fix: harden private test deployment workflow

2026-03-28 23:10:48 +01:00
parent 2b9b46bd15
commit 06377eb335
4 changed files with 36 additions and 15 deletions
--- a/.env.test.example
+++ b/.env.test.example
@@ -1,5 +1,5 @@
 DJANGO_SECRET_KEY=change-me-long-random-value
-DJANGO_DEBUG=0
+DJANGO_DEBUG=1
 DJANGO_ALLOWED_HOSTS=192.168.2.55,localhost,127.0.0.1
 DJANGO_CSRF_TRUSTED_ORIGINS=http://192.168.2.55:8088
 DJANGO_SECURE_COOKIES=0
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -12,6 +12,23 @@ jobs:
    runs-on: ubuntu-latest
    environment: production
    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - name: Upload release bundle
+        uses: appleboy/scp-action@v1.0.0
+        with:
+          host: ${{ secrets.PROD_DEPLOY_HOST }}
+          username: ${{ secrets.PROD_DEPLOY_USER }}
+          key: ${{ secrets.PROD_DEPLOY_SSH_KEY }}
+          port: ${{ secrets.PROD_DEPLOY_PORT || 22 }}
+          source: "."
+          target: ${{ secrets.PROD_DEPLOY_PATH }}
+          rm: false
+          overwrite: true
+          strip_components: 0
+          exclude: ".git,.github,.venv,__pycache__,node_modules,backend/media,backend/staticfiles"
+
      - name: Deploy over SSH
        uses: appleboy/ssh-action@v1.2.0
        with:
@@ -21,13 +38,6 @@ jobs:
          port: ${{ secrets.PROD_DEPLOY_PORT || 22 }}
          script: |
            set -e
-            REPO_URL="git@github.com:${{ github.repository }}.git"
            DEPLOY_DIR="${{ secrets.PROD_DEPLOY_PATH }}"
-            if [ ! -d "$DEPLOY_DIR/.git" ]; then
-              git clone "$REPO_URL" "$DEPLOY_DIR"
-            fi
            cd "$DEPLOY_DIR"
-            git fetch --all --prune
-            git checkout main || git checkout -b main origin/main
-            git reset --hard origin/main
            RUN_DJANGO_CHECK=1 ./scripts/deploy_stack.sh .env.prod docker-compose.prod.yml
--- a/.github/workflows/deploy-test.yml
+++ b/.github/workflows/deploy-test.yml
@@ -15,6 +15,23 @@ jobs:
    runs-on: ubuntu-latest
    environment: development
    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - name: Upload release bundle
+        uses: appleboy/scp-action@v1.0.0
+        with:
+          host: ${{ secrets.TEST_DEPLOY_HOST }}
+          username: ${{ secrets.TEST_DEPLOY_USER }}
+          key: ${{ secrets.TEST_DEPLOY_SSH_KEY }}
+          port: ${{ secrets.TEST_DEPLOY_PORT || 22 }}
+          source: "."
+          target: ${{ secrets.TEST_DEPLOY_PATH }}
+          rm: false
+          overwrite: true
+          strip_components: 0
+          exclude: ".git,.github,.venv,__pycache__,node_modules,backend/media,backend/staticfiles"
+
      - name: Deploy over SSH
        uses: appleboy/ssh-action@v1.2.0
        with:
@@ -24,13 +41,6 @@ jobs:
          port: ${{ secrets.TEST_DEPLOY_PORT || 22 }}
          script: |
            set -e
-            REPO_URL="git@github.com:${{ github.repository }}.git"
            DEPLOY_DIR="${{ secrets.TEST_DEPLOY_PATH }}"
-            if [ ! -d "$DEPLOY_DIR/.git" ]; then
-              git clone "$REPO_URL" "$DEPLOY_DIR"
-            fi
            cd "$DEPLOY_DIR"
-            git fetch --all --prune
-            git checkout develop || git checkout -b develop origin/develop
-            git reset --hard ${{ github.sha }}
            RUN_DJANGO_CHECK=0 DEPLOY_HEALTH_URL="http://127.0.0.1:8088/healthz/" ./scripts/deploy_stack.sh .env.test docker-compose.prod.yml
--- a/scripts/deploy_stack.sh
+++ b/scripts/deploy_stack.sh
@@ -15,6 +15,7 @@ fi

 "${COMPOSE[@]}" build web worker caddy
 "${COMPOSE[@]}" up -d db redis
+"${COMPOSE[@]}" run --rm --user root web sh -c "mkdir -p /app/media/pdfs /app/staticfiles /app/backups && chown -R app:app /app/media /app/staticfiles /app/backups"
 "${COMPOSE[@]}" run --rm web python manage.py migrate --noinput
 "${COMPOSE[@]}" run --rm web python manage.py bootstrap_initial_users
 "${COMPOSE[@]}" run --rm web python manage.py collectstatic --noinput