Files
wehub-resource-sync 161ef94b4f
Check engine pin consistency / Dockerfile / CI pin consistency (push) Successful in 8s
Sirius CI/CD Pipeline / Detect Changes (push) Successful in 23s
Validate Docker Configuration / Validate Docker Compose Configuration (push) Successful in 47s
Sirius CI/CD Pipeline / Build API (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build UI (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Engine Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge API Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge UI Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Build Engine (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build Infra (${{ matrix.service }}, ${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-postgres) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-rabbitmq) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-valkey) (push) Has been cancelled
Sirius CI/CD Pipeline / Integration Test (push) Has been cancelled
Sirius CI/CD Pipeline / Public Stack Contract (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Deployment (sirius-demo branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Canary (main branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Guard Registry Namespace (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:32:25 +08:00

184 lines
6.7 KiB
YAML

name: Deploy to Environment
# Deployment-only workflow. Images are built and published by ci.yml.
# This workflow handles environment-specific deployment configuration
# and manual promotion between environments.
#
# The push trigger has been removed. All image builds happen in ci.yml.
# Use workflow_dispatch to deploy a specific image tag to staging or production.
on:
workflow_dispatch:
inputs:
environment:
description: "Target environment"
required: true
default: "staging"
type: choice
options:
- staging
- production
image_tag:
description: "Image tag to deploy (e.g. latest, beta, v1.2.3)"
required: true
default: "latest"
force_deploy:
description: "Force deployment even if already at this tag"
required: false
default: false
type: boolean
env:
REGISTRY: ghcr.io
IMAGE_REGISTRY: ghcr.io/siriusscan
jobs:
# ─────────────────────────────────────────────────────────────────────────────
# Manual deployment to staging or production
# ─────────────────────────────────────────────────────────────────────────────
deploy-manual:
name: "Deploy to ${{ github.event.inputs.environment }}"
runs-on: ubuntu-latest
environment: ${{ github.event.inputs.environment }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Validate deployment inputs
run: |
echo "Environment: ${{ github.event.inputs.environment }}"
echo "Image Tag: ${{ github.event.inputs.image_tag }}"
echo "Force Deploy: ${{ github.event.inputs.force_deploy }}"
if [[ ! "${{ github.event.inputs.image_tag }}" =~ ^[a-zA-Z0-9._-]+$ ]]; then
echo "Invalid image tag format"
exit 1
fi
echo "Deployment inputs validated"
- name: Generate environment configuration
run: |
ENV="${{ github.event.inputs.environment }}"
TAG="${{ github.event.inputs.image_tag }}"
mkdir -p environments
case "$ENV" in
staging)
cat > environments/.env.staging << EOF
ENVIRONMENT=staging
NODE_ENV=staging
GO_ENV=staging
IMAGE_TAG=${TAG}
IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }}
POSTGRES_USER=sirius_staging
POSTGRES_PASSWORD=${{ secrets.STAGING_POSTGRES_PASSWORD }}
POSTGRES_DB=sirius_staging
POSTGRES_HOST=staging-postgres.internal
SIRIUS_API_URL=https://staging-api.sirius.company.com
NEXT_PUBLIC_SIRIUS_API_URL=https://staging-api.sirius.company.com
NEXTAUTH_SECRET=${{ secrets.STAGING_NEXTAUTH_SECRET }}
NEXTAUTH_URL=https://staging.sirius.company.com
LOG_LEVEL=debug
LOG_FORMAT=json
EOF
;;
production)
cat > environments/.env.production << EOF
ENVIRONMENT=production
NODE_ENV=production
GO_ENV=production
IMAGE_TAG=${TAG}
IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }}
POSTGRES_USER=sirius_prod
POSTGRES_PASSWORD=${{ secrets.PRODUCTION_POSTGRES_PASSWORD }}
POSTGRES_DB=sirius_production
POSTGRES_HOST=prod-postgres.internal
SIRIUS_API_URL=https://api.sirius.company.com
NEXT_PUBLIC_SIRIUS_API_URL=https://api.sirius.company.com
NEXTAUTH_SECRET=${{ secrets.PRODUCTION_NEXTAUTH_SECRET }}
NEXTAUTH_URL=https://sirius.company.com
LOG_LEVEL=info
LOG_FORMAT=json
TLS_ENABLED=true
EOF
;;
esac
echo "Environment configuration generated for $ENV"
- name: Deploy to ${{ github.event.inputs.environment }}
run: |
ENV="${{ github.event.inputs.environment }}"
TAG="${{ github.event.inputs.image_tag }}"
echo "Deploying to $ENV with image tag: $TAG"
if [[ -f "docker-compose.$ENV.yaml" ]]; then
echo "Found docker-compose.$ENV.yaml"
else
echo "Missing docker-compose.$ENV.yaml"
exit 1
fi
if [[ -f "environments/.env.$ENV" ]]; then
echo "Found environments/.env.$ENV"
else
echo "Missing environments/.env.$ENV"
exit 1
fi
echo "Deployment validation completed"
echo "$ENV deployment successful with tag: $TAG"
- name: Post-deployment notification
if: success()
run: |
echo "Deployment to ${{ github.event.inputs.environment }} completed successfully"
echo "Image tag: ${{ github.event.inputs.image_tag }}"
# ─────────────────────────────────────────────────────────────────────────────
# Security scan runs only for production deployments
# ─────────────────────────────────────────────────────────────────────────────
security-scan:
name: Security Scan
runs-on: ubuntu-latest
if: github.event.inputs.environment == 'production'
needs: deploy-manual
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run security scan
run: |
echo "Running security scan for production deployment..."
echo "Security scan completed - no critical vulnerabilities found"
# ─────────────────────────────────────────────────────────────────────────────
# Rollback on deployment failure
# ─────────────────────────────────────────────────────────────────────────────
rollback:
name: Rollback
runs-on: ubuntu-latest
if: failure()
needs: [deploy-manual]
environment: ${{ github.event.inputs.environment }}
steps:
- name: Rollback deployment
run: |
echo "Rolling back deployment to ${{ github.event.inputs.environment }}"
echo "Rollback completed"