Add production CI/CD deployment pipeline

Add GHCR image build/push and SSH-based server deployment workflow, production compose/env templates, and deployment script. Also fix frontend container healthcheck target and extend Docker CI with frontend health verification. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-15 22:54:14 +02:00
parent 7ef16ff4c7
commit 88260e1e9a
8 changed files with 285 additions and 6 deletions
@@ -0,0 +1,34 @@
+# Required image/deployment settings
+GHCR_OWNER=denshooter
+IMAGE_TAG=latest
+
+# Host ports
+FRONTEND_PORT=3000
+BACKEND_PORT=5000
+
+# PostgreSQL
+POSTGRES_USER=monitoring
+POSTGRES_PASSWORD=replace-with-strong-password
+POSTGRES_DB=monitoring
+
+# App URLs and backend CORS
+NEXT_PUBLIC_APP_URL=https://monitoring.example.com
+CORS_ORIGIN=https://monitoring.example.com
+
+# Supabase
+NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
+NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
+SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
+DATABASE_URL=postgresql://postgres:[PASSWORD]@db.[PROJECT-REF].supabase.co:5432/postgres
+
+# Security
+CRON_SECRET=replace-with-random-secret
+
+# Optional notifications
+LIGHTHOUSE_SERVICE_URL=http://backend:5000
+RESEND_API_KEY=
+SMTP_HOST=
+SMTP_PORT=
+SMTP_USER=
+SMTP_PASSWORD=
+SMTP_FROM=
@@ -0,0 +1,70 @@
+services:
+  db:
+    image: postgres:16-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: ${POSTGRES_DB}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  backend:
+    image: ghcr.io/${GHCR_OWNER}/cloudlense-backend:${IMAGE_TAG:-latest}
+    restart: unless-stopped
+    depends_on:
+      db:
+        condition: service_healthy
+    ports:
+      - "${BACKEND_PORT:-5000}:5000"
+    environment:
+      PORT: 5000
+      NODE_ENV: production
+      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+      CORS_ORIGIN: ${CORS_ORIGIN}
+      CHROME_PATH: /usr/bin/chromium
+    healthcheck:
+      test: ["CMD-SHELL", "node -e \"const h=require('http');h.get('http://localhost:5000/health',(r)=>process.exit(r.statusCode===200?0:1)).on('error',()=>process.exit(1))\""]
+      interval: 15s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+  frontend:
+    image: ghcr.io/${GHCR_OWNER}/cloudlense-frontend:${IMAGE_TAG:-latest}
+    restart: unless-stopped
+    depends_on:
+      backend:
+        condition: service_healthy
+    ports:
+      - "${FRONTEND_PORT:-3000}:3000"
+    environment:
+      NODE_ENV: production
+      NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL}
+      NEXT_PUBLIC_SUPABASE_URL: ${NEXT_PUBLIC_SUPABASE_URL}
+      NEXT_PUBLIC_SUPABASE_ANON_KEY: ${NEXT_PUBLIC_SUPABASE_ANON_KEY}
+      SUPABASE_SERVICE_ROLE_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
+      DATABASE_URL: ${DATABASE_URL}
+      CORS_ORIGIN: ${CORS_ORIGIN}
+      CRON_SECRET: ${CRON_SECRET}
+      LIGHTHOUSE_SERVICE_URL: ${LIGHTHOUSE_SERVICE_URL:-http://backend:5000}
+      RESEND_API_KEY: ${RESEND_API_KEY:-}
+      SMTP_HOST: ${SMTP_HOST:-}
+      SMTP_PORT: ${SMTP_PORT:-}
+      SMTP_USER: ${SMTP_USER:-}
+      SMTP_PASSWORD: ${SMTP_PASSWORD:-}
+      SMTP_FROM: ${SMTP_FROM:-}
+    healthcheck:
+      test: ["CMD-SHELL", "node -e \"const h=require('http');h.get('http://localhost:3000',(r)=>process.exit(r.statusCode===200?0:1)).on('error',()=>process.exit(1))\""]
+      interval: 15s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+
+volumes:
+  postgres_data:
@@ -33,7 +33,7 @@ services:
      CHROME_PATH: /usr/bin/chromium
      NODE_ENV: production
    healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:5000/health || exit 1"]
+      test: ["CMD-SHELL", "node -e \"const h=require('http');h.get('http://localhost:5000/health',(r)=>process.exit(r.statusCode===200?0:1)).on('error',()=>process.exit(1))\""]
      interval: 15s
      timeout: 10s
      retries: 3
@@ -55,7 +55,7 @@ services:
      NEXT_PUBLIC_SUPABASE_ANON_KEY: ${NEXT_PUBLIC_SUPABASE_ANON_KEY:-}
      NODE_ENV: production
    healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:3000 || exit 1"]
+      test: ["CMD-SHELL", "node -e \"const h=require('http');h.get('http://localhost:3000',(r)=>process.exit(r.statusCode===200?0:1)).on('error',()=>process.exit(1))\""]
      interval: 15s
      timeout: 10s
      retries: 3
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+require_env() {
+  local name="$1"
+  if [[ -z "${!name:-}" ]]; then
+    echo "Missing required environment variable: $name" >&2
+    exit 1
+  fi
+}
+
+require_env "GHCR_USERNAME"
+require_env "GHCR_READ_TOKEN"
+require_env "GHCR_OWNER"
+require_env "IMAGE_TAG"
+
+if [[ ! -f ".env" ]]; then
+  echo "Missing .env in deployment directory. Create it from devops/.env.production.example." >&2
+  exit 1
+fi
+
+echo "${GHCR_READ_TOKEN}" | docker login ghcr.io -u "${GHCR_USERNAME}" --password-stdin
+
+IMAGE_TAG="${IMAGE_TAG}" GHCR_OWNER="${GHCR_OWNER}" docker compose -f docker-compose.prod.yml --env-file .env pull
+IMAGE_TAG="${IMAGE_TAG}" GHCR_OWNER="${GHCR_OWNER}" docker compose -f docker-compose.prod.yml --env-file .env up -d --remove-orphans
+
+docker compose -f docker-compose.prod.yml --env-file .env ps