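# CI/CD for gatehouse-api: build and scan the images, roll them out on the
# host, then report the outcome. Every job runs on the self-hosted runner
# labelled "prod-gatehouse-api".
name: Push -> main

on:
  push:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: the only token-consuming action in this
# workflow is actions/checkout, which needs read access to the repository.
permissions:
  contents: read

jobs:
  # ── 1. Build ──────────────────────────────────────────────────────────────────
  build:
    name: Build Docker images
    runs-on: prod-gatehouse-api
    outputs:
      # Short commit SHA of the checked-out HEAD; downstream jobs read it as
      # needs.build.outputs.tag.
      tag: ${{ steps.sha.outputs.tag }}
    steps:
      # NOTE(review): pinned to a mutable tag rather than a commit SHA.
      - uses: actions/checkout@v4

      - name: Set image tag
        id: sha
        run: echo "tag=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"

      - name: Build api image
        run: |
          docker build \
            -t "gatehouse-api:${{ steps.sha.outputs.tag }}" \
            -t "gatehouse-api:latest" \
            .

      - name: Build job image
        run: |
          docker build \
            -f Dockerfile.job \
            -t "gatehouse-api-job:${{ steps.sha.outputs.tag }}" \
            -t "gatehouse-api-job:latest" \
            .

      # NOTE(review): the installer is fetched from the unpinned `main` branch
      # and piped to sh on the production runner; `--exit-code 0` makes the scan
      # report-only, so HIGH/CRITICAL findings never block the deploy. Only the
      # api image is scanned — the job image is not.
      - name: Scan api image for vulnerabilities (Trivy)
        run: |
          command -v trivy >/dev/null 2>&1 || \
            curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin
          trivy image \
            --exit-code 0 \
            --severity HIGH,CRITICAL \
            --no-progress \
            "gatehouse-api:${{ steps.sha.outputs.tag }}"

  # ── 2. Deploy ─────────────────────────────────────────────────────────────────
  deploy:
    name: Rolling deploy
    runs-on: prod-gatehouse-api
    needs: build
    env:
      COMPOSE_DIR: /opt/gatehouse-api
    steps:
      - uses: actions/checkout@v4

      # Copies the compose file into place and hands the image tag to the
      # rolling-restart script shipped in the repository.
      - name: Deploy (rolling restart)
        run: |
          cp docker-compose.yml "${COMPOSE_DIR}/docker-compose.yml"
          bash deploy/deploy.sh "${{ needs.build.outputs.tag }}"

  # ── 3. Alert ──────────────────────────────────────────────────────────────────
  alert:
    name: Notify on result
    runs-on: prod-gatehouse-api
    # `build` is listed explicitly: the needs context only exposes outputs of
    # direct dependencies, so needs.build.outputs.tag would be empty when the
    # webhook call below is enabled. Ordering is unchanged (deploy already
    # depends on build).
    needs: [build, deploy]
    # Run even when deploy failed or was skipped so the result is reported.
    if: always()
    steps:
      - name: Send notification
        run: |
          STATUS="${{ needs.deploy.result }}"
          echo "TODO: send alert — deploy status: ${STATUS}"
          # curl -X POST "${{ secrets.ALERT_WEBHOOK }}" \
          #   -H 'Content-Type: application/json' \
          #   -d "{\"text\": \"[gatehouse-api] Deploy ${STATUS} — tag: ${{ needs.build.outputs.tag }}\"}"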