143 lines
4.7 KiB
YAML
143 lines
4.7 KiB
YAML
name: Deploy Pounce (Auto)
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install deploy tooling
|
|
run: |
|
|
apt-get update
|
|
apt-get install -y --no-install-recommends openssh-client rsync ca-certificates
|
|
|
|
- name: Setup SSH key
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/deploy_key
|
|
chmod 600 ~/.ssh/deploy_key
|
|
ssh-keyscan -H "${{ secrets.DEPLOY_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null
|
|
|
|
- name: Sync repository to server
|
|
run: |
|
|
rsync -az --delete \
|
|
-e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes" \
|
|
--exclude ".git" \
|
|
--exclude "frontend/node_modules" \
|
|
--exclude "frontend/.next" \
|
|
--exclude "**/__pycache__" \
|
|
--exclude "**/*.pyc" \
|
|
./ \
|
|
"${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ secrets.DEPLOY_PATH }}/"
|
|
|
|
- name: Generate backend env file (from secrets)
|
|
env:
|
|
DATABASE_URL: ${{ secrets.DATABASE_URL }}
|
|
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
|
SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
|
|
STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
|
|
STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
|
|
GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
|
|
GH_OAUTH_SECRET: ${{ secrets.GH_OAUTH_SECRET }}
|
|
CZDS_USERNAME: ${{ secrets.CZDS_USERNAME }}
|
|
CZDS_PASSWORD: ${{ secrets.CZDS_PASSWORD }}
|
|
run: |
|
|
python3 - <<'PY'
|
|
import os
|
|
from pathlib import Path
|
|
|
|
env = {
|
|
# Core
|
|
"ENVIRONMENT": "production",
|
|
"ENABLE_SCHEDULER": "true",
|
|
"COOKIE_SECURE": "true",
|
|
"CORS_ORIGINS": "https://pounce.ch,https://www.pounce.ch",
|
|
"SITE_URL": "https://pounce.ch",
|
|
"FRONTEND_URL": "https://pounce.ch",
|
|
|
|
# Data dirs
|
|
"CZDS_DATA_DIR": "/data/czds",
|
|
"SWITCH_DATA_DIR": "/data/switch",
|
|
"ZONE_RETENTION_DAYS": "3",
|
|
|
|
# DB/Redis
|
|
"DATABASE_URL": os.environ["DATABASE_URL"],
|
|
"REDIS_URL": "redis://pounce-redis:6379/0",
|
|
|
|
# Auth
|
|
"SECRET_KEY": os.environ["SECRET_KEY"],
|
|
"JWT_SECRET": os.environ["SECRET_KEY"],
|
|
|
|
# SMTP
|
|
"SMTP_HOST": "smtp.zoho.eu",
|
|
"SMTP_PORT": "465",
|
|
"SMTP_USER": "hello@pounce.ch",
|
|
"SMTP_PASSWORD": os.environ["SMTP_PASSWORD"],
|
|
"SMTP_FROM_EMAIL": "hello@pounce.ch",
|
|
"SMTP_FROM_NAME": "pounce",
|
|
"SMTP_USE_TLS": "false",
|
|
"SMTP_USE_SSL": "true",
|
|
|
|
# Stripe
|
|
"STRIPE_SECRET_KEY": os.environ["STRIPE_SECRET_KEY"],
|
|
"STRIPE_PUBLISHABLE_KEY": "pk_live_51ScLbjCtFUamNRpNeFugrlTIYhszbo8GovSGiMnPwHpZX9p3SGtgG8iRHYRIlAtg9M9sl3mvT5r8pwXP3mOsPALG00Wk3j0wH4",
|
|
"STRIPE_PRICE_TRADER": "price_1ScRlzCtFUamNRpNQdMpMzxV",
|
|
"STRIPE_PRICE_TYCOON": "price_1SdwhSCtFUamNRpNEXTSuGUc",
|
|
"STRIPE_WEBHOOK_SECRET": os.environ["STRIPE_WEBHOOK_SECRET"],
|
|
|
|
# OAuth
|
|
"GOOGLE_CLIENT_ID": "865146315769-vi7vcu91d3i7huv8ikjun52jo9ob7spk.apps.googleusercontent.com",
|
|
"GOOGLE_CLIENT_SECRET": os.environ["GOOGLE_CLIENT_SECRET"],
|
|
"GOOGLE_REDIRECT_URI": "https://pounce.ch/api/v1/oauth/google/callback",
|
|
|
|
"GITHUB_CLIENT_ID": "Ov23liBjROk39vYXi3G5",
|
|
"GITHUB_CLIENT_SECRET": os.environ["GH_OAUTH_SECRET"],
|
|
"GITHUB_REDIRECT_URI": "https://pounce.ch/api/v1/oauth/github/callback",
|
|
|
|
# CZDS
|
|
"CZDS_USERNAME": os.environ["CZDS_USERNAME"],
|
|
"CZDS_PASSWORD": os.environ["CZDS_PASSWORD"],
|
|
}
|
|
|
|
lines = []
|
|
for k, v in env.items():
|
|
if v is None:
|
|
continue
|
|
lines.append(f"{k}={v}")
|
|
|
|
Path("backend.env").write_text("\n".join(lines) + "\n")
|
|
PY
|
|
|
|
- name: Upload backend env to server
|
|
run: |
|
|
rsync -az \
|
|
-e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes" \
|
|
./backend.env \
|
|
"${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:/tmp/pounce-backend.env"
|
|
|
|
- name: Deploy on server (pounce-deploy)
|
|
run: |
|
|
ssh -i ~/.ssh/deploy_key "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}" << 'DEPLOY_EOF'
|
|
set -euo pipefail
|
|
mkdir -p /data/pounce/env
|
|
# Move env file into place (requires no password due to sudoers rule)
|
|
sudo mv /tmp/pounce-backend.env /data/pounce/env/backend.env
|
|
sudo chmod 600 /data/pounce/env/backend.env
|
|
sudo /usr/local/bin/pounce-deploy
|
|
DEPLOY_EOF
|
|
|
|
- name: Summary
|
|
run: |
|
|
echo "=========================================="
|
|
echo "🎉 AUTO DEPLOY COMPLETED"
|
|
echo "=========================================="
|
|
echo "Commit: ${{ github.sha }}"
|
|
echo "Backend: https://api.pounce.ch"
|
|
echo "Web: https://pounce.ch"
|
|
echo "=========================================="
|