From 06377eb33548cbfc34bc474afb901e08496ccfcb Mon Sep 17 00:00:00 2001
From: Md Bayazid Bostame
Date: Sat, 28 Mar 2026 23:10:48 +0100
Subject: [PATCH] fix: harden private test deployment workflow
---
 .env.test.example | 2 +-
 .github/workflows/deploy-prod.yml | 24 +++++++++++++++++-------
 .github/workflows/deploy-test.yml | 24 +++++++++++++++++-------
 scripts/deploy_stack.sh | 1 +
 4 files changed, 36 insertions(+), 15 deletions(-)
diff --git a/.env.test.example b/.env.test.example
index aec0f5e..e1c216c 100644
--- a/.env.test.example
+++ b/.env.test.example
@@ -1,5 +1,5 @@
 DJANGO_SECRET_KEY=change-me-long-random-value
-DJANGO_DEBUG=0
+DJANGO_DEBUG=1
 DJANGO_ALLOWED_HOSTS=192.168.2.55,localhost,127.0.0.1
 DJANGO_CSRF_TRUSTED_ORIGINS=http://192.168.2.55:8088
 DJANGO_SECURE_COOKIES=0
diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
index 557ca5f..a4ce23d 100644
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -12,6 +12,23 @@ jobs:
 runs-on: ubuntu-latest
 environment: production
 steps:
+ - name: Check out code
+ uses: actions/checkout@v5
+
+ - name: Upload release bundle
+ uses: appleboy/scp-action@v1.0.0
+ with:
+ host: ${{ secrets.PROD_DEPLOY_HOST }}
+ username: ${{ secrets.PROD_DEPLOY_USER }}
+ key: ${{ secrets.PROD_DEPLOY_SSH_KEY }}
+ port: ${{ secrets.PROD_DEPLOY_PORT || 22 }}
+ source: "."
+ target: ${{ secrets.PROD_DEPLOY_PATH }}
+ rm: false
+ overwrite: true
+ strip_components: 0
+ exclude: ".git,.github,.venv,__pycache__,node_modules,backend/media,backend/staticfiles"
+
 - name: Deploy over SSH
 uses: appleboy/ssh-action@v1.2.0
 with:
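Review bot: The `DJANGO_DEBUG=1` line makes every Django error page return full tracebacks, settings and request data, and the surrounding `DJANGO_ALLOWED_HOSTS` / `DJANGO_CSRF_TRUSTED_ORIGINS` lines show this host is served on a LAN address, so any client that reaches `192.168.2.55:8088` gets that output; for a commit titled "harden", this weakens the test deployment. Keep `DJANGO_DEBUG=0` as the example default and turn debug on only ad hoc on the box when a problem is being chased, or at least document the trade-off next to the key, e.g. `# DJANGO_DEBUG=1 exposes tracebacks and settings to every client; keep 0 unless actively debugging`. Whether the live `.env.test` mirrors this file is not visible here, so the actual exposure depends on what operators copy from it.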
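Review bot: The two new steps pin `actions/checkout@v5` and `appleboy/scp-action@v1.0.0` by mutable tag, and the scp step is handed `PROD_DEPLOY_SSH_KEY`, so a moved or compromised tag on either action can forward the production host's key to a third party; pin both to a full commit SHA with the tag kept as a comment, e.g. `uses: appleboy/scp-action@<full-40-char-commit-sha> # v1.0.0`. The identical steps in the deploy-test.yml hunk have the same gap. Separately, the removed script forced the tree to `origin/main`, whereas `actions/checkout` uploads whatever ref triggered the run; the workflow's `on:` block is outside this hunk, so if it allows `workflow_dispatch` or non-`main` branches, add `ref: main` under the checkout's `with:` or `if: github.ref == 'refs/heads/main'` on the job so production only ever receives `main`. With `rm: false` and `overwrite: true`, files deleted from the repository also stop being pruned on the host, which the old `git reset --hard` did; that looks intentional to protect the excluded `backend/media`, but a one-line comment on `rm: false` saying so would save the next reader the guess.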
@@ -21,13 +38,6 @@ jobs:
 port: ${{ secrets.PROD_DEPLOY_PORT || 22 }}
 script: |
 set -e
- REPO_URL="git@github.com:${{ github.repository }}.git"
 DEPLOY_DIR="${{ secrets.PROD_DEPLOY_PATH }}"
- if [ ! -d "$DEPLOY_DIR/.git" ]; then
- git clone "$REPO_URL" "$DEPLOY_DIR"
- fi
 cd "$DEPLOY_DIR"
- git fetch --all --prune
- git checkout main || git checkout -b main origin/main
- git reset --hard origin/main
 RUN_DJANGO_CHECK=1 ./scripts/deploy_stack.sh .env.prod docker-compose.prod.yml
diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml
index a9dcd01..2435b2e 100644
--- a/.github/workflows/deploy-test.yml
+++ b/.github/workflows/deploy-test.yml
@@ -15,6 +15,23 @@ jobs:
 runs-on: ubuntu-latest
 environment: development
 steps:
+ - name: Check out code
+ uses: actions/checkout@v5
+
+ - name: Upload release bundle
+ uses: appleboy/scp-action@v1.0.0
+ with:
+ host: ${{ secrets.TEST_DEPLOY_HOST }}
+ username: ${{ secrets.TEST_DEPLOY_USER }}
+ key: ${{ secrets.TEST_DEPLOY_SSH_KEY }}
+ port: ${{ secrets.TEST_DEPLOY_PORT || 22 }}
+ source: "."
+ target: ${{ secrets.TEST_DEPLOY_PATH }}
+ rm: false
+ overwrite: true
+ strip_components: 0
+ exclude: ".git,.github,.venv,__pycache__,node_modules,backend/media,backend/staticfiles"
+
 - name: Deploy over SSH
 uses: appleboy/ssh-action@v1.2.0
 with:
@@ -24,13 +41,6 @@ jobs:
 port: ${{ secrets.TEST_DEPLOY_PORT || 22 }}
 script: |
 set -e
- REPO_URL="git@github.com:${{ github.repository }}.git"
 DEPLOY_DIR="${{ secrets.TEST_DEPLOY_PATH }}"
- if [ ! -d "$DEPLOY_DIR/.git" ]; then
- git clone "$REPO_URL" "$DEPLOY_DIR"
- fi
 cd "$DEPLOY_DIR"
- git fetch --all --prune
- git checkout develop || git checkout -b develop origin/develop
- git reset --hard ${{ github.sha }}
 RUN_DJANGO_CHECK=0 DEPLOY_HEALTH_URL="http://127.0.0.1:8088/healthz/" ./scripts/deploy_stack.sh .env.test docker-compose.prod.yml
diff --git a/scripts/deploy_stack.sh b/scripts/deploy_stack.sh
index 7680bf7..fa9eb0f 100755
--- a/scripts/deploy_stack.sh
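Review bot: With the `git` lines gone, nothing on the host records which revision the remaining `cd "$DEPLOY_DIR"` / `./scripts/deploy_stack.sh` pair is deploying, whereas `git reset --hard origin/main` left that in `.git` for free; writing it next to the tree, `echo "${{ github.sha }}" > "$DEPLOY_DIR/.deployed-sha"`, keeps the version visible for incident review and rollback. The script also only has `set -e`, and an unset or blank `PROD_DEPLOY_PATH` secret expands `DEPLOY_DIR` to an empty string before the `cd`, so guard it explicitly: `[ -n "$DEPLOY_DIR" ] || { echo "PROD_DEPLOY_PATH is not set" >&2; exit 1; }`. The matching hunk in deploy-test.yml has the same two gaps with `TEST_DEPLOY_PATH`.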
+++ b/scripts/deploy_stack.sh
@@ -15,6 +15,7 @@ fi
 "${COMPOSE[@]}" build web worker caddy
 "${COMPOSE[@]}" up -d db redis
+"${COMPOSE[@]}" run --rm --user root web sh -c "mkdir -p /app/media/pdfs /app/staticfiles /app/backups && chown -R app:app /app/media /app/staticfiles /app/backups"
 "${COMPOSE[@]}" run --rm web python manage.py migrate --noinput
 "${COMPOSE[@]}" run --rm web python manage.py bootstrap_initial_users
 "${COMPOSE[@]}" run --rm web python manage.py collectstatic --noinput
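Review bot: The added root-run `chown -R app:app /app/media ...` walks the entire media tree on every deploy, so its runtime grows with the volume and it resets any ownership deliberately set beneath it, and the line carries no explanation of why a root container is needed here at all (presumably the mounted directories come up root-owned on first start; confirm). Since a fresh mount only needs its top-level directories owned by the app user, `chown app:app /app/media /app/media/pdfs /app/staticfiles /app/backups` without `-R` covers that case, with a one-off recursive fix run by hand if earlier deploys left root-owned files behind. Add a comment above the line such as `# mounted dirs are created root-owned; make them writable by the app user (image must define user "app")`, since the hunk does not show where `app:app` comes from.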