adding back deployment with more security #37
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Develop | |
| on: | |
| push: | |
| # branches: | |
| # - main | |
| jobs: | |
| ### | |
| ### BUILD DISTRIBUTABLES | |
| ### | |
| build_backend: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| actions: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '21' | |
| distribution: 'corretto' | |
| server-id: github | |
| settings-path: ${{ github.workspace }} | |
| cache: 'maven' | |
| # Step 3: Cache Maven dependencies | |
| - name: Cache Maven dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-maven- | |
| - name: Build with Maven | |
| run: ./mvnw -B package --file pom.xml -Dproject.version=${{ github.sha }} | |
| - name: Upload Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: backend | |
| path: | | |
| target/billtracker-backend-${{ github.sha }}.jar | |
| build_frontend: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| actions: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Cache npm dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-node- | |
| - name: Navigate and Install Dependencies | |
| run: cd src/main/svelte && npm i | |
| - name: Build Distributable | |
| run: cd src/main/svelte && npm run build | |
| - name: Upload Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: frontend | |
| path: | | |
| src/main/svelte/build | |
| ### | |
| ### PUBLISH PACKAGES | |
| ### | |
| publish_backend_oci_image: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build_backend | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: backend | |
| - name: Build Container Image | |
| run: docker build . -t ghcr.io/kerosene-labs/billtracker-backend:${{ github.sha }} --build-arg PROJECT_VERSION=${{ github.sha }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.ACCESS_TOKEN }} | |
| - name: Push Container Image | |
| run: docker push ghcr.io/kerosene-labs/billtracker-backend:${{ github.sha }} | |
| ### | |
| ### DEPLOYMENT | |
| ### | |
| deploy: | |
| needs: | |
| - publish_backend_oci_image | |
| - build_frontend | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: develop | |
| steps: | |
| - name: Write Keys | |
| run: mkdir -p ~/.ssh && echo "${{secrets.BASTION_PRIVATE_KEY}}" >> ~/.ssh/bastion && echo "${{secrets.DEPLOYMENT_PRIVATE_KEY}}" >> ~/.ssh/deployment | |
| - name: Set Key Permissions | |
| run: chmod 600 ~/.ssh/bastion && chmod 600 ~/.ssh/deployment | |
| # - run: ssh -T -i ~/.ssh/bastion -o "StrictHostKeyChecking no" ${{secrets.BASTION_SSH_URI}} | |
| - name: Start ssh-agent and add keys | |
| run: | | |
| eval "$(ssh-agent -s)" | |
| ssh-add ~/.ssh/bastion | |
| ssh-add ~/.ssh/deployment | |
| echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> $GITHUB_ENV | |
| echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> $GITHUB_ENV | |
| - uses: actions/download-artifact@v4 | |
| name: Download Frontend Artifact | |
| with: | |
| name: frontend | |
| - name: Test port 2222 | |
| run: nc -zv ${{secrets.BASTION_SSH_URI}} 2222 | |
| - name: Update Frontend | |
| run: scp -o "StrictHostKeyChecking no" -A -R -J ${{secrets.BASTION_SSH_URI}}:2222 . ${{secrets.DEPLOYMENT_TARGET}}:/home/infra/frontend_content | |
| - name: Update Backend | |
| run: ssh -o "StrictHostKeyChecking no" -A -J ${{secrets.BASTION_SSH_URI}}:2222 ${{secrets.DEPLOYMENT_TARGET}} "bash -c \"cd billtracker && export BILLTRACKER_VERSION=${{ github.sha }} && docker compose pull app && docker compose up -d app\"" |