name: Build & Deploy on: push: branches: - main tags: - 'v*' workflow_dispatch: inputs: skip_checks: description: 'Skip tests? (true/false)' required: false default: 'false' concurrency: group: ${{ github.workflow }}-${{ (github.ref_type == 'tag' && !contains(github.ref_name, '-')) && 'prod' || (github.ref_name == 'main' && 'testing' || github.ref_name) }} cancel-in-progress: true jobs: # ────────────────────────────────────────────────────────────────────────────── # JOB 1: Prepare Environment # ────────────────────────────────────────────────────────────────────────────── prepare: name: 🔍 Prepare runs-on: docker outputs: target: ${{ steps.determine.outputs.target }} image_tag: ${{ steps.determine.outputs.image_tag }} env_file: ${{ steps.determine.outputs.env_file }} traefik_host: ${{ steps.determine.outputs.traefik_host }} traefik_rule: ${{ steps.determine.outputs.traefik_rule }} next_public_url: ${{ steps.determine.outputs.next_public_url }} directus_url: ${{ steps.determine.outputs.directus_url }} project_name: ${{ steps.determine.outputs.project_name }} short_sha: ${{ steps.determine.outputs.short_sha }} container: image: catthehacker/ubuntu:act-latest steps: - name: 🧹 Maintenance (High Density Cleanup) shell: bash run: | echo "Purging old build layers and dangling images..." docker image prune -f docker builder prune -f --filter "until=6h" - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 2 - name: 🔍 Environment ermitteln id: determine shell: bash run: | REF="${{ github.ref_name }}" SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7) DOMAIN="mb-grid-solutions.com" PRJ="mb-grid-solutions" if [[ "${{ github.ref_type }}" == "branch" && "$REF" == "main" ]]; then TARGET="testing" IMAGE_TAG="main-${SHORT_SHA}" ENV_FILE=".env.testing" TRAEFIK_HOST="testing.${DOMAIN}" elif [[ "${{ github.ref_type }}" == "tag" ]]; then if [[ "$REF" =~ ^v[0-9]+\.[0-9]+(\.[0-9]+)?$ ]]; then TARGET="production" IMAGE_TAG="$REF" ENV_FILE=".env.prod" TRAEFIK_HOST="${DOMAIN}, www.${DOMAIN}" else TARGET="staging" IMAGE_TAG="$REF" ENV_FILE=".env.staging" TRAEFIK_HOST="staging.${DOMAIN}" fi else TARGET="skip" fi if [[ "$TARGET" != "skip" ]]; then # Standardize Traefik Rule if [[ "$TRAEFIK_HOST" == *","* ]]; then TRAEFIK_RULE=$(echo "$TRAEFIK_HOST" | sed 's/,/ /g' | awk '{for(i=1;i<=NF;i++) printf "Host(\`%s\`)%s", $i, (i==NF?"":" || ")}') PRIMARY_HOST=$(echo "$TRAEFIK_HOST" | cut -d',' -f1 | sed 's/ //g') else TRAEFIK_RULE="Host(\`$TRAEFIK_HOST\`)" PRIMARY_HOST="$TRAEFIK_HOST" fi { echo "target=$TARGET" echo "image_tag=$IMAGE_TAG" echo "env_file=$ENV_FILE" echo "traefik_host=$PRIMARY_HOST" echo "traefik_rule=$TRAEFIK_RULE" echo "next_public_url=https://$PRIMARY_HOST" echo "directus_url=https://cms.$PRIMARY_HOST" echo "project_name=$PRJ-$TARGET" echo "short_sha=$SHORT_SHA" } >> "$GITHUB_OUTPUT" # ⏳ Wait for Upstream Packages/Images if Tagged if [[ "${{ github.ref_type }}" == "tag" ]]; then echo "🔎 Checking for @mintel dependencies in package.json..." # Extract any @mintel/ version (they should be synced in monorepo) UPSTREAM_VERSION=$(grep -o '"@mintel/.*": "[^"]*"' package.json | head -1 | cut -d'"' -f4 | sed 's/\^//; s/\~//') TAG_TO_WAIT="v$UPSTREAM_VERSION" if [[ -n "$UPSTREAM_VERSION" && "$UPSTREAM_VERSION" != "workspace:"* ]]; then echo "⏳ This release depends on @mintel v$UPSTREAM_VERSION. Waiting for upstream build..." # Fetch script from monorepo (main) curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ "https://git.infra.mintel.me/mmintel/at-mintel/raw/branch/main/packages/infra/scripts/wait-for-upstream.sh" > wait-for-upstream.sh chmod +x wait-for-upstream.sh GITEA_TOKEN=${{ secrets.GITHUB_TOKEN }} ./wait-for-upstream.sh "mmintel/at-mintel" "$TAG_TO_WAIT" fi fi else echo "target=skip" >> "$GITHUB_OUTPUT" fi # ────────────────────────────────────────────────────────────────────────────── # JOB 2: QA (Lint, Build Test) # ────────────────────────────────────────────────────────────────────────────── qa: name: 🧪 QA needs: prepare if: needs.prepare.outputs.target != 'skip' runs-on: docker container: image: catthehacker/ubuntu:act-latest steps: - name: Checkout repository uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: 20 - name: Setup pnpm uses: pnpm/action-setup@v3 with: version: 10 - name: 🔐 Registry Auth run: | echo "@mintel:registry=https://${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}" > .npmrc echo "//${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}/:_authToken=${{ secrets.REGISTRY_PASS }}" >> .npmrc - name: Install dependencies run: pnpm install --frozen-lockfile - name: 🧪 QA Checks if: github.event.inputs.skip_checks != 'true' run: | pnpm lint pnpm exec tsc --noEmit pnpm test run - name: 🏗️ Build Test if: github.event.inputs.skip_checks != 'true' run: pnpm build # ────────────────────────────────────────────────────────────────────────────── # JOB 3: Build & Push # ────────────────────────────────────────────────────────────────────────────── build: name: 🏗️ Build needs: prepare if: needs.prepare.outputs.target != 'skip' runs-on: docker container: image: catthehacker/ubuntu:act-latest steps: - name: Checkout repository uses: actions/checkout@v4 - name: 🐳 Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: 🔐 Registry Login run: echo "${{ secrets.REGISTRY_PASS }}" | docker login registry.infra.mintel.me -u "${{ secrets.REGISTRY_USER }}" --password-stdin - name: 🏗️ Build and Push uses: docker/build-push-action@v5 with: context: . push: true platforms: linux/arm64 build-args: | NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_url }} NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }} DIRECTUS_URL=${{ needs.prepare.outputs.directus_url }} NPM_TOKEN=${{ secrets.REGISTRY_PASS }} tags: registry.infra.mintel.me/mintel/mb-grid-solutions:${{ needs.prepare.outputs.image_tag }} cache-from: type=registry,ref=registry.infra.mintel.me/mintel/mb-grid-solutions:buildcache cache-to: type=registry,ref=registry.infra.mintel.me/mintel/mb-grid-solutions:buildcache,mode=max secrets: | "NPM_TOKEN=${{ secrets.REGISTRY_PASS }}" # ────────────────────────────────────────────────────────────────────────────── # JOB 4: Deploy # ────────────────────────────────────────────────────────────────────────────── deploy: name: 🚀 Deploy needs: [prepare, build, qa] runs-on: docker container: image: catthehacker/ubuntu:act-latest env: TARGET: ${{ needs.prepare.outputs.target }} IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }} PROJECT_NAME: ${{ needs.prepare.outputs.project_name }} NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }} DIRECTUS_URL: ${{ needs.prepare.outputs.directus_url }} DIRECTUS_HOST: cms.${{ needs.prepare.outputs.traefik_host }} # Secrets mapping (Directus) DIRECTUS_KEY: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_KEY) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_KEY) || secrets.DIRECTUS_KEY || vars.DIRECTUS_KEY }} DIRECTUS_SECRET: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_SECRET) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_SECRET) || secrets.DIRECTUS_SECRET || vars.DIRECTUS_SECRET }} DIRECTUS_ADMIN_EMAIL: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_ADMIN_EMAIL) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_ADMIN_EMAIL) || secrets.DIRECTUS_ADMIN_EMAIL || vars.DIRECTUS_ADMIN_EMAIL || 'admin@mintel.me' }} DIRECTUS_ADMIN_PASSWORD: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_ADMIN_PASSWORD) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_ADMIN_PASSWORD) || secrets.DIRECTUS_ADMIN_PASSWORD || vars.DIRECTUS_ADMIN_PASSWORD }} DIRECTUS_DB_NAME: ${{ secrets.DIRECTUS_DB_NAME || vars.DIRECTUS_DB_NAME || 'directus' }} DIRECTUS_DB_USER: ${{ secrets.DIRECTUS_DB_USER || vars.DIRECTUS_DB_USER || 'directus' }} DIRECTUS_DB_PASSWORD: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_DB_PASSWORD) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_DB_PASSWORD) || secrets.DIRECTUS_DB_PASSWORD || vars.DIRECTUS_DB_PASSWORD || 'directus' }} DIRECTUS_API_TOKEN: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_API_TOKEN) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_API_TOKEN) || secrets.DIRECTUS_API_TOKEN || vars.DIRECTUS_API_TOKEN }} # Secrets mapping (Mail) MAIL_HOST: ${{ secrets.SMTP_HOST || vars.SMTP_HOST }} MAIL_PORT: ${{ secrets.SMTP_PORT || vars.SMTP_PORT || '587' }} MAIL_USERNAME: ${{ secrets.SMTP_USER || vars.SMTP_USER }} MAIL_PASSWORD: ${{ secrets.SMTP_PASS || vars.SMTP_PASS }} MAIL_FROM: ${{ secrets.SMTP_FROM || vars.SMTP_FROM }} MAIL_RECIPIENTS: ${{ secrets.CONTACT_RECIPIENT || vars.CONTACT_RECIPIENT }} # Authentication GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || vars.GATEKEEPER_PASSWORD }} AUTH_COOKIE_NAME: ${{ secrets.AUTH_COOKIE_NAME || vars.AUTH_COOKIE_NAME || 'mintel_gatekeeper_session' }} COOKIE_DOMAIN: ${{ secrets.COOKIE_DOMAIN || vars.COOKIE_DOMAIN || '.mb-grid-solutions.com' }} # Monitoring & Services SENTRY_DSN: ${{ secrets.SENTRY_DSN || vars.SENTRY_DSN }} UMAMI_WEBSITE_ID: ${{ secrets.UMAMI_WEBSITE_ID || secrets.NEXT_PUBLIC_UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID || vars.NEXT_PUBLIC_UMAMI_WEBSITE_ID }} UMAMI_API_ENDPOINT: ${{ secrets.UMAMI_API_ENDPOINT || secrets.NEXT_PUBLIC_UMAMI_SCRIPT_URL || vars.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me' }} PROJECT_COLOR: ${{ secrets.PROJECT_COLOR || vars.PROJECT_COLOR || '#82ed20' }} steps: - name: Checkout repository uses: actions/checkout@v4 - name: 📝 Generate Environment shell: bash env: TRAEFIK_RULE: ${{ needs.prepare.outputs.traefik_rule }} TRAEFIK_HOST: ${{ needs.prepare.outputs.traefik_host }} ENV_FILE: ${{ needs.prepare.outputs.env_file }} run: | # Middleware & Auth Logic LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" ) STD_MW="${PROJECT_NAME}-forward,compress" if [[ "$TARGET" == "production" ]]; then AUTH_MIDDLEWARE="$STD_MW" COMPOSE_PROFILES="" else # Order: Forward (Proto) -> Auth -> Compression AUTH_MIDDLEWARE="${PROJECT_NAME}-forward,${PROJECT_NAME}-auth,compress" COMPOSE_PROFILES="gatekeeper" fi # Gatekeeper Origin GATEKEEPER_ORIGIN="$NEXT_PUBLIC_BASE_URL/gatekeeper" # Generate Environment File cat > .env.deploy << EOF # Generated by CI - $TARGET IMAGE_TAG=$IMAGE_TAG NEXT_PUBLIC_BASE_URL=$NEXT_PUBLIC_BASE_URL GATEKEEPER_ORIGIN=$GATEKEEPER_ORIGIN SENTRY_DSN=$SENTRY_DSN PROJECT_COLOR=$PROJECT_COLOR LOG_LEVEL=$LOG_LEVEL # Directus DIRECTUS_URL=$DIRECTUS_URL DIRECTUS_HOST=$DIRECTUS_HOST DIRECTUS_KEY=$DIRECTUS_KEY DIRECTUS_SECRET=$DIRECTUS_SECRET DIRECTUS_ADMIN_EMAIL=$DIRECTUS_ADMIN_EMAIL DIRECTUS_ADMIN_PASSWORD=$DIRECTUS_ADMIN_PASSWORD DIRECTUS_DB_NAME=$DIRECTUS_DB_NAME DIRECTUS_DB_USER=$DIRECTUS_DB_USER DIRECTUS_DB_PASSWORD=$DIRECTUS_DB_PASSWORD DIRECTUS_API_TOKEN=$DIRECTUS_API_TOKEN INTERNAL_DIRECTUS_URL=http://directus:8055 # Mail MAIL_HOST=$MAIL_HOST MAIL_PORT=$MAIL_PORT MAIL_USERNAME=$MAIL_USERNAME MAIL_PASSWORD=$MAIL_PASSWORD MAIL_FROM=$MAIL_FROM MAIL_RECIPIENTS=$MAIL_RECIPIENTS # Authentication GATEKEEPER_PASSWORD=$GATEKEEPER_PASSWORD AUTH_COOKIE_NAME=$AUTH_COOKIE_NAME COOKIE_DOMAIN=$COOKIE_DOMAIN # Analytics UMAMI_WEBSITE_ID=$UMAMI_WEBSITE_ID NEXT_PUBLIC_UMAMI_WEBSITE_ID=$UMAMI_WEBSITE_ID UMAMI_API_ENDPOINT=$UMAMI_API_ENDPOINT TARGET=$TARGET SENTRY_ENVIRONMENT=$TARGET PROJECT_NAME=$PROJECT_NAME ENV_FILE=$ENV_FILE TRAEFIK_RULE="${TRAEFIK_RULE}" TRAEFIK_HOST="${TRAEFIK_HOST}" COMPOSE_PROFILES=$COMPOSE_PROFILES TRAEFIK_MIDDLEWARES=$AUTH_MIDDLEWARE EOF - name: 🚀 SSH Deploy shell: bash env: ENV_FILE: ${{ needs.prepare.outputs.env_file }} run: | mkdir -p ~/.ssh echo "${{ secrets.ALPHA_SSH_KEY }}" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 ssh-keyscan -H alpha.mintel.me >> ~/.ssh/known_hosts 2>/dev/null # Transfer and Restart SITE_DIR="/home/deploy/sites/mb-grid-solutions.com" ssh root@alpha.mintel.me "mkdir -p $SITE_DIR/directus/schema $SITE_DIR/directus/uploads $SITE_DIR/directus/extensions" scp .env.deploy root@alpha.mintel.me:$SITE_DIR/$ENV_FILE scp docker-compose.yaml root@alpha.mintel.me:$SITE_DIR/docker-compose.yaml ssh root@alpha.mintel.me "cd $SITE_DIR && echo '${{ secrets.REGISTRY_PASS }}' | docker login registry.infra.mintel.me -u '${{ secrets.REGISTRY_USER }}' --password-stdin" ssh root@alpha.mintel.me "cd $SITE_DIR && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' pull" ssh root@alpha.mintel.me "cd $SITE_DIR && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' up -d --remove-orphans" # Apply Directus Schema Snapshot if available ssh root@alpha.mintel.me "cd $SITE_DIR && if docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' exec -T directus ls /directus/schema/snapshot.yaml >/dev/null 2>&1; then echo '→ Applying Directus Schema Snapshot...' && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' exec -T directus npx directus schema apply /directus/schema/snapshot.yaml --yes; fi" ssh root@alpha.mintel.me "docker system prune -f --filter 'until=24h'" - name: 🧹 Post-Deploy Cleanup (Runner) if: always() run: docker builder prune -f --filter "until=1h" # ────────────────────────────────────────────────────────────────────────────── # JOB 5: Health Check # ────────────────────────────────────────────────────────────────────────────── healthcheck: name: 🩺 Health Check needs: [prepare, deploy] if: needs.deploy.result == 'success' runs-on: docker container: image: catthehacker/ubuntu:act-latest steps: - name: 🔍 Smoke Test run: | URL="${{ needs.prepare.outputs.next_public_url }}" echo "Checking health of $URL..." for i in {1..12}; do if curl -s -f "$URL" > /dev/null; then echo "✅ Health check passed!" exit 0 fi echo "Waiting for service to be ready... ($i/12)" sleep 10 done echo "❌ Health check failed after 2 minutes." exit 1 # ────────────────────────────────────────────────────────────────────────────── # JOB 6: Notifications # ────────────────────────────────────────────────────────────────────────────── notifications: name: 🔔 Notify needs: [prepare, deploy, healthcheck] if: always() runs-on: docker container: image: catthehacker/ubuntu:act-latest steps: - name: 🔔 Gotify run: | STATUS="${{ needs.deploy.result }}" TITLE="mb-grid-solutions.com: $STATUS" [[ "$STATUS" == "success" ]] && PRIORITY=5 || PRIORITY=8 curl -s -k -X POST "${{ secrets.GOTIFY_URL }}/message?token=${{ secrets.GOTIFY_TOKEN }}" \ -F "title=$TITLE" \ -F "message=Deploy to ${{ needs.prepare.outputs.target }} finished with status $STATUS.\nVersion: ${{ needs.prepare.outputs.image_tag }}" \ -F "priority=$PRIORITY" || true