BTHLABS-63: Production deployment workflow

2025-11-06 20:34:44 +00:00
parent d8bbe57b17
commit e800d0c16c
42 changed files with 786 additions and 97 deletions
--- a/.gitea/workflows/production.yaml
+++ b/.gitea/workflows/production.yaml
@@ -0,0 +1,76 @@
+name: "Production deployment"
+
+on:
+  release:
+    types: ["published"]
+
+jobs:
+  build-for-production:
+    name: "Build"
+    uses: "./.gitea/workflows/build-deployment-images.yaml"
+    with:
+      target: "deployment"
+      platform: "linux/amd64"
+    secrets:
+      VAULT_ROLE_ID: "${{ secrets.VAULT_ROLE_ID }}"
+      VAULT_SECRET_ID: "${{ secrets.VAULT_SECRET_ID }}"
+
+  deploy-to-production:
+    name: "Deploy"
+    runs-on: "ubuntu-latest"
+    needs:
+      - "build-for-production"
+    steps:
+      - name: "Checkout the code"
+        uses: "actions/checkout@v2"
+      - name: "Get build options"
+        id: "get-build-options"
+        uses: "./.gitea/actions/get-build-options"
+      - name: "Get `backend` version"
+        id: "get-backend-version"
+        uses: "./.gitea/actions/get-service-version"
+        with:
+          service: "backend"
+      - name: "Import Secrets"
+        id: "import-secrets"
+        uses: "hashicorp/vault-action@v2"
+        with:
+          url: "https://vault.bthlabs.pl/"
+          method: "approle"
+          roleId: "${{ secrets.VAULT_ROLE_ID }}"
+          secretId: "${{ secrets.VAULT_SECRET_ID }}"
+          secrets: |
+            gitea/data/hotpocket.app ansible_vault_payload | ANSIBLE_VAULT_PAYLOAD ;
+            gitea/data/hotpocket.app ansible_vault_password | ANSIBLE_VAULT_PASSWORD ;
+            gitea/data/hotpocket.app ansible_inventory_payload | ANSIBLE_INVENTORY_PAYLOAD ;
+            gitea/data/hotpocket.app ssh_key_payload | SSH_KEY_PAYLOAD
+      - name: "Setup Ansible"
+        uses: "./.gitea/actions/setup-ansible"
+      - name: "Prepare Ansible secrets"
+        run: |
+          set -x
+
+          mkdir deployment/hotpocket_app/.ci
+          echo "${ANSIBLE_VAULT_PAYLOAD}" | base64 -d >"deployment/hotpocket_app/env_vars/production/vault.yaml"
+          echo "${ANSIBLE_VAULT_PASSWORD}" >"deployment/hotpocket_app/.ci/vault_password"
+          echo "${ANSIBLE_INVENTORY_PAYLOAD}" | base64 -d >"deployment/hotpocket_app/inventory_ci.yaml"
+          echo "${SSH_KEY_PAYLOAD}" | base64 -d >"deployment/hotpocket_app/.ci/ssh_key"
+          chmod 600 deployment/hotpocket_app/.ci/ssh_key
+      - name: "Engage!"
+        env:
+          VERSION: "${{ steps.get-backend-version.outputs.version }}"
+          BUILD: "${{ steps.get-backend-version.outputs.build-number }}"
+        run: |
+          set -x
+
+          (
+            cd deployment/hotpocket_app ;
+            ANSIBLE_HOST_KEY_CHECKING="False" /opt/ansible/bin/ansible-playbook \
+              -i inventory_ci.yaml \
+              --vault-id hotpocket@.ci/vault_password \
+              -e @env_vars/production/vars.yaml \
+              -e @env_vars/production/vault.yaml \
+              -e hotpocket_app_image_tag="deployment-${VERSION}-${BUILD}" \
+              --limit "*.production.hotpocket.app" \
+              deploy.yaml
+          )