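---
# Backend CI/CD: run tests on pull requests and on release tags, then (tags
# only) build/push the container image and bump the Helm values in the
# sova-deploy repository.
#
# Release tags follow `backend-v<version>-<env>` (constructed example:
# `backend-v1.2.3-staging`); `<env>` selects `apps/backend/values-<env>.yaml`.
name: backend-ci-cd

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - 'backend-v*'
  pull_request:
    branches: [main]

# Least privilege for the workflow token; registry and deploy-repo access use
# dedicated secrets below, so the token itself only needs to read the checkout.
permissions:
  contents: read

defaults:
  run:
    # Selecting `bash` explicitly enables `-e -o pipefail`, so a failing
    # command inside a pipeline (e.g. a download) fails the step instead of
    # being masked by the last command in the pipe.
    shell: bash

env:
  REGISTRY: gitea-http.gitea.svc.cluster.local:3000
  IMAGE: gitea-http.gitea.svc.cluster.local:3000/sova/backend

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin third-party actions to a full commit SHA rather than a
      # moving tag (supply-chain hardening); no digests are recorded here yet.
      - uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.4'
          extensions: pdo_pgsql, redis, intl, zip, gd

      - name: Prepare CI environment
        run: |
          cp .env.ci .env.local
          mkdir -p config/jwt var
          # Throwaway JWT key pair generated per run; it only exists for this job.
          openssl genrsa -out config/jwt/private.pem 2048
          openssl rsa -pubout -in config/jwt/private.pem -out config/jwt/public.pem

      - name: Install dependencies
        run: composer install --prefer-dist --no-interaction

      # Test failures must fail the job: build-and-push `needs` this job, and the
      # previous `|| true` let a broken test suite gate nothing.
      - name: Run tests
        run: composer phpunit

      # Dependency advisories are reported but do not block yet. Marking the
      # step `continue-on-error` (instead of `|| true`) keeps the failure
      # visible in the run summary so it can be promoted to blocking later.
      - name: Audit dependencies
        run: composer audit
        continue-on-error: true

  parse-tag:
    if: startsWith(github.ref, 'refs/tags/backend-v')
    runs-on: ubuntu-latest
    outputs:
      full_tag: ${{ steps.meta.outputs.full_tag }}
      env: ${{ steps.meta.outputs.env }}
      version: ${{ steps.meta.outputs.version }}
    steps:
      - name: Parse tag
        id: meta
        run: |
          TAG="${GITHUB_REF#refs/tags/}"
          # Reject anything that is not `backend-v<digits[.digits...]>-<lowercase env>`.
          # A malformed tag would otherwise produce a garbage `env` output and a
          # bogus values-file path in deploy-gitops.
          if [[ ! "$TAG" =~ ^backend-v([0-9]+(\.[0-9]+)*)-([a-z]+)$ ]]; then
            echo "::error::Tag '$TAG' does not match backend-v<version>-<env>"
            exit 1
          fi
          {
            echo "full_tag=$TAG"
            echo "version=${BASH_REMATCH[1]}"
            echo "env=${BASH_REMATCH[3]}"
          } >> "$GITHUB_OUTPUT"

  build-and-push:
    needs: [test, parse-tag]
    if: startsWith(github.ref, 'refs/tags/backend-v')
    runs-on: ubuntu-latest
    env:
      # Job outputs are passed as environment variables instead of `${{ }}`
      # inside `run:`, so tag-derived text is never spliced into shell source.
      FULL_TAG: ${{ needs.parse-tag.outputs.full_tag }}
      VERSION: ${{ needs.parse-tag.outputs.version }}
    steps:
      - uses: actions/checkout@v4

      - name: Docker login
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          echo "${REGISTRY_PASSWORD}" | docker login "$REGISTRY" -u "${REGISTRY_USER}" --password-stdin

      # NOTE(review): the bare `<version>` tag is shared by every environment
      # suffix of the same version and is overwritten on each push; consumers
      # needing immutability should reference `full_tag` or the image digest.
      - name: Build and push
        run: |
          docker build -f Dockerfile -t "${IMAGE}:${FULL_TAG}" -t "${IMAGE}:${VERSION}" .
          docker push "${IMAGE}:${FULL_TAG}"
          docker push "${IMAGE}:${VERSION}"

  deploy-gitops:
    needs: [build-and-push, parse-tag]
    if: startsWith(github.ref, 'refs/tags/backend-v')
    runs-on: ubuntu-latest
    env:
      DEPLOY_ENV: ${{ needs.parse-tag.outputs.env }}
      DEPLOY_TAG: ${{ needs.parse-tag.outputs.full_tag }}
      YQ_VERSION: v4.44.3
    steps:
      # TODO(review): verify the downloaded binary against a pinned sha256
      # (no digest is recorded in this workflow); `-f` at least makes an HTTP
      # error fail the step instead of installing an error page as `yq`.
      - name: Install yq
        run: |
          curl -sSfL -o /usr/local/bin/yq \
            "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64"
          chmod +x /usr/local/bin/yq
          yq --version

      - name: Bump image tag in sova-deploy
        env:
          DEPLOY_KEY: ${{ secrets.SOVA_DEPLOY_KEY }}
          HOST_IP: ${{ secrets.HOST_IP }}
        run: |
          echo "${HOST_IP} git.sova.local" | tee -a /etc/hosts
          eval "$(ssh-agent -s)"
          echo "$DEPLOY_KEY" | ssh-add -
          mkdir -p ~/.ssh
          # Trust-on-first-use of the Gitea host key: known_hosts is empty on a
          # fresh runner, so there is currently nothing to pin against.
          ssh-keyscan -H git.sova.local >> ~/.ssh/known_hosts 2>/dev/null || true
          git clone git@git.sova.local:sova/sova-deploy.git
          cd sova-deploy
          git config user.email "ci-bot@sova.local"
          git config user.name "sova-ci"

          VALUES_FILE="apps/backend/values-${DEPLOY_ENV}.yaml"
          if [[ ! -f "$VALUES_FILE" ]]; then
            echo "::error::No values file for environment '${DEPLOY_ENV}' (${VALUES_FILE})"
            exit 1
          fi

          MAX_RETRIES=5
          # Another job may push to main between our pull and push. On a
          # rejected push: drop our commit, re-pull, re-apply the edits, retry.
          for attempt in $(seq 1 "$MAX_RETRIES"); do
            git pull --rebase origin main
            yq -i ".image.repository = \"${IMAGE}\"" "$VALUES_FILE"
            yq -i ".image.tag = \"${DEPLOY_TAG}\"" "$VALUES_FILE"
            yq -i ".image.pullPolicy = \"IfNotPresent\"" "$VALUES_FILE"
            git add "$VALUES_FILE"
            git diff --cached --quiet && { echo "No changes"; exit 0; }
            git commit -m "chore(backend): bump ${DEPLOY_ENV} to ${DEPLOY_TAG}"
            if git push origin main; then
              echo "Push OK on attempt ${attempt}"
              exit 0
            fi
            echo "Push failed, retry ${attempt}/${MAX_RETRIES}..."
            git reset --hard HEAD~1
            sleep $((attempt * 2))
          done
          echo "Failed to push after ${MAX_RETRIES} attempts"
          exit 1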