Enhance Nomad support and security in CORS and system tests (#77) #69
| name: Deploy | |
| on: | |
| push: | |
| branches: [main] | |
| concurrency: | |
| group: deploy | |
| cancel-in-progress: false | |
| env: | |
| REGISTRY: ghcr.io | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | |
| jobs: | |
| validate: | |
| name: Validate Nomad Jobs | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Install Nomad | |
| run: | | |
| curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
| echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \ | |
| | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null | |
| sudo apt-get update && sudo apt-get install -y nomad | |
| - name: Validate HCL and JSON | |
| run: | | |
| find infra/nomad/jobs -name '*.hcl' -print0 | sort -z | while IFS= read -r -d '' f; do | |
| echo "==> $f" | |
| nomad fmt -check "$f" | |
| nomad job validate "$f" | |
| done | |
| find infra/nomad/vault -name '*.json' -print0 | while IFS= read -r -d '' f; do | |
| echo "==> $f" | |
| python3 -m json.tool "$f" > /dev/null | |
| done | |
| build-and-push: | |
| name: Build & Push Images | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| contents: read | |
| strategy: | |
| matrix: | |
| service: | |
| - name: auth-api | |
| dockerfile: services/auth-api/Dockerfile | |
| - name: assistant-api | |
| dockerfile: services/assistant-api/Dockerfile | |
| - name: auth-ui | |
| dockerfile: services/auth-ui/Dockerfile | |
| - name: assistant-ui | |
| dockerfile: services/assistant-ui/Dockerfile | |
| - name: app-ui | |
| dockerfile: services/app-ui/Dockerfile | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Set image prefix (lowercase) | |
| run: echo "IMAGE_PREFIX=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV" | |
| - uses: docker/setup-buildx-action@v4 | |
| - uses: docker/login-action@v4 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| file: ${{ matrix.service.dockerfile }} | |
| push: true | |
| tags: | | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/${{ matrix.service.name }}:${{ github.sha }} | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/${{ matrix.service.name }}:latest | |
| cache-from: type=gha,scope=${{ matrix.service.name }} | |
| cache-to: type=gha,mode=max,scope=${{ matrix.service.name }} | |
| deploy: | |
| name: Deploy to Nomad | |
| runs-on: ubuntu-latest | |
| needs: [validate, build-and-push] | |
| permissions: | |
| packages: read | |
| contents: read | |
| environment: production | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Deploy via SSH | |
| uses: appleboy/ssh-action@v1 | |
| env: | |
| NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }} | |
| with: | |
| host: ${{ secrets.DEPLOY_HOST }} | |
| username: ${{ secrets.DEPLOY_USER }} | |
| key: ${{ secrets.DEPLOY_SSH_KEY }} | |
| port: 2222 | |
| command_timeout: 20m | |
| envs: NOMAD_TOKEN | |
| script: | | |
| set -euo pipefail | |
| cd /opt/personal-stack | |
| git fetch origin main | |
| git reset --hard '${{ github.sha }}' | |
| export IMAGE_TAG='${{ github.sha }}' | |
| export IMAGE_REPO="ghcr.io/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" | |
| export NOMAD_TOKEN | |
| : "${NOMAD_TOKEN:?NOMAD_TOKEN secret is required}" | |
| echo "Deploying ${IMAGE_REPO} at ${IMAGE_TAG}" | |
| bash infra/scripts/deploy.sh --phase all --wait |
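Review bot: The workflow declares no top-level `permissions`, so the `validate` job, which has no `permissions:` block of its own, runs with whatever default GITHUB_TOKEN scope the repository grants, and that default may be read-write; adding `permissions:` / `  contents: read` at workflow level (next to `env:`) makes every job start read-only while the `build-and-push` and `deploy` jobs keep the grants they already spell out. The `appleboy/ssh-action@v1` step is handed the deploy SSH key and `NOMAD_TOKEN` but, like the `docker/*` actions, is pinned only by a mutable major tag; pinning it to a full commit SHA (`uses: appleboy/ssh-action@<full-commit-sha>  # v1`) ensures a moved tag cannot change what code receives those secrets. The Install Nomad step also dearmors a signing key fetched with `curl` straight into the keyring with no fingerprint comparison, so the `signed-by=` constraint only pins whatever key the download returned; checking the fingerprint of the fetched key against the expected value before writing `/usr/share/keyrings/hashicorp-archive-keyring.gpg` would make that verification meaningful. Indentation was lost in this rendering, so the nesting above is inferred from the key names.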