# Reusable workflow: resolves an image tag, builds and pushes the image through
# the shared docker-build workflow, then deploys it over SSH with Docker Compose.
name: Build & Deploy Docker

on:
  workflow_call:
    inputs:
      # Build inputs
      dockerfile:
        description: 'Path to Dockerfile'
        default: 'Dockerfile'
        required: false
        type: string
      image_name:
        description: 'Full image name (e.g. org/my-api)'
        required: true
        type: string
      image_tag:
        description: 'Optional tag override (defaults to pushed Git tag)'
        required: false
        type: string
      # Deployment target
      remote_host:
        description: 'SSH host (user@host)'
        required: true
        type: string
      remote_path:
        description: 'Remote path where compose files live'
        required: true
        type: string
      # Runner selection; the value is used as `runs-on` for the jobs that
      # handle the SSH key and the registry credentials.
      runner_group:
        description: 'Runner group or label'
        required: false
        default: 'ubuntu-latest'
        type: string
    secrets:
      dockerhub_username:
        required: true
      dockerhub_password:
        required: true
      ssh_private_key:
        required: true
    outputs:
      tag:
        description: 'Tag effectively built/deployed'
        value: ${{ jobs.get-tag.outputs.tag }}

# NOTE(review): no step in this file requests an OIDC token; `id-token: write`
# is presumably needed by the called docker-build workflow - confirm, and drop
# it otherwise to keep the token scope minimal.
permissions:
  id-token: write
  contents: read
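jobs:
  # Resolve the image tag once so that build and deploy use the same value.
  get-tag:
    runs-on: ${{ inputs.runner_group }}
    outputs:
      tag: ${{ steps.out.outputs.tag }}
    steps:
      # NOTE(review): third-party and first-party actions are referenced by
      # mutable tags; pinning each `uses:` to a full commit SHA prevents a
      # retagged release from running with this workflow's secrets.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # No later step needs git credentials; do not leave the token in
          # .git/config.
          persist-credentials: false
      - name: Compute tag
        id: out
        shell: bash
        env:
          # Inputs are passed through the environment instead of being
          # expanded into the script text, so their content is never parsed
          # as shell code.
          IMAGE_TAG_INPUT: ${{ inputs.image_tag }}
        run: |
          set -euo pipefail
          TAG="$IMAGE_TAG_INPUT"
          if [ -z "$TAG" ]; then
            TAG="${GITHUB_REF##*/}"  # refs/tags/v1.2.3 → v1.2.3
          fi
          # The tag ends up in GITHUB_OUTPUT and in the remote .env file:
          # accept only the Docker tag grammar (no newlines, '=', spaces).
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if ! [[ "$TAG" =~ $tag_re ]]; then
            echo "::error::computed image tag is not a valid Docker tag"
            exit 1
          fi
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"

  # Build and push the image through the shared reusable workflow.
  build:
    needs: get-tag
    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.2.0
    with:
      dockerfile: ${{ inputs.dockerfile }}
      image-name: ${{ inputs.image_name }}
      image-tag: ${{ needs.get-tag.outputs.tag }}
      # NOTE(review): Dockerfile linting and the image security scan are both
      # switched off, so the image is pushed and deployed unscanned - confirm
      # this is intentional or that scanning happens elsewhere.
      hadolint: false
      security-scan: false
      push: true
    secrets:
      username: ${{ secrets.dockerhub_username }}
      password: ${{ secrets.dockerhub_password }}

  # Copy the compose files to the remote host and restart the stack there.
  deploy:
    needs: [build, get-tag]
    runs-on: ${{ inputs.runner_group }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Install SSH key
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ secrets.ssh_private_key }}
      - name: Add remote host to known_hosts
        shell: bash
        env:
          REMOTE_HOST: ${{ inputs.remote_host }}
        run: |
          set -euo pipefail
          mkdir -p ~/.ssh
          # Stripping "user@" is shell parameter expansion; it cannot be
          # written inside a GitHub expression, so it is done here.
          # NOTE(review): scanning the key at deploy time trusts whatever key
          # the network presents on this run. Supplying the expected host key
          # from a repository variable or secret would authenticate the host.
          ssh-keyscan -H -- "${REMOTE_HOST#*@}" >> ~/.ssh/known_hosts
      - name: Prepare .env for Compose
        shell: bash
        env:
          IMAGE_NAME: ${{ inputs.image_name }}
          IMAGE_TAG: ${{ needs.get-tag.outputs.tag }}
        run: |
          set -euo pipefail
          umask 077
          # Only non-secret values are written: this file is copied to the
          # remote host and stays on its disk. Registry credentials are sent
          # separately over the SSH channel in the last step.
          # NOTE(review): if docker-compose.yml itself reads DOCKERHUB_* from
          # .env, it needs another mechanism - confirm against the compose file.
          printf 'IMAGE_NAME=%s\nIMAGE_TAG=%s\n' "$IMAGE_NAME" "$IMAGE_TAG" > .env
      - name: Copy compose files
        shell: bash
        env:
          REMOTE_HOST: ${{ inputs.remote_host }}
          REMOTE_PATH: ${{ inputs.remote_path }}
        run: |
          set -euo pipefail
          scp -- docker-compose.yml .env "${REMOTE_HOST}:${REMOTE_PATH}/"
      - name: Pull & restart containers
        shell: bash
        env:
          REMOTE_HOST: ${{ inputs.remote_host }}
          REMOTE_PATH: ${{ inputs.remote_path }}
          DOCKERHUB_USERNAME: ${{ secrets.dockerhub_username }}
          DOCKERHUB_PASSWORD: ${{ secrets.dockerhub_password }}
        run: |
          set -euo pipefail
          # Values are shell-quoted locally because the remote login shell
          # parses the command string again.
          remote_user=$(printf '%q' "$DOCKERHUB_USERNAME")
          remote_dir=$(printf '%q' "$REMOTE_PATH")
          # The password travels on stdin only: it is not on a command line
          # and not in a file copied to the host. `docker login` may still
          # store the credential in the remote Docker config unless a
          # credential helper is configured there.
          printf '%s' "$DOCKERHUB_PASSWORD" |
            ssh -- "$REMOTE_HOST" "docker login -u $remote_user --password-stdin"
          # Chained with && so a failed `cd` stops the deployment instead of
          # running compose in the wrong directory.
          ssh -- "$REMOTE_HOST" \
            "cd $remote_dir && docker compose pull && docker compose up -d"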