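# Manually triggered deploy of the runtime checkout on NODA1 over SSH, followed
# by the phase6 smoke gate run on the same host.
#
# Security notes for maintainers:
#   * Workflow inputs reach the shell only through env variables and are
#     checked against an allowlist before use. Expanding an input expression
#     directly into script text lets the caller inject shell on the runner, and
#     for deploy_ref also on NODA1, where the command runs as the SSH user.
#   * Both jobs connect with StrictHostKeyChecking=accept-new from a fresh
#     runner, so the host key offered on each run is trusted without
#     comparison. Pinning the key (a known_hosts entry supplied to the job,
#     with StrictHostKeyChecking=yes) would close that gap.
name: deploy-node1-runtime

on:
  workflow_dispatch:
    inputs:
      deploy_ref:
        description: "Git ref to deploy on NODA1 (branch/tag/sha)"
        required: false
        type: string
        default: "main"
      redeploy_runtime:
        description: "Rebuild/restart gateway+experience-learner after git sync"
        required: false
        type: boolean
        default: false
      ssh_host:
        description: "NODA1 SSH host override"
        required: false
        type: string
      ssh_user:
        description: "NODA1 SSH user override (default root)"
        required: false
        type: string

# No step uses an action or the GitHub API, so the job token gets no scopes.
permissions: {}

# One deploy at a time; a queued run waits instead of cancelling the active one.
concurrency:
  group: noda1-runtime-deploy
  cancel-in-progress: false

jobs:
  # Syncs /opt/microdao-daarion on NODA1 to the requested ref and optionally
  # rebuilds the gateway and experience-learner containers.
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    env:
      DEFAULT_SSH_HOST: ${{ secrets.NODA1_SSH_HOST }}
      DEFAULT_SSH_USER: ${{ secrets.NODA1_SSH_USER }}
      DEPLOY_REF: ${{ inputs.deploy_ref }}
      REDEPLOY_RUNTIME: ${{ inputs.redeploy_runtime }}
    steps:
      # Input override wins over the secret; the user falls back to root when
      # neither is set. A dedicated deploy account limited to what this job
      # needs would narrow the impact of a leaked key.
      - name: Resolve SSH target
        shell: bash
        env:
          INPUT_SSH_HOST: ${{ inputs.ssh_host }}
          INPUT_SSH_USER: ${{ inputs.ssh_user }}
        run: |
          set -euo pipefail
          host="${INPUT_SSH_HOST:-${DEFAULT_SSH_HOST:-}}"
          user="${INPUT_SSH_USER:-${DEFAULT_SSH_USER:-root}}"
          if [ -z "$host" ]; then
            echo "Missing SSH host (workflow input or secret NODA1_SSH_HOST)" >&2
            exit 1
          fi
          # Allowlist both values: blocks a leading '-' (read by ssh as an
          # option) and newlines (extra variables written to GITHUB_ENV).
          host_re='^[A-Za-z0-9][A-Za-z0-9._:-]*$'
          user_re='^[A-Za-z_][A-Za-z0-9._-]*$'
          if [[ ! "$host" =~ $host_re ]]; then
            echo "SSH host contains unexpected characters" >&2
            exit 1
          fi
          if [[ ! "$user" =~ $user_re ]]; then
            echo "SSH user contains unexpected characters" >&2
            exit 1
          fi
          echo "SSH_HOST=$host" >> "$GITHUB_ENV"
          echo "SSH_USER=$user" >> "$GITHUB_ENV"

      # Accepts the key either as raw OpenSSH PEM text or base64-encoded,
      # writes it to ~/.ssh and checks that ssh-keygen can parse it.
      - name: Prepare SSH key
        shell: bash
        env:
          SSH_PRIVATE_KEY: ${{ secrets.NODA1_SSH_KEY }}
        run: |
          set -euo pipefail
          # Tracing stays off so the key never lands in the job log.
          set +x
          if [ -z "${SSH_PRIVATE_KEY:-}" ]; then
            echo "Missing secret NODA1_SSH_KEY" >&2
            exit 1
          fi
          # Create the key file owner-only from the start instead of relying
          # on the chmod that follows the write.
          umask 077
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          key_path=~/.ssh/noda1_ci_key
          if printf '%s' "$SSH_PRIVATE_KEY" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
            printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' > "$key_path"
          else
            printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r' | base64 --decode > "$key_path"
          fi
          chmod 600 "$key_path"
          if ! ssh-keygen -y -f "$key_path" >/dev/null 2>&1; then
            echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
            exit 1
          fi
          echo "SSH_KEY_PATH=$key_path" >> "$GITHUB_ENV"

      # The remote command is assembled on the runner, so every value expanded
      # into it is validated first. A dirty tree on NODA1 skips the git sync
      # but still continues to the optional rebuild.
      - name: Deploy runtime to NODA1
        shell: bash
        run: |
          set -euo pipefail
          set +x
          mkdir -p artifacts
          log="artifacts/deploy-node1-runtime.log"

          # deploy_ref is placed inside single quotes in the remote script.
          # The allowlist excludes quotes and shell metacharacters, and a
          # leading '-' that git would parse as an option.
          ref="${DEPLOY_REF:-main}"
          ref_re='^[A-Za-z0-9][A-Za-z0-9._/@+-]*$'
          if [[ ! "$ref" =~ $ref_re ]]; then
            echo "deploy_ref contains unexpected characters" >&2
            exit 1
          fi

          # Collapse the boolean input to one of two literals before it is
          # expanded into the remote script.
          redeploy='false'
          if [ "${REDEPLOY_RUNTIME:-false}" = 'true' ]; then
            redeploy='true'
          fi

          ssh \
            -i "${SSH_KEY_PATH}" \
            -o BatchMode=yes \
            -o IdentitiesOnly=yes \
            -o StrictHostKeyChecking=accept-new \
            -o ConnectTimeout=10 \
            "${SSH_USER}@${SSH_HOST}" \
            "set -euo pipefail; \
            cd /opt/microdao-daarion; \
            if [ -n \"\$(git status --porcelain)\" ]; then \
              echo 'WARN: dirty git tree on NODA1; skip checkout/pull and continue with gate'; \
            else \
              git fetch origin; \
              git checkout '${ref}'; \
              git pull --ff-only origin '${ref}'; \
            fi; \
            if [ '${redeploy}' = 'true' ]; then \
              docker compose -f docker-compose.node1.yml up -d --no-deps --build --force-recreate gateway experience-learner; \
            fi; \
            git rev-parse HEAD" \
            | tee "$log"

      - name: Print deploy artifact paths
        if: always()
        shell: bash
        run: |
          set -euo pipefail
          ls -la artifacts || true

  # Hard gate: runs `make phase6-smoke` on NODA1 after the deploy job, with
  # one retry 15 seconds after a failed attempt.
  phase6_gate:
    needs: [deploy]
    runs-on: ubuntu-latest
    timeout-minutes: 10
    env:
      DEFAULT_SSH_HOST: ${{ secrets.NODA1_SSH_HOST }}
      DEFAULT_SSH_USER: ${{ secrets.NODA1_SSH_USER }}
    steps:
      # Same resolution and validation as in the deploy job; each job runs on
      # its own runner, so the values are resolved again here.
      - name: Resolve SSH target
        shell: bash
        env:
          INPUT_SSH_HOST: ${{ inputs.ssh_host }}
          INPUT_SSH_USER: ${{ inputs.ssh_user }}
        run: |
          set -euo pipefail
          host="${INPUT_SSH_HOST:-${DEFAULT_SSH_HOST:-}}"
          user="${INPUT_SSH_USER:-${DEFAULT_SSH_USER:-root}}"
          if [ -z "$host" ]; then
            echo "Missing SSH host (workflow input or secret NODA1_SSH_HOST)" >&2
            exit 1
          fi
          # Allowlist both values: blocks a leading '-' (read by ssh as an
          # option) and newlines (extra variables written to GITHUB_ENV).
          host_re='^[A-Za-z0-9][A-Za-z0-9._:-]*$'
          user_re='^[A-Za-z_][A-Za-z0-9._-]*$'
          if [[ ! "$host" =~ $host_re ]]; then
            echo "SSH host contains unexpected characters" >&2
            exit 1
          fi
          if [[ ! "$user" =~ $user_re ]]; then
            echo "SSH user contains unexpected characters" >&2
            exit 1
          fi
          echo "SSH_HOST=$host" >> "$GITHUB_ENV"
          echo "SSH_USER=$user" >> "$GITHUB_ENV"

      # Accepts the key either as raw OpenSSH PEM text or base64-encoded,
      # writes it to ~/.ssh and checks that ssh-keygen can parse it.
      - name: Prepare SSH key
        shell: bash
        env:
          SSH_PRIVATE_KEY: ${{ secrets.NODA1_SSH_KEY }}
        run: |
          set -euo pipefail
          # Tracing stays off so the key never lands in the job log.
          set +x
          if [ -z "${SSH_PRIVATE_KEY:-}" ]; then
            echo "Missing secret NODA1_SSH_KEY" >&2
            exit 1
          fi
          # Create the key file owner-only from the start instead of relying
          # on the chmod that follows the write.
          umask 077
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          key_path=~/.ssh/noda1_ci_key
          if printf '%s' "$SSH_PRIVATE_KEY" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
            printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' > "$key_path"
          else
            printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r' | base64 --decode > "$key_path"
          fi
          chmod 600 "$key_path"
          if ! ssh-keygen -y -f "$key_path" >/dev/null 2>&1; then
            echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
            exit 1
          fi
          echo "SSH_KEY_PATH=$key_path" >> "$GITHUB_ENV"

      # The remote command here is a fixed string; no workflow input is
      # expanded into it. pipefail makes a failed ssh fail the `if` even
      # though tee is the last command in the pipeline.
      - name: Run phase6 smoke (hard gate)
        shell: bash
        run: |
          set -euo pipefail
          set +x
          mkdir -p artifacts
          for attempt in 1 2; do
            log="artifacts/phase6-gate-attempt${attempt}.log"
            if ssh \
              -i "${SSH_KEY_PATH}" \
              -o BatchMode=yes \
              -o IdentitiesOnly=yes \
              -o StrictHostKeyChecking=accept-new \
              -o ConnectTimeout=10 \
              "${SSH_USER}@${SSH_HOST}" \
              "set -euo pipefail; cd /opt/microdao-daarion; git rev-parse HEAD; make phase6-smoke" \
              | tee "$log"; then
              cp "$log" artifacts/phase6-gate.log
              exit 0
            fi
            if [ "$attempt" -eq 2 ]; then
              echo "phase6 gate failed after retry" >&2
              exit 1
            fi
            sleep 15
          done

      - name: Print gate artifact paths
        if: always()
        shell: bash
        run: |
          set -euo pipefail
          ls -la artifacts || true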