diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index 9cc229d..d706806 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml @@ -7,7 +7,7 @@ # Node.js: admin-compliance, developer-portal # # Workflow: -# Push auf main → Tests → Build → Deploy (Hetzner) +# Push auf main → Tests → Deploy (Coolify) # Pull Request → Lint + Tests (kein Deploy) name: CI/CD @@ -186,10 +186,11 @@ jobs: python scripts/validate-controls.py # ======================================== - # Build & Deploy auf Hetzner (nur main, kein PR) + # Deploy via Coolify (nur main, kein PR) # ======================================== - deploy-hetzner: + deploy-coolify: + name: Deploy runs-on: docker if: github.event_name == 'push' && github.ref == 'refs/heads/main' needs: @@ -198,92 +199,11 @@ jobs: - test-python-document-crawler - test-python-dsms-gateway - validate-canonical-controls - container: docker:27-cli + container: + image: alpine:latest steps: - - name: Deploy + - name: Trigger Coolify deploy run: | - set -euo pipefail - DEPLOY_DIR="/opt/breakpilot-compliance" - COMPOSE_FILES="-f docker-compose.yml -f docker-compose.hetzner.yml" - COMMIT_SHA="${GITHUB_SHA:-unknown}" - SHORT_SHA="${COMMIT_SHA:0:8}" - REPO_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" - - echo "=== BreakPilot Compliance Deploy ===" - echo "Commit: ${SHORT_SHA}" - echo "Deploy Dir: ${DEPLOY_DIR}" - echo "" - - # Der Runner laeuft in einem Container mit Docker-Socket-Zugriff, - # hat aber KEINEN direkten Zugriff auf das Host-Dateisystem. - # Loesung: Alpine-Helper-Container mit Host-Bind-Mount fuer Git-Ops. - - # 1. Repo auf dem Host erstellen/aktualisieren via Helper-Container - echo "=== Updating code on host ===" - docker run --rm \ - -v "${DEPLOY_DIR}:${DEPLOY_DIR}" \ - --entrypoint sh \ - alpine/git:latest \ - -c " - if [ ! -d '${DEPLOY_DIR}/.git' ]; then - echo 'Erstmaliges Klonen nach ${DEPLOY_DIR}...' - git clone '${REPO_URL}' '${DEPLOY_DIR}' - else - cd '${DEPLOY_DIR}' - git fetch origin main - git reset --hard origin/main - fi - " - echo "Code aktualisiert auf ${SHORT_SHA}" - - # 2. .env sicherstellen (muss einmalig manuell angelegt werden) - docker run --rm -v "${DEPLOY_DIR}:${DEPLOY_DIR}" alpine \ - sh -c " - if [ ! -f '${DEPLOY_DIR}/.env' ]; then - echo 'WARNUNG: ${DEPLOY_DIR}/.env fehlt!' - echo 'Bitte einmalig auf dem Host anlegen.' - echo 'Deploy wird fortgesetzt (Services starten ggf. mit Defaults).' - else - echo '.env vorhanden' - fi - " - - # 3. Build + Deploy via Helper-Container mit Docker-Socket + Deploy-Dir - # docker compose muss die YAML-Dateien lesen koennen, daher - # alles in einem Container mit beiden Mounts ausfuehren. - echo "" - echo "=== Building + Deploying ===" - docker run --rm \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -v "${DEPLOY_DIR}:${DEPLOY_DIR}" \ - -w "${DEPLOY_DIR}" \ - docker:27-cli \ - sh -c " - COMPOSE_FILES='-f docker-compose.yml -f docker-compose.hetzner.yml' - - echo '=== Building Docker Images ===' - docker compose \${COMPOSE_FILES} build --parallel \ - admin-compliance \ - backend-compliance \ - ai-compliance-sdk \ - developer-portal - - echo '' - echo '=== Starting containers ===' - docker compose \${COMPOSE_FILES} up -d --remove-orphans \ - admin-compliance \ - backend-compliance \ - ai-compliance-sdk \ - developer-portal - - echo '' - echo '=== Health Checks ===' - sleep 10 - for svc in bp-compliance-admin bp-compliance-backend bp-compliance-ai-sdk bp-compliance-developer-portal; do - STATUS=\$(docker inspect --format='{{.State.Status}}' \"\${svc}\" 2>/dev/null || echo 'not found') - echo \"\${svc}: \${STATUS}\" - done - " - - echo "" - echo "=== Deploy abgeschlossen: ${SHORT_SHA} ===" + apk add --no-cache curl + curl -sf "${{ secrets.COOLIFY_WEBHOOK }}" \ + -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"