gitea/devops
Template
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Adjusted artifact version in pipeline
All checks were successful
Build and Deploy Demo App / build-and-deploy (push) Successful in 1m35s
Details

Browse Source
This commit is contained in:
gitea
2025-11-27 11:20:02 +00:00
parent 9f58cec1e4
commit 612b204c9a
1 changed files with 52 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

173
.gitea/workflows/cicd.yaml
View File

@@ -1,95 +1,20 @@
# .gitea/workflows/cicd.yaml name: Build and Deploy Demo App
name: Build and Deploy Demo App (Artifacts)
on: on:
push: push:
branches: branches:
- main - main
jobs: jobs:
# ---------- TEST ---------- build-and-deploy:
test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Set up Docker Buildx
- name: Set up Python uses: docker/setup-buildx-action@v3
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install deps
run: pip install -r requirements.txt
- name: Run tests (SQLite fallback)
env:
DB_USER: "" # force SQLite fallback in app.py
DB_PASS: ""
DB_NAME: ""
run: pytest
# ---------- BUILD ----------
build:
needs: test
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build Docker image - name: Build Docker image
run: docker build -t demo-app:latest . run: docker build -t demo-app:latest .
- name: Save Docker image to tar - name: Save Docker image to tar
run: docker save demo-app:latest > demo-app.tar run: docker save demo-app:latest > demo-app.tar
- name: Upload image artifact
uses: actions/upload-artifact@v4
with:
name: demo-image
path: demo-app.tar
if-no-files-found: error
# retention-days: 7 # optional; depends on your Gitea settings
# ---------- SCAN ----------
scan:
needs: build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download image artifact
uses: actions/download-artifact@v4
with:
name: demo-image
path: .
- name: Load Docker image from artifact
run: docker load -i demo-app.tar
# Trivy via Docker (no marketplace action needed)
- name: Scan image with Trivy
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy:latest \
image --exit-code 1 --severity CRITICAL,HIGH --no-progress demo-app:latest
# ---------- DEPLOY ----------
deploy:
needs: [build, scan]
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download image artifact
uses: actions/download-artifact@v4
with:
name: demo-image
path: .
- name: Set up SSH - name: Set up SSH
run: | run: |
apt update && apt install -y openssh-client apt update && apt install -y openssh-client
@@ -99,51 +24,57 @@ jobs:
eval "$(ssh-agent -s)" eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519 ssh-add ~/.ssh/id_ed25519
ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts
- name: Copy files to server via SCP
- name: Copy files to server
run: | run: |
# Copy image tar scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} demo-app.tar ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}demo-app.tar
scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} \ scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} docker-compose.yml ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}docker-compose.yml
demo-app.tar \ scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} -r nginx_user_conf.d ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}nginx_user_conf.d
${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/demo-app.tar" - name: Deploy on server via SSH
# Copy docker-compose file
scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} \
docker-compose.yml \
${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/docker-compose.yml"
# Copy nginx config directory (used as volume in docker-compose.yml)
scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} -r \
nginx_user_conf.d \
${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/nginx_user_conf.d"
- name: Deploy on server
run: | run: |
ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} \ ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << EOF
${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << EOF cd ${{ secrets.DEPLOY_PATH }}
set -e
cd "${{ secrets.DEPLOY_PATH }}" # Check and install Docker if not present (Ubuntu/Debian assumed)
if ! command -v docker &> /dev/null; then
# Create/update .env with DB secrets sudo apt update -y
echo "DB_USER=${{ secrets.DB_USER }}" > .env sudo apt install -y ca-certificates curl
echo "DB_PASS=${{ secrets.DB_PASS }}" >> .env sudo install -m 0755 -d /etc/apt/keyrings
echo "DB_NAME=${{ secrets.DB_NAME }}" >> .env sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Load the new image from the tarball echo "deb [arch=\$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \$(. /etc/os-release && echo "\$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
docker load -I demo-app.tar || docker load -i demo-app.tar # compatibility sudo apt update -y
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# Make sure we actually have a compose file here sudo systemctl start docker
if [ ! -f docker-compose.yml ]; then sudo systemctl enable docker
echo "ERROR: docker-compose.yml not found in \$(pwd)" >&2
ls -la
exit 1
fi fi
# Restart the compose stack # Ensure docker-compose-plugin is installed (for 'docker compose' command)
docker compose -f docker-compose.yml down if ! docker compose version &> /dev/null; then
docker compose -f docker-compose.yml --env-file .env up -d --remove-orphans sudo apt update -y
sudo apt install -y docker-compose-plugin
fi
# Clean up # Load image
rm -f demo-app.tar docker load -i demo-app.tar
EOF
# Graceful stop
docker compose down --remove-orphans -v || true
# Obtain initial cert if not present (standalone mode; ports are free since down)
if [ ! -d "letsencrypt/live/demo.networkwizard.xyz" ]; then
docker run --rm \
-p 80:80 \
-v ${PWD}/letsencrypt:/etc/letsencrypt \
certbot/certbot certonly --standalone \
-d demo.networkwizard.xyz \
--email your@email.com \
--agree-tos \
--non-interactive
fi
# Deploy
docker compose up -d --force-recreate
# Cleanup
rm demo-app.tar
EOF