dev_deploy.yml

name: Dev Deploy

on:
  workflow_run:
    workflows:
      - CI Checks
    types:
      - completed

permissions:
  contents: read
  packages: write

env:
  DOCKER_IMAGE_NAME: ${{ vars.DOCKER_IMAGE_NAME }}
  SHA_TAG: ${{ github.event.workflow_run.head_sha }}
  IMAGE: ghcr.io/${{ github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }}

concurrency:
  group: dev_deploy
  cancel-in-progress: false

jobs:
  build_and_push_image:
    name: Build and push commit image
    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'dev'
    uses: ./.github/workflows/build_and_push_image.yml
    with:
      ref: ${{ github.event.workflow_run.head_sha }}
      image_tag: ${{ github.event.workflow_run.head_sha }}
      push: true

  deploy_dev:
    name: Deploy commit image to dev
    needs: [build_and_push_image]
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - name: Trigger VM deploy gate (dev)
        uses: appleboy/ssh-action@v1.2.3
        with:
          host: ${{ secrets.VM_HOST }}
          username: ${{ secrets.VM_USERNAME }}
          key: ${{ secrets.VM_SSH_KEY }}
          fingerprint: ${{ secrets.VM_FINGERPRINT }}
          script: dev ${{ env.SHA_TAG }}

  tag_dev:
    name: Tag deployed commit image as dev
    needs: [deploy_dev]
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
      - name: GHCR login
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Retag commit image as dev
        run: |
          docker pull "${IMAGE}:${SHA_TAG}"
          docker tag "${IMAGE}:${SHA_TAG}" "${IMAGE}:dev"
          docker push "${IMAGE}:dev"

  cleanup_ghcr:
    name: Cleanup old package versions in GHCR
    needs: [tag_dev]
    uses: ./.github/workflows/ghcr_cleanup.yml
    with:
      keep_sha_tags: 20