Valery Petrov
77267619ad
backend-ci-cd / parse-tag (push) Has been cancelled
backend-ci-cd / test (push) Has been cancelled
backend-ci-cd / test-prod-skip (push) Has been cancelled
backend-ci-cd / build-and-push (push) Has been cancelled
backend-ci-cd / deploy-gitops (push) Has been cancelled
155 lines
5.9 KiB
YAML
155 lines
5.9 KiB
YAML
name: backend-ci-cd
|
|
|
|
# CI/CD: только push git-тега. Pre-deploy tests на test|stage; prod — без тестов (ручной аппрув релиза).
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'backend-v*'
|
|
|
|
env:
|
|
REGISTRY: gitea-http.gitea.svc.cluster.local:3000
|
|
IMAGE: gitea-http.gitea.svc.cluster.local:3000/sova/backend
|
|
IMAGE_DEPLOY: git.sova.local/sova/backend
|
|
|
|
jobs:
|
|
parse-tag:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
full_tag: ${{ steps.meta.outputs.full_tag }}
|
|
env: ${{ steps.meta.outputs.env }}
|
|
version: ${{ steps.meta.outputs.version }}
|
|
steps:
|
|
- name: Parse tag
|
|
id: meta
|
|
run: |
|
|
TAG="${GITHUB_REF#refs/tags/}"
|
|
echo "full_tag=$TAG" >> "$GITHUB_OUTPUT"
|
|
echo "env=$(echo "$TAG" | sed -E 's/backend-v([0-9.]+)-([a-z]+)/\2/')" >> "$GITHUB_OUTPUT"
|
|
echo "version=$(echo "$TAG" | sed -E 's/backend-v([0-9.]+).*/\1/')" >> "$GITHUB_OUTPUT"
|
|
|
|
test:
|
|
needs: [parse-tag]
|
|
if: needs.parse-tag.outputs.env != 'prod'
|
|
runs-on: ubuntu-latest
|
|
services:
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
env:
|
|
POSTGRES_USER: ci
|
|
POSTGRES_PASSWORD: ci
|
|
POSTGRES_DB: ci
|
|
ports:
|
|
- 5432:5432
|
|
options: >-
|
|
--health-cmd "pg_isready -U ci -d ci"
|
|
--health-interval 5s
|
|
--health-timeout 5s
|
|
--health-retries 10
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Setup PHP
|
|
uses: shivammathur/setup-php@v2
|
|
with:
|
|
php-version: '8.4'
|
|
extensions: pdo_pgsql, redis, intl, zip, gd
|
|
coverage: xdebug
|
|
- name: Prepare CI environment
|
|
run: |
|
|
cp .env.ci .env.local
|
|
mkdir -p config/jwt var/coverage
|
|
openssl genrsa -out config/jwt/private.pem 2048
|
|
openssl rsa -pubout -in config/jwt/private.pem -out config/jwt/public.pem
|
|
- run: composer install --prefer-dist --no-interaction
|
|
- name: Unit tests + coverage
|
|
run: composer phpunit:coverage
|
|
- name: Integration tests (test contour only)
|
|
if: needs.parse-tag.outputs.env == 'test'
|
|
continue-on-error: true
|
|
run: |
|
|
php bin/console doctrine:database:create --if-not-exists --env=test || true
|
|
php bin/console doctrine:migrations:migrate --no-interaction --env=test || true
|
|
composer phpunit:integration
|
|
- name: Upload coverage
|
|
if: always()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: backend-coverage-${{ needs.parse-tag.outputs.full_tag }}
|
|
path: var/coverage/
|
|
retention-days: 14
|
|
- run: composer audit || true
|
|
|
|
test-prod-skip:
|
|
needs: [parse-tag]
|
|
if: needs.parse-tag.outputs.env == 'prod'
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: echo "Prod tag — automated tests skipped (no tests on production contour)."
|
|
|
|
build-and-push:
|
|
needs: [parse-tag, test, test-prod-skip]
|
|
if: always() && (needs.test.result == 'success' || needs.test.result == 'skipped') && (needs.test-prod-skip.result == 'success' || needs.test-prod-skip.result == 'skipped')
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Docker login
|
|
env:
|
|
REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
|
|
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
|
|
run: |
|
|
echo "${REGISTRY_PASSWORD}" | docker login "$REGISTRY" -u "${REGISTRY_USER}" --password-stdin
|
|
- name: Build and push
|
|
run: |
|
|
TAG="${{ needs.parse-tag.outputs.full_tag }}"
|
|
docker build -f Dockerfile -t "$IMAGE:${TAG}" -t "$IMAGE:${{ needs.parse-tag.outputs.version }}" .
|
|
docker push "$IMAGE:${TAG}"
|
|
docker push "$IMAGE:${{ needs.parse-tag.outputs.version }}"
|
|
|
|
deploy-gitops:
|
|
needs: [build-and-push, parse-tag]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Bump image tag in sova-deploy
|
|
env:
|
|
DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
|
|
DEPLOY_USER: ${{ secrets.REGISTRY_USER }}
|
|
run: |
|
|
REPO_URL="http://${DEPLOY_USER}:${DEPLOY_TOKEN}@gitea-http.gitea.svc.cluster.local:3000/sova/sova-deploy.git"
|
|
ENV="${{ needs.parse-tag.outputs.env }}"
|
|
TAG="${{ needs.parse-tag.outputs.full_tag }}"
|
|
case "${ENV}" in
|
|
test|stage|prod) ;;
|
|
*) echo "Unknown env from tag: ${ENV} (expected test|stage|prod)"; exit 1 ;;
|
|
esac
|
|
git clone --branch "${ENV}" --single-branch "${REPO_URL}" sova-deploy 2>/dev/null \
|
|
|| { git clone "${REPO_URL}" sova-deploy && cd sova-deploy && git checkout -B "${ENV}"; }
|
|
cd sova-deploy
|
|
git config user.email "ci-bot@sova.local"
|
|
git config user.name "sova-ci"
|
|
MAX_RETRIES=5
|
|
case "$(uname -m)" in
|
|
x86_64|amd64) YQ_ARCH=amd64 ;;
|
|
aarch64|arm64) YQ_ARCH=arm64 ;;
|
|
*) echo "Unsupported arch: $(uname -m)"; exit 1 ;;
|
|
esac
|
|
curl -sSL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_${YQ_ARCH}"
|
|
chmod +x /usr/local/bin/yq
|
|
for attempt in $(seq 1 $MAX_RETRIES); do
|
|
git pull --rebase origin "${ENV}"
|
|
yq -i ".image.repository = \"${IMAGE_DEPLOY}\"" "apps/backend/values-${ENV}.yaml"
|
|
yq -i ".image.tag = \"${TAG}\"" "apps/backend/values-${ENV}.yaml"
|
|
yq -i ".image.pullPolicy = \"IfNotPresent\"" "apps/backend/values-${ENV}.yaml"
|
|
git add "apps/backend/values-${ENV}.yaml"
|
|
git diff --cached --quiet && { echo "No changes"; exit 0; }
|
|
git commit -m "chore(backend): bump ${ENV} to ${TAG}"
|
|
if git push origin "${ENV}"; then
|
|
echo "Push OK on attempt ${attempt}"
|
|
exit 0
|
|
fi
|
|
echo "Push failed, retry ${attempt}/${MAX_RETRIES}..."
|
|
git reset --hard HEAD~1
|
|
sleep $((attempt * 2))
|
|
done
|
|
echo "Failed to push after ${MAX_RETRIES} attempts"
|
|
exit 1
|