.github/workflows/build.yaml
---
name: Build and deploy
on:
push:
branches: ['master']
tags: ['v*']
jobs:
build-concrexit:
name: Build concrexit image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Checkout repository
uses: actions/checkout@v4
- name: Docker meta
# Defines tags and labels for the Docker image based on git metadata.
# This will tag 'latest' and e.g. 'v37.1' when a tag v37.1 is pushed,
# and 'master' when something is pushed to master.
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/svthalia/concrexit
- name: Build and push Docker image
uses: docker/build-push-action@v5.3.0
with:
context: ./
file: ./infra/concrexit/Dockerfile
push: true
build-args: |
SOURCE_COMMIT=${{ github.sha }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=${{ github.ref }}-concrexit
cache-to: type=gha,mode=max,scope=${{ github.ref }}-concrexit
build-nginx:
name: Build nginx image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Checkout repository
uses: actions/checkout@v4
- name: Docker meta
# Defines tags and labels for the Docker image based on git metadata.
# This will tag 'latest' and e.g. 'v37.1' when a tag v37.1 is pushed,
# and 'master' when something is pushed to master.
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/svthalia/concrexit-nginx
- name: Build and push Docker image
uses: docker/build-push-action@v5.3.0
with:
context: ./infra/nginx
push: true
build-args: |
SOURCE_COMMIT=${{ github.sha }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=${{ github.ref }}-concrexit-nginx
cache-to: type=gha,mode=max,scope=${{ github.ref }}-concrexit-nginx
deploy-staging:
name: Deploy to staging
if: github.ref == 'refs/heads/master'
environment:
name: staging
url: https://staging.thalia.nu
runs-on: ubuntu-latest
needs: [build-concrexit, build-nginx]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up SSH
run: |
mkdir ~/.ssh
echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
echo "$DEPLOY_SSH_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
env:
SSH_KNOWN_HOSTS: ${{ vars.SSH_KNOWN_HOSTS }}
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
- name: Create env files
run: |
cp infra/env.public.staging infra/env.public
echo "$SECRETS_FILE" > infra/env.secret
echo "TAG=$TAG" > infra/.env
env:
SECRETS_FILE: ${{ secrets.SECRETS_FILE }}
TAG: master
- name: Update env files
run: |
rsync infra/.env deploy@staging.thalia.nu:/var/lib/concrexit/.env
rsync infra/env.public deploy@staging.thalia.nu:/var/lib/concrexit/env.public
rsync infra/env.secret deploy@staging.thalia.nu:/var/lib/concrexit/env.secret
rsync infra/docker-compose.yml deploy@staging.thalia.nu:/var/lib/concrexit/docker-compose.yml
- name: Restart containers
run: |
ssh deploy@staging.thalia.nu << EOF
set -e
cd /var/lib/concrexit
sudo docker compose pull
sudo docker compose up -d
sudo docker system prune -f
EOF
deploy-production:
name: Deploy to production
if: startsWith(github.ref, 'refs/tags/v')
environment:
name: production
url: https://thalia.nu
runs-on: ubuntu-latest
needs: [build-concrexit, build-nginx]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up SSH
run: |
mkdir ~/.ssh
echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
echo "$DEPLOY_SSH_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
env:
SSH_KNOWN_HOSTS: ${{ vars.SSH_KNOWN_HOSTS }}
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
- name: Create env files
run: |
cp infra/env.public.production infra/env.public
echo "$SECRETS_FILE" > infra/env.secret
echo "TAG=$TAG" > infra/.env
env:
SECRETS_FILE: ${{ secrets.SECRETS_FILE }}
TAG: latest
- name: Update env files
run: |
rsync infra/.env deploy@thalia.nu:/var/lib/concrexit/.env
rsync infra/env.public deploy@thalia.nu:/var/lib/concrexit/env.public
rsync infra/env.secret deploy@thalia.nu:/var/lib/concrexit/env.secret
rsync infra/docker-compose.yml deploy@thalia.nu:/var/lib/concrexit/docker-compose.yml
- name: Restart containers
run: |
ssh deploy@thalia.nu << EOF
set -e
cd /var/lib/concrexit
sudo docker compose pull
sudo docker compose up -d
sudo docker system prune -f
EOF