


7a423b909c pipeline build v26 - TAG in GCP 2025-07-31 15:56:52 +00:00
5a1817e4f5 pipline build v26 - TAG GCP added, deploy_all.sh updated 2025-07-31 15:42:36 +00:00
3 changed files with 51 additions and 58 deletions

.env

@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
SERVER1_PORT=5000 SERVER1_PORT=5000
SERVER2_PORT=5001 SERVER2_PORT=5001
SERVER3_PORT=5002 SERVER3_PORT=5002
IMG_TAG=202507301457 IMG_TAG=202507311547


@ -1,52 +1,43 @@
steps: - name: ssh-test
ssh-test: image: google/cloud-sdk:latest
image: google/cloud-sdk:latest entrypoint:
entrypoint: - bash
- bash - -c
- -c - |
- | set -euo pipefail
set -euo pipefail
mkdir -p ~/.ssh mkdir -p ~/.ssh
# ── Inject known-hosts and SSH key ────────────────────────────── # ── Inject known-hosts and SSH key ──────────────────────────────
gcloud secrets versions access latest \ gcloud secrets versions access latest \
--secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \ --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
| base64 -d > ~/.ssh/known_hosts | base64 -d > ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts chmod 644 ~/.ssh/known_hosts
gcloud secrets versions access latest \ gcloud secrets versions access latest \
--secret=STAGING_SSH_KEY --project=aptivaai-dev \ --secret=STAGING_SSH_KEY --project=aptivaai-dev \
| base64 -d > ~/.ssh/id_ed25519 | base64 -d > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519
echo "🔑 SSH prerequisites installed" echo "🔑 SSH prerequisites installed"
# ── Grab full commit SHA and slice tag ────────────────────────── # ── Fetch canonical IMG_TAG ──────────────────────────────────────
echo "📦 CI_COMMIT_SHA: ${CI_COMMIT_SHA:-unset}" IMG_TAG=$(gcloud secrets versions access latest \
TAG="${CI_COMMIT_SHA:-}" --secret=IMG_TAG --project=aptivaai-dev)
if [ -z "$TAG" ]; then echo "📦 IMG_TAG=${IMG_TAG}"
echo "❌ CI_COMMIT_SHA is blank. Aborting."
exit 1
fi
TAG=$(echo "$TAG" | head -c 8)
echo "🚀 Deploying tag ${TAG} to staging"
# ── SSH into staging and refresh the stack ────────────────────── # ── SSH into staging and deploy ──────────────────────────────────
ssh -o StrictHostKeyChecking=yes \ ssh -o StrictHostKeyChecking=yes \
-i ~/.ssh/id_ed25519 \ -i ~/.ssh/id_ed25519 \
jcoakley@10.128.0.12 \ jcoakley@10.128.0.12 \
"export IMG_TAG=${TAG}; \ "export IMG_TAG=${IMG_TAG}; \
cd /home/jcoakley/aptiva-staging-app; \ cd /home/jcoakley/aptiva-staging-app; \
echo 'IMG_TAG = ${IMG_TAG}'; \ echo 'IMG_TAG = ${IMG_TAG}'; \
echo '→ Pulling containers'; \ docker compose pull; \
docker compose pull; \ docker compose up -d --force-recreate --remove-orphans; \
echo '→ Recreating services'; \ echo '✅ Staging stack refreshed with tag ${IMG_TAG}'"
docker compose up -d --force-recreate --remove-orphans; \
echo '✅ Staging stack refreshed with tag ${IMG_TAG}'"
environment: secrets: [ STAGING_SSH_KEY, STAGING_KNOWN_HOSTS ]
CI_COMMIT_SHA: ${CI_COMMIT_SHA}
when: when:
event: event:
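Review bot: The value read from the IMG_TAG secret is interpolated unvalidated into the remote command string (`"export IMG_TAG=${IMG_TAG}; \`), whereas the removed code both aborted on a blank CI_COMMIT_SHA and sliced it to 8 characters; now an empty or malformed secret version becomes part of a shell command executed on the staging host. Since deploy_all.sh stamps the tag as `date -u +%Y%m%d%H%M`, a strict check right after the assignment restores the old guarantees: `[[ "${IMG_TAG}" =~ ^[0-9]{12}$ ]] || { echo "❌ IMG_TAG secret is blank or malformed" >&2; exit 1; }`. Note also that `latest` is simply whatever deploy_all.sh pushed most recently, so this job appears to no longer deploy the commit that triggered it; if that coupling matters, pin an explicit secret version in the step rather than `latest`. The step's `when:` block at the end of the section looks cut off on this page.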


@ -2,14 +2,14 @@
set -euo pipefail set -euo pipefail
# ───────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────
# CONFIG adjust only the 4 lines below if you change projects # CONFIG adjust only these 4 if needed
# ───────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────
ENV=dev # secret suffix, e.g. JWT_SECRET_staging ENV=dev
PROJECT=aptivaai-dev PROJECT=aptivaai-dev
ROOT=/home/jcoakley/aptiva-dev1-app ROOT=/home/jcoakley/aptiva-dev1-app
REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
ENV_FILE="${ROOT}/.env" # ← holds NONsensitive values only ENV_FILE="${ROOT}/.env"
SECRETS=( SECRETS=(
JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
@ -19,21 +19,20 @@ SECRETS=(
cd "$ROOT" cd "$ROOT"
echo "🛠 Building frontend bundle" echo "🛠 Building frontend bundle"
npm ci --silent # installs if node_modules is missing/old npm ci --silent
npm run build npm run build
# ───────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────
# 1. Build ➔ Push ➔ Bump IMG_TAG in .env # 1. Build → Push → Stamp .env
# ───────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────
TAG=$(date -u +%Y%m%d%H%M) TAG=$(date -u +%Y%m%d%H%M)
echo "🔨 Building & pushing containers (tag = ${TAG})" echo "🔨 Building & pushing containers (tag = ${TAG})"
for svc in server1 server2 server3; do for svc in server1 server2 server3; do
docker build -f Dockerfile."$svc" -t "${REG}/${svc}:${TAG}" . docker build -f Dockerfile."$svc" -t "${REG}/${svc}:${TAG}" .
docker push "${REG}/${svc}:${TAG}" docker push "${REG}/${svc}:${TAG}"
done done
# keep .env for static, nonsensitive keys (ports, API_BASE…)
if grep -q '^IMG_TAG=' "$ENV_FILE"; then if grep -q '^IMG_TAG=' "$ENV_FILE"; then
sed -i "s/^IMG_TAG=.*/IMG_TAG=${TAG}/" "$ENV_FILE" sed -i "s/^IMG_TAG=.*/IMG_TAG=${TAG}/" "$ENV_FILE"
else else
@ -42,27 +41,30 @@ fi
echo "✅ .env updated with IMG_TAG=${TAG}" echo "✅ .env updated with IMG_TAG=${TAG}"
# ───────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────
# 2. Export secrets straight from Secret Manager # 1a. Publish IMG_TAG to Secret Manager (single source of truth)
# (they live only in this shell, never on disk)
# ───────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────
echo "🔐 Pulling ${ENV} secrets from Secret Manager" printf "%s" "${TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="$PROJECT"
echo "📦 IMG_TAG pushed to Secret Manager (no suffix)"
# ─────────────────────────────────────────────────────────────
# 2. Pull secrets into runtime (never written to disk)
# ─────────────────────────────────────────────────────────────
echo "🔐 Pulling secrets from Secret Manager"
for S in "${SECRETS[@]}"; do for S in "${SECRETS[@]}"; do
export "$S"="$(gcloud secrets versions access latest \ export "$S"="$(gcloud secrets versions access latest \
--secret="${S}_${ENV}" \ --secret="${S}_${ENV}" \
--project="$PROJECT")" --project="$PROJECT")"
done done
# A flag so we can see in the container env where they came from
export FROM_SECRETS_MANAGER=true export FROM_SECRETS_MANAGER=true
# ───────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────
# 3. Recreate the stack # 3. Re-create the container stack
# ───────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────
# Preserve only the variables dockercompose needs for expansion
preserve=IMG_TAG,FROM_SECRETS_MANAGER,REACT_APP_API_URL,$(IFS=,; echo "${SECRETS[*]}") preserve=IMG_TAG,FROM_SECRETS_MANAGER,REACT_APP_API_URL,$(IFS=,; echo "${SECRETS[*]}")
echo "🚀 docker compose up -d (env: $preserve)"
echo "🚀 docker compose up -d (with preserved env: $preserve)"
sudo --preserve-env="$preserve" docker compose up -d --force-recreate 2> >(grep -v 'WARN sudo --preserve-env="$preserve" docker compose up -d --force-recreate 2> >(grep -v 'WARN
\[0000\] \[0000\]