thoughtswap-ts/.github/workflows/deploy.yml at main · Lab-Lab-Lab/thoughtswap-ts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
# ──────────────────────────────────────────────────────────────────────────────
# ThoughtSwap – Deploy to Google Cloud Run
# Triggers on every push to the `production` branch.
#
# Required GitHub Secrets:
#   GCP_SA_KEY              – Service-account JSON key (roles: Cloud Run Admin,
#                             Artifact Registry Writer, Cloud SQL Client,
#                             Service Account User)
#   GCP_PROJECT_ID          – Google Cloud project ID
#   CLOUD_SQL_INSTANCE      – Cloud SQL instance connection name
#                             (e.g. my-project:us-east4:my-instance)
#   DATABASE_URL            – Prisma connection string for Cloud SQL
#                             postgresql://USER:PASS@localhost/DB?host=/cloudsql/PROJECT:REGION:INSTANCE
#   FRONTEND_URL            – Public URL of the client (used for CORS)
#   SERVER_URL              – Public URL of the server Cloud Run service
#   CANVAS_BASE_URL         – Canvas LMS base URL
#   CANVAS_CLIENT_ID        – Canvas OAuth client ID
#   CANVAS_CLIENT_SECRET    – Canvas OAuth client secret
#   CANVAS_REDIRECT_URI     – Canvas OAuth redirect URI
# ──────────────────────────────────────────────────────────────────────────────

name: Deploy to Cloud Run

on:
  push:
    branches: [production]

env:
  REGION: us-east4
  GAR_LOCATION: us-east4-docker.pkg.dev
  REPOSITORY: thoughtswap
  SERVER_SERVICE: thoughtswap-server
  CLIENT_SERVICE: thoughtswap-client

jobs:
  # ── 1. Build & push Docker images to Artifact Registry ─────────────────────
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v2

      - name: Configure Docker for Artifact Registry
        run: gcloud auth configure-docker ${{ env.GAR_LOCATION }} --quiet

      # The server Dockerfile runs `prisma generate` which does NOT connect to
      # the database – a placeholder URL is fine at build time.
      - name: Build & push server image
        run: |
          docker build \
            -f packages/server/Dockerfile \
            --build-arg DATABASE_URL="postgresql://build:build@localhost:5432/placeholder" \
            -t "${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-server:${{ github.sha }}" \
            -t "${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-server:latest" \
            .
          docker push "${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-server:${{ github.sha }}"
          docker push "${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-server:latest"

      - name: Build & push client image
        run: |
          docker build \
            -f packages/client/Dockerfile.prod \
            -t "${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-client:${{ github.sha }}" \
            -t "${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-client:latest" \
            .
          docker push "${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-client:${{ github.sha }}"
          docker push "${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-client:latest"

  # ── 2. Deploy the server (API + WebSocket) to Cloud Run ────────────────────
  deploy-server:
    runs-on: ubuntu-latest
    needs: build-and-push
    permissions:
      contents: read
      id-token: write
    outputs:
      server_url: ${{ steps.deploy.outputs.url }}

    steps:
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Deploy server to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v2
        with:
          service: ${{ env.SERVER_SERVICE }}
          image: ${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-server:${{ github.sha }}
          region: ${{ env.REGION }}
          # --session-affinity keeps Socket.IO clients pinned to the same
          # instance so in-memory room state works correctly.
          flags: >-
            --add-cloudsql-instances=${{ secrets.CLOUD_SQL_INSTANCE }}
            --allow-unauthenticated
            --port=3001
            --memory=512Mi
            --cpu=1
            --min-instances=0
            --max-instances=5
            --session-affinity
          env_vars: |
            RUN_MIGRATIONS=true
            FRONTEND_URL=${{ secrets.FRONTEND_URL }}
            CANVAS_BASE_URL=${{ secrets.CANVAS_BASE_URL }}
            CANVAS_CLIENT_ID=${{ secrets.CANVAS_CLIENT_ID }}
            CANVAS_CLIENT_SECRET=${{ secrets.CANVAS_CLIENT_SECRET }}
            CANVAS_REDIRECT_URI=${{ secrets.CANVAS_REDIRECT_URI }}
            DATABASE_URL=${{ secrets.DATABASE_URL }}

  # ── 3. Deploy the client (Nginx static + reverse-proxy) to Cloud Run ───────
  deploy-client:
    runs-on: ubuntu-latest
    needs: [build-and-push, deploy-server]
    permissions:
      contents: read
      id-token: write
    outputs:
      client_url: ${{ steps.deploy.outputs.url }}

    steps:
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Validate SERVER_URL secret
        run: |
          test -n "${{ secrets.SERVER_URL }}" || (echo "SERVER_URL secret is empty" && exit 1)
          echo "${{ secrets.SERVER_URL }}" | grep -E '^https?://' >/dev/null || (echo "SERVER_URL must start with http:// or https://" && exit 1)

      - name: Deploy client to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v2
        with:
          service: ${{ env.CLIENT_SERVICE }}
          image: ${{ env.GAR_LOCATION }}/${{ secrets.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}/ts-client:${{ github.sha }}
          region: ${{ env.REGION }}
          flags: >-
            --allow-unauthenticated
            --port=8080
            --memory=256Mi
            --cpu=1
            --min-instances=0
            --max-instances=3
          env_vars: |
            SERVER_URL=${{ secrets.SERVER_URL }}

  # ── 4. Post-deploy summary ─────────────────────────────────────────────────
  post-deploy:
    runs-on: ubuntu-latest
    needs: [deploy-server, deploy-client]

    steps:
      - name: Print deployment summary
        run: |
          echo "## ✅ Deployment Complete"                            >> "$GITHUB_STEP_SUMMARY"
          echo ""                                                     >> "$GITHUB_STEP_SUMMARY"
          echo "| Service  | URL |"                                   >> "$GITHUB_STEP_SUMMARY"
          echo "| -------- | --- |"                                   >> "$GITHUB_STEP_SUMMARY"
          echo "| Server   | ${{ needs.deploy-server.outputs.server_url }} |" >> "$GITHUB_STEP_SUMMARY"
          echo "| Client   | ${{ needs.deploy-client.outputs.client_url }} |" >> "$GITHUB_STEP_SUMMARY"