groombook-paperclip[bot]
3b7b2b346f
Adds a deploy job that runs after Docker images are pushed to GHCR. It checks out groombook/infra, updates all image SHA tags in the Kubernetes manifests, and commits directly to main. This ensures Flux always picks up new images after a successful build, preventing the previous issue where :latest tags caused no manifest diff and pods weren't updated. Requires INFRA_DEPLOY_TOKEN secret with push access to groombook/infra. Co-authored-by: Groom Book CTO <cto@groombook.dev> Co-authored-by: Paperclip <noreply@paperclip.ing>
219 lines
5.7 KiB
YAML
219 lines
5.7 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
lint-typecheck:
|
|
name: Lint & Typecheck
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: pnpm/action-setup@v4
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20
|
|
cache: pnpm
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Typecheck
|
|
run: pnpm typecheck
|
|
|
|
- name: Lint
|
|
run: pnpm lint
|
|
|
|
test:
|
|
name: Test
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: pnpm/action-setup@v4
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20
|
|
cache: pnpm
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Run tests
|
|
run: pnpm test
|
|
|
|
e2e:
|
|
name: E2E Tests
|
|
runs-on: ubuntu-latest
|
|
needs: [lint-typecheck, test]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: pnpm/action-setup@v4
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20
|
|
cache: pnpm
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Install Playwright browsers
|
|
run: pnpm --filter @groombook/e2e exec playwright install --with-deps chromium
|
|
|
|
- name: Start Docker Compose stack
|
|
run: docker compose up -d --wait
|
|
timeout-minutes: 5
|
|
|
|
- name: Run E2E tests
|
|
run: pnpm --filter @groombook/e2e test
|
|
|
|
- name: Upload Playwright report
|
|
if: failure()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: playwright-report
|
|
path: apps/e2e/playwright-report/
|
|
retention-days: 7
|
|
|
|
- name: Stop Docker Compose stack
|
|
if: always()
|
|
run: docker compose down
|
|
|
|
build:
|
|
name: Build
|
|
runs-on: ubuntu-latest
|
|
needs: [lint-typecheck, test]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: pnpm/action-setup@v4
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20
|
|
cache: pnpm
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Build all packages
|
|
run: pnpm build
|
|
|
|
docker:
|
|
name: Build & Push Docker Images
|
|
runs-on: ubuntu-latest
|
|
needs: [build]
|
|
if: github.ref == 'refs/heads/main'
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log in to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Build and push API image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: apps/api/Dockerfile
|
|
target: runner
|
|
push: true
|
|
tags: |
|
|
ghcr.io/groombook/api:${{ github.sha }}
|
|
ghcr.io/groombook/api:latest
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Build and push Migrate image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: apps/api/Dockerfile
|
|
target: migrate
|
|
push: true
|
|
tags: |
|
|
ghcr.io/groombook/migrate:${{ github.sha }}
|
|
ghcr.io/groombook/migrate:latest
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Build and push Seed image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: apps/api/Dockerfile
|
|
target: seed
|
|
push: true
|
|
tags: |
|
|
ghcr.io/groombook/seed:${{ github.sha }}
|
|
ghcr.io/groombook/seed:latest
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Build and push Web image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: apps/web/Dockerfile
|
|
push: true
|
|
tags: |
|
|
ghcr.io/groombook/web:${{ github.sha }}
|
|
ghcr.io/groombook/web:latest
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
deploy:
|
|
name: Update Infra Image Tags
|
|
runs-on: ubuntu-latest
|
|
needs: [docker]
|
|
if: github.ref == 'refs/heads/main'
|
|
steps:
|
|
- name: Checkout infra repo
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: groombook/infra
|
|
token: ${{ secrets.INFRA_DEPLOY_TOKEN }}
|
|
path: infra
|
|
|
|
- name: Update image tags
|
|
run: |
|
|
cd infra
|
|
SHA="${{ github.sha }}"
|
|
sed -i "s|ghcr.io/groombook/api:[a-f0-9]\{40\}|ghcr.io/groombook/api:${SHA}|g" apps/groombook/api.yaml
|
|
sed -i "s|ghcr.io/groombook/web:[a-f0-9]\{40\}|ghcr.io/groombook/web:${SHA}|g" apps/groombook/web.yaml
|
|
sed -i "s|ghcr.io/groombook/migrate:[a-f0-9]\{40\}|ghcr.io/groombook/migrate:${SHA}|g" apps/groombook/migrate-job.yaml
|
|
sed -i "s|ghcr.io/groombook/seed:[a-f0-9]\{40\}|ghcr.io/groombook/seed:${SHA}|g" apps/groombook/seed-job.yaml
|
|
sed -i "s|groombook.dev/image-sha: \"[a-f0-9]\{40\}\"|groombook.dev/image-sha: \"${SHA}\"|g" apps/groombook/api.yaml apps/groombook/web.yaml
|
|
|
|
- name: Commit and push
|
|
run: |
|
|
cd infra
|
|
git config user.name "groombook-ci[bot]"
|
|
git config user.email "ci@groombook.dev"
|
|
if git diff --quiet; then
|
|
echo "No changes to commit"
|
|
exit 0
|
|
fi
|
|
git add -A
|
|
git commit -m "deploy: update images to groombook/groombook@${GITHUB_SHA::7}
|
|
|
|
Source: https://github.com/groombook/groombook/commit/${GITHUB_SHA}"
|
|
git push
|