AcadeNice/corentin_wakdo
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
corentin_wakdo/.forgejo/workflows/deploy.yml
Imugiii 6428b30bbb
All checks were successful
CI / secret-scan (push) Successful in 13s
Details
CI / php-lint (push) Successful in 26s
Details
CI / static-tests (push) Successful in 56s
Details
CI / js-tests (push) Successful in 32s
Details
CI / secret-scan (pull_request) Successful in 11s
Details
CI / php-lint (pull_request) Successful in 21s
Details
CI / static-tests (pull_request) Successful in 50s
Details
CI / js-tests (pull_request) Successful in 29s
Details
feat(devops): CD push-based vers Vision (prod) + preuve de version 
Sur push main, le workflow Deploy ouvre une session SSH vers Vision ou une forced
command lance scripts/deploy.sh : le runner (Stark, sans socket Docker) ne pilote
pas Docker, il delegue a l'hote distant. La cle CI ne peut declencher que le
deploiement (forced command + options no-*, cle d'hote epinglee, BatchMode).

deploy.sh gagne un mode non-interactif (DEPLOY_YES), grave src/VERSION (SHA + date)
et alimente deploy.log. GET /api/health expose version + deployed_at lus depuis
src/VERSION : apres un deploiement, la sonde reflete le nouveau commit -> preuve
verifiable du CD cote app.

Mise en place cote Vision + secrets forge documentes dans
docs/architecture/deployment.md. Revue compliance : 1 must_fix integre (BatchMode).
2026-06-23 09:28:40 +00:00

45 lines
1.9 KiB
YAML
Raw Blame History

name: Deploy
# Deploiement continu (CD) vers Vision (prod) a chaque release sur main.
#
# Topologie : le runner tourne sur Stark (dev) et n'a pas le socket Docker. Il ne
# pilote donc PAS Docker lui-meme : il OUVRE une session SSH vers Vision (prod, hote
# distinct) ou une forced command (cote Vision) lance scripts/deploy.sh. La cle CI ne
# peut ainsi declencher QUE le deploiement, rien d'autre.
#
# main n'est alimentee que par des PR dev->main deja passees par la CI : le code
# deploye a donc deja ete teste. Voir docs/architecture/deployment.md pour la mise en
# place cote Vision (utilisateur deploy, forced command) et les secrets a creer.
on:
push:
branches: [main]
jobs:
deploy:
runs-on: docker
steps:
- name: Install SSH client
run: |
apt-get update -qq
apt-get install -y -qq openssh-client >/dev/null
- name: Deploy to Vision over SSH
env:
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
DEPLOY_KNOWN_HOSTS: ${{ secrets.DEPLOY_KNOWN_HOSTS }}
DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
DEPLOY_USER: ${{ vars.DEPLOY_USER }}
run: |
set -eu
install -d -m 700 ~/.ssh
printf '%s\n' "$DEPLOY_SSH_KEY" > ~/.ssh/id_deploy
chmod 600 ~/.ssh/id_deploy
# Cle d'hote epinglee (pas de TOFU) : la connexion echoue si Vision ne
# presente pas la cle attendue.
printf '%s\n' "$DEPLOY_KNOWN_HOSTS" > ~/.ssh/known_hosts
# Aucune commande passee : la forced command cote Vision lance deploy.sh.
# BatchMode : pas de prompt interactif (un echec d'auth echoue vite au lieu
# de pendre le job) ; ConnectTimeout borne l'attente si Vision est injoignable.
ssh -i ~/.ssh/id_deploy -o IdentitiesOnly=yes \
-o StrictHostKeyChecking=yes \
-o BatchMode=yes -o ConnectTimeout=15 \
"$DEPLOY_USER@$DEPLOY_HOST"
Reference in a new issue View git blame Copy permalink