backend/.gitea/workflows/build.yml

---
# Backend pipeline: tests run on pull requests to main and on release tags;
# the image build and the GitOps bump run only for tags matching backend-v*.
name: backend-ci-cd

on:
  push:
    tags:
      - 'backend-v*'
  pull_request:
    branches:
      - main

# Shared by every job: registry host and the image repository inside it.
env:
  REGISTRY: 'git.sova.local'
  IMAGE: 'git.sova.local/sova/backend'
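jobs:
  # Installs dependencies, then runs the test suite and a dependency audit.
  test:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions in this file are referenced by mutable tags
      # (@v4, @v2). Pinning each one to a full commit SHA keeps a re-tagged
      # upstream release from changing what runs in this pipeline.
      - uses: actions/checkout@v4
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.4'
          extensions: pdo_pgsql, redis, intl, zip, gd
      - name: Prepare CI environment
        # The RSA key pair is generated per run and written to config/jwt/;
        # no long-lived signing key is needed for the test job.
        run: |
          cp .env.ci .env.local
          mkdir -p config/jwt var
          openssl genrsa -out config/jwt/private.pem 2048
          openssl rsa -pubout -in config/jwt/private.pem -out config/jwt/public.pem
      - run: composer install --prefer-dist --no-interaction
      # NOTE(review): `|| true` forces both steps to succeed, so failing tests
      # and reported advisories never fail this job. build-and-push lists
      # `test` in `needs`, but with these two steps unable to fail it only
      # gates on checkout, PHP setup and composer install. Drop `|| true`
      # (at least on phpunit) if the release is meant to depend on the result.
      - run: composer phpunit || true
      - run: composer audit || true

  # Splits a release tag (backend-v<version>-<env>) into the pieces the later
  # jobs consume.
  parse-tag:
    if: startsWith(github.ref, 'refs/tags/backend-v')
    runs-on: ubuntu-latest
    outputs:
      full_tag: ${{ steps.meta.outputs.full_tag }}
      env: ${{ steps.meta.outputs.env }}
      version: ${{ steps.meta.outputs.version }}
    steps:
      - name: Parse tag
        id: meta
        run: |
          TAG="${GITHUB_REF#refs/tags/}"
          # The tag name is chosen by whoever pushes the tag and later ends up
          # in an image reference, a file path and a yq expression. Git allows
          # characters such as $ ` " ; in ref names, so restrict the tag to the
          # alphabet Docker accepts for image tags before publishing any output.
          case "$TAG" in
            *[!A-Za-z0-9._-]*)
              echo "Tag contains characters outside [A-Za-z0-9._-]; refusing to continue" >&2
              exit 1
              ;;
          esac
          echo "full_tag=$TAG" >> "$GITHUB_OUTPUT"
          # sed prints its input unchanged when the pattern does not match, so a
          # tag without a "-<env>" suffix yields env == the whole tag.
          echo "env=$(echo "$TAG" | sed -E 's/backend-v([0-9.]+)-([a-z]+)/\2/')" >> "$GITHUB_OUTPUT"
          echo "version=$(echo "$TAG" | sed -E 's/backend-v([0-9.]+).*/\1/')" >> "$GITHUB_OUTPUT"

  # Builds the image and pushes it under the full tag and the bare version.
  build-and-push:
    needs: [test, parse-tag]
    if: startsWith(github.ref, 'refs/tags/backend-v')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Docker login
        env:
          GITEA_HOST_IP: ${{ secrets.GITEA_HOST_IP }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          # tee echoes what it appends; discard stdout so the address from the
          # secret is not written to the job log.
          echo "${GITEA_HOST_IP} git.sova.local" | tee -a /etc/hosts > /dev/null
          echo "${REGISTRY_PASSWORD}" | docker login "$REGISTRY" -u sova-ci --password-stdin
      - name: Build and push
        # Job outputs are handed over as environment variables instead of
        # being expanded into the script text, so their content is always
        # treated as data by the shell and never parsed as shell syntax.
        env:
          FULL_TAG: ${{ needs.parse-tag.outputs.full_tag }}
          VERSION: ${{ needs.parse-tag.outputs.version }}
        run: |
          docker build -f Dockerfile -t "$IMAGE:${FULL_TAG}" -t "$IMAGE:${VERSION}" .
          docker push "$IMAGE:${FULL_TAG}"
          docker push "$IMAGE:${VERSION}"

  # Writes the new image tag into the sova-deploy repository for the target
  # environment and pushes the commit to main.
  deploy-gitops:
    needs: [build-and-push, parse-tag]
    if: startsWith(github.ref, 'refs/tags/backend-v')
    runs-on: ubuntu-latest
    steps:
      - name: Bump image tag in sova-deploy
        env:
          DEPLOY_KEY: ${{ secrets.SOVA_DEPLOY_KEY }}
          GITEA_HOST_IP: ${{ secrets.GITEA_HOST_IP }}
          # Passed through the environment for the same reason as in
          # build-and-push: no template expansion inside the script body.
          DEPLOY_ENV: ${{ needs.parse-tag.outputs.env }}
          IMAGE_TAG: ${{ needs.parse-tag.outputs.full_tag }}
        run: |
          echo "${GITEA_HOST_IP} git.sova.local" | tee -a /etc/hosts > /dev/null
          eval "$(ssh-agent -s)"
          echo "$DEPLOY_KEY" | ssh-add -
          mkdir -p ~/.ssh
          # NOTE(review): the host key is fetched at run time and trusted as
          # returned, with errors discarded. That does not authenticate the git
          # server for a connection that carries a key with push access;
          # providing a pinned known_hosts entry (for example from a secret)
          # would. Left unchanged because it needs configuration outside
          # this file.
          ssh-keyscan -H git.sova.local >> ~/.ssh/known_hosts 2>/dev/null || true
          git clone git@git.sova.local:sova/sova-deploy.git
          cd sova-deploy
          ENV="$DEPLOY_ENV"
          TAG="$IMAGE_TAG"
          git config user.email "ci-bot@sova.local"
          git config user.name "sova-ci"
          MAX_RETRIES=5
          # Retry loop for concurrent pushes to main: rebase, re-apply the
          # bump, push; on a rejected push drop the local commit and try again
          # with a growing delay.
          for attempt in $(seq 1 $MAX_RETRIES); do
            git pull --rebase origin main
            # TAG is spliced into the yq expression and ENV into the path; both
            # rely on the character check done in parse-tag.
            yq -i ".image.tag = \"${TAG}\"" "apps/backend/values-${ENV}.yaml"
            git add "apps/backend/values-${ENV}.yaml"
            git diff --cached --quiet && { echo "No changes"; exit 0; }
            git commit -m "chore(backend): bump ${ENV} to ${TAG}"
            if git push origin main; then
              echo "Push OK on attempt ${attempt}"
              exit 0
            fi
            echo "Push failed, retry ${attempt}/${MAX_RETRIES}..."
            git reset --hard HEAD~1
            sleep $((attempt * 2))
          done
          echo "Failed to push after ${MAX_RETRIES} attempts"
          exit 1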