216 lines
6.9 KiB
YAML
216 lines
6.9 KiB
YAML
name: deploy-node1-runtime
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
deploy_ref:
|
|
description: "Git ref to deploy on NODA1 (branch/tag/sha)"
|
|
required: false
|
|
type: string
|
|
default: "main"
|
|
redeploy_runtime:
|
|
description: "Rebuild/restart gateway+experience-learner after git sync"
|
|
required: false
|
|
type: boolean
|
|
default: false
|
|
ssh_host:
|
|
description: "NODA1 SSH host override"
|
|
required: false
|
|
type: string
|
|
ssh_user:
|
|
description: "NODA1 SSH user override (default root)"
|
|
required: false
|
|
type: string
|
|
|
|
concurrency:
|
|
group: noda1-runtime-deploy
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
env:
|
|
DEFAULT_SSH_HOST: ${{ secrets.NODA1_SSH_HOST }}
|
|
DEFAULT_SSH_USER: ${{ secrets.NODA1_SSH_USER }}
|
|
DEPLOY_REF: ${{ inputs.deploy_ref }}
|
|
REDEPLOY_RUNTIME: ${{ inputs.redeploy_runtime }}
|
|
steps:
|
|
- name: Resolve SSH target
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
host="${DEFAULT_SSH_HOST:-}"
|
|
user="${DEFAULT_SSH_USER:-root}"
|
|
|
|
if [ -n "${{ inputs.ssh_host }}" ]; then
|
|
host="${{ inputs.ssh_host }}"
|
|
fi
|
|
if [ -n "${{ inputs.ssh_user }}" ]; then
|
|
user="${{ inputs.ssh_user }}"
|
|
fi
|
|
|
|
if [ -z "$host" ]; then
|
|
echo "Missing SSH host (workflow input or secret NODA1_SSH_HOST)" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "SSH_HOST=$host" >> "$GITHUB_ENV"
|
|
echo "SSH_USER=$user" >> "$GITHUB_ENV"
|
|
|
|
- name: Prepare SSH key
|
|
shell: bash
|
|
env:
|
|
SSH_PRIVATE_KEY: ${{ secrets.NODA1_SSH_KEY }}
|
|
run: |
|
|
set -euo pipefail
|
|
set +x
|
|
if [ -z "${SSH_PRIVATE_KEY:-}" ]; then
|
|
echo "Missing secret NODA1_SSH_KEY" >&2
|
|
exit 1
|
|
fi
|
|
mkdir -p ~/.ssh
|
|
chmod 700 ~/.ssh
|
|
key_path=~/.ssh/noda1_ci_key
|
|
if printf '%s' "$SSH_PRIVATE_KEY" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
|
|
printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' > "$key_path"
|
|
else
|
|
printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r' | base64 --decode > "$key_path"
|
|
fi
|
|
chmod 600 "$key_path"
|
|
if ! ssh-keygen -y -f "$key_path" >/dev/null 2>&1; then
|
|
echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
|
|
exit 1
|
|
fi
|
|
echo "SSH_KEY_PATH=$key_path" >> "$GITHUB_ENV"
|
|
|
|
- name: Deploy runtime to NODA1
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
set +x
|
|
mkdir -p artifacts
|
|
log="artifacts/deploy-node1-runtime.log"
|
|
ssh \
|
|
-i "${SSH_KEY_PATH}" \
|
|
-o BatchMode=yes \
|
|
-o IdentitiesOnly=yes \
|
|
-o StrictHostKeyChecking=accept-new \
|
|
-o ConnectTimeout=10 \
|
|
"${SSH_USER}@${SSH_HOST}" \
|
|
"set -euo pipefail; \
|
|
cd /opt/microdao-daarion; \
|
|
origin_url=\$(git remote get-url origin 2>/dev/null || true); \
|
|
if [ -n \"\$(git status --porcelain)\" ]; then \
|
|
echo 'WARN: dirty git tree on NODA1; skip checkout/pull and continue with gate'; \
|
|
elif ! printf '%s' \"\$origin_url\" | grep -Eq 'daarion-admin/microdao-daarion(\\.git)?$'; then \
|
|
echo \"WARN: origin remote (\$origin_url) is not deploy-safe; skip checkout/pull and continue with gate\"; \
|
|
else \
|
|
git fetch origin; \
|
|
git checkout '${DEPLOY_REF:-main}'; \
|
|
git pull --ff-only origin '${DEPLOY_REF:-main}'; \
|
|
fi; \
|
|
if [ '${REDEPLOY_RUNTIME:-false}' = 'true' ]; then \
|
|
docker compose -f docker-compose.node1.yml up -d --no-deps --build --force-recreate gateway experience-learner; \
|
|
fi; \
|
|
git rev-parse HEAD" \
|
|
| tee "$log"
|
|
|
|
- name: Print deploy artifact paths
|
|
if: always()
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
ls -la artifacts || true
|
|
|
|
phase6_gate:
|
|
needs: [deploy]
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
env:
|
|
DEFAULT_SSH_HOST: ${{ secrets.NODA1_SSH_HOST }}
|
|
DEFAULT_SSH_USER: ${{ secrets.NODA1_SSH_USER }}
|
|
steps:
|
|
- name: Resolve SSH target
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
host="${DEFAULT_SSH_HOST:-}"
|
|
user="${DEFAULT_SSH_USER:-root}"
|
|
|
|
if [ -n "${{ inputs.ssh_host }}" ]; then
|
|
host="${{ inputs.ssh_host }}"
|
|
fi
|
|
if [ -n "${{ inputs.ssh_user }}" ]; then
|
|
user="${{ inputs.ssh_user }}"
|
|
fi
|
|
|
|
if [ -z "$host" ]; then
|
|
echo "Missing SSH host (workflow input or secret NODA1_SSH_HOST)" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "SSH_HOST=$host" >> "$GITHUB_ENV"
|
|
echo "SSH_USER=$user" >> "$GITHUB_ENV"
|
|
|
|
- name: Prepare SSH key
|
|
shell: bash
|
|
env:
|
|
SSH_PRIVATE_KEY: ${{ secrets.NODA1_SSH_KEY }}
|
|
run: |
|
|
set -euo pipefail
|
|
set +x
|
|
if [ -z "${SSH_PRIVATE_KEY:-}" ]; then
|
|
echo "Missing secret NODA1_SSH_KEY" >&2
|
|
exit 1
|
|
fi
|
|
mkdir -p ~/.ssh
|
|
chmod 700 ~/.ssh
|
|
key_path=~/.ssh/noda1_ci_key
|
|
if printf '%s' "$SSH_PRIVATE_KEY" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
|
|
printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' > "$key_path"
|
|
else
|
|
printf '%s' "$SSH_PRIVATE_KEY" | tr -d '\r' | base64 --decode > "$key_path"
|
|
fi
|
|
chmod 600 "$key_path"
|
|
if ! ssh-keygen -y -f "$key_path" >/dev/null 2>&1; then
|
|
echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
|
|
exit 1
|
|
fi
|
|
echo "SSH_KEY_PATH=$key_path" >> "$GITHUB_ENV"
|
|
|
|
- name: Run phase6 smoke (hard gate)
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
set +x
|
|
mkdir -p artifacts
|
|
for attempt in 1 2; do
|
|
log="artifacts/phase6-gate-attempt${attempt}.log"
|
|
if ssh \
|
|
-i "${SSH_KEY_PATH}" \
|
|
-o BatchMode=yes \
|
|
-o IdentitiesOnly=yes \
|
|
-o StrictHostKeyChecking=accept-new \
|
|
-o ConnectTimeout=10 \
|
|
"${SSH_USER}@${SSH_HOST}" \
|
|
"set -euo pipefail; cd /opt/microdao-daarion; git rev-parse HEAD; make phase6-smoke" \
|
|
| tee "$log"; then
|
|
cp "$log" artifacts/phase6-gate.log
|
|
exit 0
|
|
fi
|
|
|
|
if [ "$attempt" -eq 2 ]; then
|
|
echo "phase6 gate failed after retry" >&2
|
|
exit 1
|
|
fi
|
|
sleep 15
|
|
done
|
|
|
|
- name: Print gate artifact paths
|
|
if: always()
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
ls -la artifacts || true
|