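---
name: Push -> main

on:
  push:
    branches:
      - main

# Nothing in this workflow writes back to the repository; restrict the
# GITHUB_TOKEN to the read scope that actions/checkout needs.
permissions:
  contents: read

# Both jobs mutate /opt/gatehouse-ui on the production host, so two pushes to
# main must never run their deploys concurrently. Queue rather than cancel so
# an in-flight deploy is not killed half-way through `docker compose up`.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

defaults:
  run:
    # Explicit `bash` runs with `-eo pipefail`; the implicit default is only
    # `bash -e`, which lets a failed `curl | sh` below go unnoticed.
    shell: bash

jobs:
  # ── 1. Build ──────────────────────────────────────────────────────────────
  build:
    name: Build Docker image
    # NOTE(review): `prod-gatehouse-ui` is the production host itself. Every
    # push to `main` checks out and executes repository code on that box, so
    # branch protection on `main` is the only control between a merged commit
    # and production. Keep this runner private to this repository.
    runs-on: prod-gatehouse-ui
    outputs:
      tag: ${{ steps.sha.outputs.tag }}
    steps:
      - uses: actions/checkout@v4

      - name: Set image tag
        id: sha
        # Short SHA of the commit being deployed; used as the image tag.
        run: echo "tag=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"

      - name: Build ui image
        env:
          # Pass step outputs through env rather than `${{ }}` inside `run:`,
          # so the value is never spliced into the script source.
          IMAGE_TAG: ${{ steps.sha.outputs.tag }}
        run: |
          # VITE_API_BASE_URL is baked into the static bundle at build time and
          # is sourced from the deployed env on this (prod) runner. Read only
          # that one variable in a subshell instead of `set -a; . .env`, so the
          # rest of the file (which may hold secrets) is never exported into
          # the environment of this step or of `docker build`.
          VITE_API_BASE_URL="$(. /opt/gatehouse-ui/.env && printf '%s' "${VITE_API_BASE_URL}")"
          # A --build-arg is recorded in the image layer history (`docker
          # history`): acceptable for a public URL, never for a secret.
          docker build \
            --build-arg VITE_API_BASE_URL="${VITE_API_BASE_URL}" \
            -t "gatehouse-ui:${IMAGE_TAG}" \
            -t "gatehouse-ui:latest" \
            .

      - name: Scan ui image for vulnerabilities (Trivy)
        env:
          IMAGE_TAG: ${{ steps.sha.outputs.tag }}
        run: |
          # NOTE(review): the installer is fetched unpinned from the `main`
          # branch and piped straight into `sh`, and it writes to /usr/local/bin
          # on the production host. Pin a release
          # (`sh -s -- -b /usr/local/bin vX.Y.Z`) or, better, pre-install trivy
          # on the runner and drop the download entirely.
          command -v trivy >/dev/null 2>&1 || \
            curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin
          # `--exit-code 0` makes this report-only: HIGH/CRITICAL findings are
          # printed to the job log but never block the deploy job below.
          # Switch to `--exit-code 1` once the baseline is clean.
          trivy image \
            --exit-code 0 \
            --severity HIGH,CRITICAL \
            --no-progress \
            "gatehouse-ui:${IMAGE_TAG}"

  # ── 2. Deploy ─────────────────────────────────────────────────────────────
  deploy:
    name: Deploy
    runs-on: prod-gatehouse-ui
    needs: build
    env:
      COMPOSE_DIR: /opt/gatehouse-ui
      # Consumed by the compose file; set job-wide so it is not spliced into
      # the script via `${{ }}`.
      IMAGE_TAG: ${{ needs.build.outputs.tag }}
    steps:
      - uses: actions/checkout@v4

      - name: Deploy (docker compose up)
        run: |
          # Refuse to deploy if the build job produced no tag: an empty tag
          # would otherwise reference `gatehouse-ui:` or silently fall back to
          # whatever default the compose file declares.
          : "${IMAGE_TAG:?build job produced no image tag}"
          # Overwrites the live compose file on the prod host with the one
          # from this commit, then restarts the stack on the freshly built image.
          cp docker-compose.yml "${COMPOSE_DIR}/docker-compose.yml"
          cd "${COMPOSE_DIR}"
          docker compose up -d --remove-orphans

  # ── 3. Alert ──────────────────────────────────────────────────────────────
  alert:
    name: Notify on result
    runs-on: prod-gatehouse-ui
    # The `needs` context only exposes outputs of direct dependencies, so
    # `build` must be listed here or needs.build.outputs.tag is empty.
    needs: [build, deploy]
    if: always()
    steps:
      - name: Send notification
        env:
          STATUS: ${{ needs.deploy.result }}
          IMAGE_TAG: ${{ needs.build.outputs.tag }}
        run: |
          echo "TODO: send alert — deploy status: ${STATUS}"
          # When wiring this up: expose the webhook via `env:` (e.g.
          # ALERT_WEBHOOK: ${{ secrets.ALERT_WEBHOOK }}) instead of `${{ }}`
          # in the script, build the JSON body with jq rather than string
          # interpolation, and keep the URL out of the log (no `-v`).
          # curl -sS -X POST "${ALERT_WEBHOOK}" \
          #   -H 'Content-Type: application/json' \
          #   -d "{\"text\": \"[gatehouse-ui] Deploy ${STATUS} — tag: ${IMAGE_TAG}\"}"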