useblacksmith · devin-ai-integration · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026
diff --git a/.github/workflows/build-and-deploy.yaml b/.github/workflows/build-and-deploy.yaml
@@ -0,0 +1,184 @@
+name: Build and Deploy
+
+on:
+  push:
+    branches:
+      - main
+      - production
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "Branch to deploy (main/production)"
+        required: true
+        type: choice
+        options:
+          - main
+          - production
+        default: "main"
+      run_deployment:
+        description: "Run ansible deployment after build"
+        required: true
+        type: boolean
+        default: false
+
+concurrency:
+  group: "build-and-deploy-${{ github.ref == 'refs/heads/production' && 'production' || github.event.inputs.branch == 'production' && 'production' || 'staging' }}"
+  cancel-in-progress: false
+
+jobs:
+  build-and-deploy:
+    runs-on: blacksmith-8vcpu-ubuntu-2204
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.branch || github.ref }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Build binary
+        run: |
+          export GO=go
+          make build
+          cp bin/smart-git-proxy ./smart-git-proxy
+
+      - name: Run tests
+        if: github.event_name == 'pull_request'
+        run: go test ./...
+
+      - name: Install rclone
+        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' || github.event_name == 'workflow_dispatch'
+        run: curl https://rclone.org/install.sh | sudo bash
+
+      - name: Configure rclone
+        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' || github.event_name == 'workflow_dispatch'
+        env:
+          R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+        run: |
+          mkdir -p ~/.config/rclone
+          printf '[r2]\ntype = s3\nprovider = Cloudflare\naccess_key_id = %s\nsecret_access_key = %s\nendpoint = https://1ede90a8395416f286ba9f692dc6bacf.r2.cloudflarestorage.com\n' \
+            "$R2_ACCESS_KEY_ID" "$R2_SECRET_ACCESS_KEY" > ~/.config/rclone/rclone.conf
+
+      - name: Push binary to R2
+        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' || github.event_name == 'workflow_dispatch'
+        run: |
+          SHA=$(git rev-parse HEAD)
+          echo "SHA=$SHA" >> $GITHUB_ENV
+          if [[ "$GITHUB_REF" == "refs/heads/production" || "${{ github.event.inputs.branch }}" == "production" ]]; then
+            rclone copy ./smart-git-proxy r2:useblacksmith/smart-git-proxy/production/$SHA
+          else
+            rclone copy ./smart-git-proxy r2:useblacksmith/smart-git-proxy/main/$SHA
+          fi
+
+      - name: Determine deploy target
+        id: deploy-target
+        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run_deployment == 'true')
+        run: |
+          if [[ "$GITHUB_REF" == "refs/heads/production" || "${{ github.event.inputs.branch }}" == "production" ]]; then
+            echo "env=production" >> $GITHUB_OUTPUT
+            echo "branch=production" >> $GITHUB_OUTPUT
+          else
+            echo "env=staging" >> $GITHUB_OUTPUT
+            echo "branch=${{ github.event.inputs.branch || github.ref_name }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Set up Python
+        if: steps.deploy-target.outcome == 'success'
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+
+      - name: Install Ansible
+        if: steps.deploy-target.outcome == 'success'
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible
+
+      - name: Connect to Tailscale
+        if: steps.deploy-target.outcome == 'success'
+        uses: tailscale/github-action@v3
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:ci
+
+      - name: Create Ansible Vault password file
+        if: steps.deploy-target.outcome == 'success'
+        run: echo "${{ secrets.ANSIBLE_SECRET }}" > ~/vault-password.txt
+
+      - name: Check host connectivity
+        if: steps.deploy-target.outcome == 'success'
+        working-directory: ansible
+        run: |
+          sleep 10
+          if [[ "${{ steps.deploy-target.outputs.env }}" == "production" ]]; then
+            INVENTORY_FILES="production-usw.ini production-euw.ini production-euc.ini"
+          else
+            INVENTORY_FILES="staging.ini"
+          fi
+          for INVENTORY_FILE in $INVENTORY_FILES; do
+            echo "=== Checking hosts in $INVENTORY_FILE ==="
+            HOSTS=$(ansible-inventory -i $INVENTORY_FILE --list | jq -r '._meta.hostvars | keys[]')
+            if [ -z "$HOSTS" ]; then
+              echo "warning: no hosts found in $INVENTORY_FILE, skipping"
+              continue
+            fi
+            for host in $HOSTS; do
+              echo "Testing connectivity to $host..."
+              start_time=$(date +%s)
+              while true; do
+                if tailscale ping -c 1 --timeout=5s $host >/dev/null 2>&1; then
+                  echo "$host is reachable"
+                  break
+                fi
+                current_time=$(date +%s)
+                elapsed=$((current_time - start_time))
+                if [ $elapsed -ge 30 ]; then
+                  echo "error: timeout after 30s waiting for $host"
+                  exit 1
+                fi
+                echo "Waiting for $host... (${elapsed}s elapsed)"
+                sleep 5
+              done
+            done
+          done
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: "False"
+
+      - name: Run Ansible rolling deploy
+        id: ansible-deploy
+        if: steps.deploy-target.outcome == 'success'
+        working-directory: ansible
+        run: |
+          BRANCH_ARG="-e branch=${{ steps.deploy-target.outputs.branch }}"
+          if [[ "${{ steps.deploy-target.outputs.env }}" == "production" ]]; then
+            for REGION_INI in production-usw.ini production-euw.ini production-euc.ini; do
+              echo "=== Rolling region: $REGION_INI ==="
+              ANSIBLE_CONFIG=./ansible.cfg ansible-playbook -i "$REGION_INI" \
+                --vault-password-file ~/vault-password.txt \
+                roll.yaml $BRANCH_ARG -v
+            done
+          else
+            ANSIBLE_CONFIG=./ansible.cfg ansible-playbook -i staging.ini \
+              --vault-password-file ~/vault-password.txt \
+              roll.yaml $BRANCH_ARG -v
+          fi
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: "False"
+
+      - name: Send Slack notification on failure
+        if: failure()
+        uses: slackapi/slack-github-action@v1
+        with:
+          payload: |
+            {
+              "text": "Ansible deploy failed for smart-git-proxy! Branch: ${{ github.ref_name || github.event.inputs.branch }}, Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: "https://hooks.slack.com/services/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"