# .github/workflows/deploy.yml# Builds, pushes images, and deploys to producti

1. # .github/workflows/deploy.yml
2. # Builds, pushes images, and deploys to production server on push to main branch.
3. # FriendlyRussian666
4.  
5. name: Build and Deploy to Production
6.  
7. on:
8. push:
9. branches:
10. - main
11.  
12. jobs:
13. build-push-deploy:
14. name: Build, Push Docker Images and Deploy
15. runs-on: ubuntu-latest
16. permissions:
17. contents: read
18. packages: write # Needed to push to GHCR
19.  
20. steps:
21. - name: Checkout code
22. uses: actions/checkout@v4
23.  
24. # --- Docker Setup ---
25. - name: Set up Docker Buildx
26. uses: docker/setup-buildx-action@v3
27.  
28. - name: Log in to Github Container Registry
29. uses: docker/login-action@v3
30. with:
31. registry: ghcr.io
32. username: ${{ github.actor }}
33. password: ${{ secrets.GITHUB_TOKEN }}
34.  
35. # --- Metadata for Image Tagging ---
36. - name: Extract metadata (tags, labels) for Docker
37. id: meta # Single metadata step for all images
38. uses: docker/metadata-action@v5
39. with:
40. images: | # List all images to be built
41. ghcr.io/${{ github.repository }}/backend
42. ghcr.io/${{ github.repository }}/frontend
43. ghcr.io/${{ github.repository }}/nginx
44. tags: | # Define tags for the images
45. type=sha
46. type=raw,value=latest
47.  
48. # --- Build and Push Each Image ---
49. - name: Build and push Backend image
50. uses: docker/build-push-action@v5
51. with:
52. context: ./backend
53. file: ./backend/Dockerfile
54. push: true
55. tags: ${{ steps.meta.outputs.tags }}
56. labels: ${{ steps.meta.outputs.labels }}
57. image-name: ghcr.io/${{ github.repository }}/backend
58. cache-from: type=gha
59. cache-to: type=gha,mode=max
60.  
61. - name: Build and push Frontend image
62. uses: docker/build-push-action@v5
63. with:
64. context: ./frontend
65. file: ./frontend/Dockerfile
66. push: true
67. tags: ${{ steps.meta.outputs.tags }}
68. labels: ${{ steps.meta.outputs.labels }}
69. image-name: ghcr.io/${{ github.repository }}/frontend
70. cache-from: type=gha
71. cache-to: type=gha,mode=max
72.  
73. - name: Build and push Nginx image
74. uses: docker/build-push-action@v5
75. with:
76. context: ./nginx
77. file: ./nginx/Dockerfile
78. push: true
79. tags: ${{ steps.meta.outputs.tags }}
80. labels: ${{ steps.meta.outputs.labels }}
81. image-name: ghcr.io/${{ github.repository }}/nginx
82. cache-from: type=gha
83. cache-to: type=gha,mode=max
84.  
85. # --- Deploy to server ---
86. - name: Configure SSH
87. uses: webfactory/[email protected]
88. with:
89. ssh-private-key: ${{ secrets.PRODUCTION_SSH_PRIVATE_KEY }}
90.  
91. - name: Add Production Server to Known Hosts
92. run: |
93. mkdir -p ~/.ssh
94. ssh-keyscan -H ${{ secrets.PRODUCTION_SSH_HOST }} >> ~/.ssh/known_hosts
95. chmod 600 ~/.ssh/known_hosts ~/.ssh/config || true # Handle config file potentially not existing
96.  
97. - name: Deploy Application via SSH
98. env:
99. # Pass production secrets/env vars needed on the server
100. PRODUCTION_ENV_FILE_CONTENT: ${{ secrets.PRODUCTION_ENV_FILE }} # Full .env content
101. # Use the commit SHA for image tags during deployment
102. # This ensures we deploy the exact image we just built
103. IMAGE_TAG: ${{ github.sha }}
104. GHCR_USER: ${{ github.actor }}
105. GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
106. run: |
107. # Use ssh -T to prevent pseudo-terminal allocation issues
108. # Use single quotes around EOF to prevent local shell expansion
109. ssh -T ${{ secrets.PRODUCTION_SSH_USER }}@${{ secrets.PRODUCTION_SSH_HOST }} << 'EOF'
110. # Navigate to app directory on the server
111. # IMPORTANT: Set this path correctly! Verify it on your server.
112. export DEPLOY_DIR=/dev/project/yourprojectname # <------------------------ !!!
113. echo "Deploying to: $DEPLOY_DIR"
114. cd $DEPLOY_DIR || exit 1 # Exit if directory doesn't exist
115.  
116. # Stop execution if any command fails
117. set -e
118.  
119. # Create the .env file from the secret
120. echo "Creating .env file..."
121. # printf for safer handling of special characters in the secret
122. printf "%s\n" "$PRODUCTION_ENV_FILE_CONTENT" > .env
123. echo "Deployed SHA: $IMAGE_TAG at $(date)" >> .env
124.  
125. # Set image tags for docker-compose using environment variables
126. # Ensure docker-compose.yml uses these like image: ghcr.io/...:${IMAGE_TAG:-latest}
127. # These vars are exported for the subsequent docker compose commands
128. export IMAGE_TAG=$IMAGE_TAG # Use the commit SHA tag
129.  
130. # Login to GHCR on the server
131. echo "Logging into GHCR..."
132. echo $GHCR_TOKEN | docker login ghcr.io -u $GHCR_USER --password-stdin
133.  
134. # Pull the specific images tagged with the commit SHA
135. # Use the production docker-compose file (docker-compose.yml, I also have docker-compose.dev.yml, so this is important)
136. echo "Pulling images with tag: $IMAGE_TAG"
137. # Make sure your docker-compose.yml references the images like:
138. # image: ghcr.io/your_user/your_repo/backend:${IMAGE_TAG:-latest}
139. docker compose -f docker-compose.yml pull
140.  
141. # Stop/remove old containers, start new ones based on pulled images
142. echo "Starting application containers..."
143. docker compose -f docker-compose.yml up -d --remove-orphans
144.  
145. # Run Django migrations
146. echo "Running Database Migrations..."
147. # Use -T to disable pseudo-tty allocation for exec
148. docker compose -f docker-compose.yml exec -T backend python manage.py migrate --noinput
149.  
150. # If you want: Prune old Docker images/containers to save space
151. echo "Pruning Docker resources..."
152. docker image prune -af || true # Allow prune to fail harmlessly if nothing to prune
153. docker container prune -f || true
154. # Be cautious with volume prune in production - only if you are SURE you don't need old unnamed volumes
155. # docker volume prune -f || true
156.  
157. echo "Production Deployment Complete!"
158. EOF
159.