88 lines
3.8 KiB
YAML
88 lines
3.8 KiB
YAML
name: Deploy Indiekit Blog
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Set up Node.js
|
|
uses: actions/setup-node@v3
|
|
with:
|
|
node-version: '18'
|
|
|
|
- name: Install dependencies
|
|
run: npm ci
|
|
|
|
- name: Build (if needed)
|
|
run: |
|
|
# Add build steps if your project requires them
|
|
echo "No build step required"
|
|
|
|
- name: Deploy to FreeBSD host and jail
|
|
uses: appleboy/ssh-action@v0.1.10
|
|
with:
|
|
host: ${{ secrets.FREEBSD_HOST }}
|
|
username: ${{ secrets.FREEBSD_DEPLOY_USER }}
|
|
key: ${{ secrets.FREEBSD_DEPLOY_SSH_KEY }}
|
|
port: 222
|
|
script: |
|
|
set -eu
|
|
restart_log=/tmp/indiekit-restart.log
|
|
|
|
# Ensure native sharp build prerequisites are present in the jail.
|
|
sudo bastille cmd node sh -lc 'env ASSUME_ALWAYS_YES=yes pkg update -f >/dev/null'
|
|
sudo bastille cmd node sh -lc 'env ASSUME_ALWAYS_YES=yes pkg install -y vips pkgconf python3 gmake'
|
|
|
|
# Update code and dependencies as indiekit user inside the jail.
|
|
sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && git pull origin main && npm ci && install -m 755 start.example.sh start.sh"'
|
|
|
|
# Build sharp against jail libraries and verify runtime load.
|
|
sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && npm rebuild sharp --build-from-source"'
|
|
sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && node -e \"require(\\\"sharp\\\"); console.log(\\\"sharp runtime OK\\\")\""'
|
|
|
|
# Ensure env file exists and contains auth secrets required by start.sh.
|
|
sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && test -f .env"'
|
|
sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && if ! (grep -Eq \"^SECRET=.*\" .env && grep -Eq \"^PASSWORD_SECRET=.*\" .env); then echo \"Missing SECRET or PASSWORD_SECRET in /usr/local/indiekit/.env\"; exit 1; fi"'
|
|
|
|
# Validate startup prerequisites before touching the running service.
|
|
sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs"'
|
|
|
|
# Restart asynchronously to avoid hanging SSH sessions when rc scripts keep stdout open.
|
|
sudo bastille cmd node sh -lc "nohup service indiekit restart >${restart_log} 2>&1 </dev/null &"
|
|
|
|
# Give the process time to boot and pass preflight checks.
|
|
attempts=0
|
|
max_attempts=30
|
|
while [ "$attempts" -lt "$max_attempts" ]; do
|
|
if sudo bastille cmd node pgrep -f "indiekit serve" >/dev/null 2>&1; then
|
|
echo "Indiekit restart triggered and process is running."
|
|
exit 0
|
|
fi
|
|
|
|
attempts=$((attempts + 1))
|
|
sleep 2
|
|
done
|
|
|
|
echo "Indiekit process not found after restart."
|
|
sudo bastille cmd node sh -lc "tail -n 120 ${restart_log} || true"
|
|
sudo bastille cmd node sh -lc 'service indiekit onestatus || true'
|
|
sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs" || true'
|
|
exit 1
|
|
# Optionally reload nginx on web jail
|
|
# - name: Reload nginx
|
|
# uses: appleboy/ssh-action@v0.1.10
|
|
# with:
|
|
# host: ${{ secrets.FREEBSD_WEB_HOST }}
|
|
# username: ${{ secrets.FREEBSD_WEB_USER }}
|
|
# key: ${{ secrets.FREEBSD_WEB_SSH_KEY }}
|
|
# port: ${{ secrets.FREEBSD_WEB_PORT }}
|
|
# script: sudo service nginx reload
|
|
|