
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: 20
|
||
- name: 🔐 Registry Auth
|
||
run: |
|
||
echo "@mintel:registry=https://${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}" > .npmrc
|
||
echo "//${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}/:_authToken=${{ secrets.REGISTRY_PASS }}" >> .npmrc
|
||
- name: Install dependencies
|
||
run: pnpm install --frozen-lockfile
|
||
- name: Setup APT Cache
|
||
uses: actions/cache@v4
|
||
with:
|
||
path: /var/cache/apt/archives
|
||
key: apt-cache-${{ runner.os }}-${{ hashFiles('package.json') }}
|
||
- name: 🔍 Install Chromium (Native & ARM64)
|
||
run: |
|
||
rm -f /etc/apt/apt.conf.d/docker-clean
|
||
apt-get update
|
||
apt-get install -y gnupg wget ca-certificates
|
||
|
||
# Detect OS
|
||
OS_ID=$(. /etc/os-release && echo $ID)
|
||
CODENAME=$(. /etc/os-release && echo $VERSION_CODENAME)
|
||
|
||
if [ "$OS_ID" = "debian" ]; then
|
||
echo "🎯 Debian detected - installing native chromium"
|
||
apt-get install -y chromium
|
||
else
|
||
echo "🎯 Ubuntu detected - adding xtradeb PPA"
|
||
mkdir -p /etc/apt/keyrings
|
||
KEY_ID="82BB6851C64F6880"
|
||
|
||
# Fetch PPA key
|
||
wget -qO- "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x$KEY_ID" | gpg --dearmor > /etc/apt/keyrings/xtradeb.gpg
|
||
|
||
# Add PPA repository
|
||
echo "deb [signed-by=/etc/apt/keyrings/xtradeb.gpg] http://ppa.launchpad.net/xtradeb/apps/ubuntu $CODENAME main" > /etc/apt/sources.list.d/xtradeb-ppa.list
|
||
|
||
# PRIORITY PINNING: Force PPA over Snap-dummy
|
||
printf "Package: *\nPin: release o=LP-PPA-xtradeb-apps\nPin-Priority: 1001\n" > /etc/apt/preferences.d/xtradeb
|
||
|
||
apt-get update
|
||
apt-get install -y --allow-downgrades chromium
|
||
fi
|
||
|
||
# Standardize binary paths
|
||
[ -f /usr/bin/chromium ] && ln -sf /usr/bin/chromium /usr/bin/google-chrome
|
||
[ -f /usr/bin/chromium ] && ln -sf /usr/bin/chromium /usr/bin/chromium-browser
|
||
- name: ⚡ Run Lighthouse CI
|
||
env:
|
||
NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }}
|
||
GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}
|
||
CHROME_PATH: /usr/bin/chromium
|
||
PAGESPEED_LIMIT: 8
|
||
run: pnpm run pagespeed:test
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# JOB 7: WCAG Audit
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
wcag:
|
||
name: ♿ WCAG
|
||
needs: [prepare, deploy, smoke_test]
|
||
continue-on-error: true
|
||
if: success() && needs.prepare.outputs.target != 'skip' && github.ref_type != 'tag'
|
||
runs-on: docker
|
||
container:
|
||
image: catthehacker/ubuntu:act-latest
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v4
|
||
- name: Setup pnpm
|
||
uses: pnpm/action-setup@v3
|
||
with:
|
||
version: 10
|
||
- name: Setup Puppeteer cache
|
||
uses: actions/cache@v4
|
||
with:
|
||
path: ~/.cache/puppeteer
|
||
key: ${{ runner.os }}-puppeteer-${{ hashFiles('**/pnpm-lock.yaml') }}
|
||
restore-keys: |
|
||
${{ runner.os }}-puppeteer-
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: 20
|
||
- name: 🔐 Registry Auth
|
||
run: |
|
||
echo "@mintel:registry=https://${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}" > .npmrc
|
||
echo "//${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}/:_authToken=${{ secrets.REGISTRY_PASS }}" >> .npmrc
|
||
- name: Install dependencies
|
||
run: pnpm install --frozen-lockfile
|
||
- name: Setup APT Cache
|
||
uses: actions/cache@v4
|
||
with:
|
||
path: /var/cache/apt/archives
|
||
key: apt-cache-${{ runner.os }}-${{ hashFiles('package.json') }}
|
||
- name: 🔍 Install Chromium (Native & ARM64)
|
||
run: |
|
||
rm -f /etc/apt/apt.conf.d/docker-clean
|
||
apt-get update
|
||
apt-get install -y gnupg wget ca-certificates
|
||
|
||
# Detect OS
|
||
OS_ID=$(. /etc/os-release && echo $ID)
|
||
CODENAME=$(. /etc/os-release && echo $VERSION_CODENAME)
|
||
|
||
if [ "$OS_ID" = "debian" ]; then
|
||
echo "🎯 Debian detected - installing native chromium"
|
||
apt-get install -y chromium
|
||
else
|
||
echo "🎯 Ubuntu detected - adding xtradeb PPA"
|
||
mkdir -p /etc/apt/keyrings
|
||
KEY_ID="82BB6851C64F6880"
|
||
|
||
# Fetch PPA key
|
||
wget -qO- "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x$KEY_ID" | gpg --dearmor > /etc/apt/keyrings/xtradeb.gpg
|
||
|
||
# Add PPA repository
|
||
echo "deb [signed-by=/etc/apt/keyrings/xtradeb.gpg] http://ppa.launchpad.net/xtradeb/apps/ubuntu $CODENAME main" > /etc/apt/sources.list.d/xtradeb-ppa.list
|
||
|
||
# PRIORITY PINNING: Force PPA over Snap-dummy
|
||
printf "Package: *\nPin: release o=LP-PPA-xtradeb-apps\nPin-Priority: 1001\n" > /etc/apt/preferences.d/xtradeb
|
||
|
||
apt-get update
|
||
apt-get install -y --allow-downgrades chromium
|
||
fi
|
||
|
||
# Standardize binary paths
|
||
[ -f /usr/bin/chromium ] && ln -sf /usr/bin/chromium /usr/bin/google-chrome
|
||
[ -f /usr/bin/chromium ] && ln -sf /usr/bin/chromium /usr/bin/chromium-browser
|
||
- name: ♿ Run WCAG Audit
|
||
env:
|
||
NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }}
|
||
GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}
|
||
CHROME_PATH: /usr/bin/chromium
|
||
PAGESPEED_LIMIT: 8
|
||
run: pnpm run check:wcag
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# JOB 9: Quality Assertions
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
quality_assertions:
|
||
name: 🛡️ Quality Gates
|
||
needs: [prepare, deploy, smoke_test]
|
||
continue-on-error: true
|
||
if: success() && needs.prepare.outputs.target != 'skip' && github.ref_type != 'tag'
|
||
runs-on: docker
|
||
container:
|
||
image: catthehacker/ubuntu:act-latest
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v4
|
||
- name: Setup pnpm
|
||
uses: pnpm/action-setup@v3
|
||
with:
|
||
version: 10
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: 20
|
||
- name: 🔐 Registry Auth
|
||
run: |
|
||
echo "@mintel:registry=https://${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}" > .npmrc
|
||
echo "//${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}/:_authToken=${{ secrets.REGISTRY_PASS }}" >> .npmrc
|
||
- name: Install dependencies
|
||
run: pnpm install --frozen-lockfile
|
||
- name: 🌐 HTML DOM Validation
|
||
env:
|
||
NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }}
|
||
GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}
|
||
run: pnpm check:html
|
||
- name: 🔒 Security Headers Scan
|
||
env:
|
||
NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }}
|
||
GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}
|
||
run: pnpm check:security
|
||
- name: 🔗 Lychee Deep Link Crawl
|
||
env:
|
||
NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }}
|
||
GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}
|
||
run: pnpm check:links
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# JOB 10: Notifications
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
notifications:
|
||
name: 🔔 Notify
|
||
needs: [prepare, deploy, smoke_test, lighthouse, wcag, quality_assertions]
|
||
if: always()
|
||
runs-on: docker
|
||
container:
|
||
image: catthehacker/ubuntu:act-latest
|
||
steps:
|
||
- name: 🔔 Gotify
|
||
run: |
|
||
STATUS="${{ needs.deploy.result }}"
|
||
TITLE="klz-cables.com: $STATUS"
|
||
[[ "$STATUS" == "success" ]] && PRIORITY=5 || PRIORITY=8
|
||
|
||
curl -s -k -X POST "${{ secrets.GOTIFY_URL }}/message?token=${{ secrets.GOTIFY_TOKEN }}" \
|
||
-F "title=$TITLE" \
|
||
-F "message=Deploy to ${{ needs.prepare.outputs.target }} finished with status $STATUS.\nVersion: ${{ needs.prepare.outputs.image_tag }}" \
|
||
-F "priority=$PRIORITY" || true
|