senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(ci): repair CD pipeline -- use vars.* instead of secrets.* in if conditions, target Dockerfile.production

Browse source
This commit is contained in:
senke 2026-02-22 17:23:43 +01:00
parent 40c31b8c3d
commit eb82e02c83
1 changed files with 35 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

65
.github/workflows/cd.yml vendored
View file

@ -15,11 +15,10 @@ on:
- production - production
jobs: jobs:
deploy: build:
name: Deploy to ${{ github.event.inputs.environment || 'staging' }} name: Build and push images
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
environment: ${{ github.event.inputs.environment || 'staging' }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@ -31,21 +30,16 @@ jobs:
# Example: DOCKER_REGISTRY=ghcr.io/org/repo or registry.example.com/veza # Example: DOCKER_REGISTRY=ghcr.io/org/repo or registry.example.com/veza
- name: Build Backend Docker Image - name: Build Backend Docker Image
run: | run: |
cd veza-backend-api docker build -t veza-backend-api:${{ github.sha }} -f veza-backend-api/Dockerfile.production veza-backend-api/
docker build -t veza-backend-api:${{ github.sha }} .
- name: Build Frontend Docker Image - name: Build Frontend Docker Image
run: | run: |
cd apps/web docker build -t veza-frontend:${{ github.sha }} -f apps/web/Dockerfile.production apps/web/
docker build -t veza-frontend:${{ github.sha }} .
- name: Build Rust Services Docker Images - name: Build Rust Services Docker Images
run: | run: |
cd veza-chat-server docker build -t veza-chat-server:${{ github.sha }} -f veza-chat-server/Dockerfile.production veza-chat-server/
docker build -t veza-chat-server:${{ github.sha }} . docker build -t veza-stream-server:${{ github.sha }} -f veza-stream-server/Dockerfile.production veza-stream-server/
cd ../veza-stream-server
docker build -t veza-stream-server:${{ github.sha }} .
- name: Trivy vulnerability scan - name: Trivy vulnerability scan
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/trivy-action@0.28.0
@ -92,41 +86,56 @@ jobs:
path: sbom/ path: sbom/
- name: Push Images to Registry - name: Push Images to Registry
if: ${{ secrets.DOCKER_REGISTRY != '' }} if: vars.DOCKER_REGISTRY != ''
run: | run: |
echo "${{ secrets.DOCKER_REGISTRY_PASSWORD }}" | docker login "${{ secrets.DOCKER_REGISTRY }}" -u "${{ secrets.DOCKER_REGISTRY_USERNAME }}" --password-stdin echo "${{ secrets.DOCKER_REGISTRY_PASSWORD }}" | docker login "${{ vars.DOCKER_REGISTRY }}" -u "${{ secrets.DOCKER_REGISTRY_USERNAME }}" --password-stdin
for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
docker tag "${svc}:${{ github.sha }}" "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
docker tag "${svc}:${{ github.sha }}" "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest" docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest" docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
done done
- name: Install cosign - name: Install cosign
if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }} if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true'
uses: sigstore/cosign-installer@v3 uses: sigstore/cosign-installer@v3
with: with:
cosign-release: 'v2.2.0' cosign-release: 'v2.2.0'
- name: Sign images with cosign - name: Sign images with cosign
if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }} if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true'
env: env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
run: | run: |
for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest" cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
done done
- name: Build Summary
run: |
echo "## Build Summary" >> $GITHUB_STEP_SUMMARY
echo "- Backend: veza-backend-api:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
echo "- Frontend: veza-frontend:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
echo "- Chat Server: veza-chat-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
echo "- Stream Server: veza-stream-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
deploy:
name: Deploy to ${{ github.event.inputs.environment || 'staging' }}
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
environment: ${{ github.event.inputs.environment || 'staging' }}
steps:
- name: Deploy to Kubernetes - name: Deploy to Kubernetes
if: ${{ secrets.KUBE_CONFIG != '' }} if: vars.KUBE_CONFIG_SET == 'true'
run: | run: |
KUBECONFIG="${{ runner.temp }}/kubeconfig" KUBECONFIG="${{ runner.temp }}/kubeconfig"
echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > "$KUBECONFIG" echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > "$KUBECONFIG"
chmod 600 "$KUBECONFIG" chmod 600 "$KUBECONFIG"
export KUBECONFIG export KUBECONFIG
for svc in veza-backend-api veza-chat-server veza-stream-server; do for svc in veza-backend-api veza-chat-server veza-stream-server; do
kubectl set image "deployment/${svc}" "${svc}=${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" \ kubectl set image "deployment/${svc}" "${svc}=${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" \
-n veza --record || echo "Skipping ${svc} (deployment not found)" -n veza --record || echo "Skipping ${svc} (deployment not found)"
done done
kubectl rollout status deployment/veza-backend-api -n veza --timeout=300s || true kubectl rollout status deployment/veza-backend-api -n veza --timeout=300s || true
@ -135,17 +144,13 @@ jobs:
- name: Deployment Summary - name: Deployment Summary
run: | run: |
echo "## Deployment Summary" >> $GITHUB_STEP_SUMMARY echo "## Deployment Summary" >> $GITHUB_STEP_SUMMARY
echo "- Backend: veza-backend-api:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
echo "- Frontend: veza-frontend:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
echo "- Chat Server: veza-chat-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
echo "- Stream Server: veza-stream-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
echo "- Environment: ${{ github.event.inputs.environment || 'staging' }}" >> $GITHUB_STEP_SUMMARY echo "- Environment: ${{ github.event.inputs.environment || 'staging' }}" >> $GITHUB_STEP_SUMMARY
smoke-post-deploy: smoke-post-deploy:
name: Smoke tests post-deploy name: Smoke tests post-deploy
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: deploy needs: deploy
if: ${{ secrets.STAGING_URL != '' || vars.STAGING_URL != '' }} if: vars.STAGING_URL != ''
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@ -163,7 +168,7 @@ jobs:
- name: Run smoke tests - name: Run smoke tests
env: env:
PLAYWRIGHT_BASE_URL: ${{ secrets.STAGING_URL || vars.STAGING_URL }} PLAYWRIGHT_BASE_URL: ${{ vars.STAGING_URL }}
run: | run: |
cd apps/web cd apps/web
npx playwright test --config=playwright.config.smoke.ts npx playwright test --config=playwright.config.smoke.ts