-
Notifications
You must be signed in to change notification settings - Fork 108
Expand file tree
/
Copy pathdeploy.php
More file actions
243 lines (201 loc) · 7.22 KB
/
deploy.php
File metadata and controls
243 lines (201 loc) · 7.22 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
<?php
declare(strict_types=1);
namespace Deployer;
require 'recipe/symfony.php';
require 'contrib/slack.php';
// ---------------------------------------------------
// Configuration via environment variables
// ---------------------------------------------------
set('default_timeout', 6000);
// Project name and repository
set('application', getenv('APP_NAME') ?: 'Catroweb');
set('php_fpm_version', getenv('PHP_FPM_VERSION') ?: '8.5');
set('repository', getenv('DEPLOY_GIT') ?: 'https://github.com/Catrobat/Catroweb.git');
set('git_tty', false);
// Slack configuration
set('slack_webhook', getenv('SLACK_WEBHOOK') ?? '');
set('slack_text', 'Web-Team deploying `{{branch}}` to *{{target}}*');
set('slack_success_text', 'Deploy to *{{target}}* successful');
set('slack_success_color', '#4BB543');
// Symfony environment
set('symfony_env', 'prod');
set('writable_recursive', true);
set('http_user', 'www-data');
set('writable_mode', 'acl');
// Shared directories
set('shared_dirs', [
'var/log',
'var/sessions',
'public/resources',
'.jwt',
]);
// Shared files between releases
add('shared_files', [
'.env.prod.local', // keep only production .env
'google_cloud_key.json',
'.dkim/private.key',
]);
// Writable directories
set('writable_dirs', [
'var/cache',
'var/log',
'var/sessions',
'public/resources',
]);
// Symfony directories
set('bin_dir', 'bin');
set('var_dir', 'var');
set('web_dir', 'public');
set('public_dir', 'public');
set('allow_anonymous_stats', false);
// Hosts
$deployShare = getenv('DEPLOY_HOST') ?: '127.0.0.1';
$deployUser = getenv('DEPLOY_USER') ?: 'deploy';
$deployBranch = getenv('DEPLOY_BRANCH') ?: 'main';
host($deployShare)
->set('labels', ['stage' => 'share'])
->set('symfony_env', 'prod')
->set('branch', $deployBranch)
->set('deploy_path', '/var/www/share')
->set('remote_user', $deployUser)
;
// ---------------------------------------------------
// Tasks
// ---------------------------------------------------
// Manually define this task because deployer uses the old symfony structure with web instead of
// public. Change this when deployer gets updated.
task('install:assets', function () {
run('{{bin/console}} assets:install --symlink --relative public');
});
// For such sudo commands to work, the server must allow those commands without a password
// change the sudoers file if needed!
task('restart:nginx', function () {
run('sudo /usr/sbin/service nginx restart');
});
task('restart:php-fpm', function () {
run('sudo /usr/sbin/service php{{php_fpm_version}}-fpm restart');
});
// Sync nsfw-scanner sources to /opt/nsfw-scanner and rebuild the container only
// when the source files actually changed (model download is multi-minute). On
// first run after switching from raw `docker run` to compose, the legacy
// container is force-removed so compose can take over the `nsfw-scanner` name.
// Requires the deploy user to be in the `docker` group on the prod host and
// to own /opt/nsfw-scanner (e.g. chown -R deploy:deploy /opt/nsfw-scanner).
task('restart:nsfw-scanner', function () {
$dst = '/opt/nsfw-scanner';
if (!test("[ -d {$dst} ]")) {
info('nsfw-scanner not installed on this host, skipping');
return;
}
$src = '{{release_path}}/docker/nsfw-scanner';
$hashCmd = "find %s -type f -exec sha256sum {} + | sort | sha256sum | cut -d' ' -f1";
$srcHash = trim(run(sprintf($hashCmd, $src)));
$dstHash = trim(run(sprintf($hashCmd, $dst)));
if ($srcHash === $dstHash) {
info('nsfw-scanner sources unchanged, skipping rebuild');
return;
}
info('nsfw-scanner sources changed, rebuilding');
// -rlt (not -a): skip owner/group preservation since the deploy user is not root
run("rsync -rlt --delete {$src}/ {$dst}/");
$composeProject = trim(run("docker inspect nsfw-scanner --format '{{index .Config.Labels \"com.docker.compose.project\"}}' 2>/dev/null || true"));
if ('' === $composeProject) {
info('Migrating nsfw-scanner from raw docker-run to docker compose');
run('docker rm -f nsfw-scanner 2>/dev/null || true');
}
run("cd {$dst} && docker compose -f docker-compose.prod.yaml up -d --build");
});
task('install:yarn', function () {
cd('{{release_path}}');
run('mkdir -p .corepack-bin && corepack enable --install-directory=.corepack-bin');
run('export PATH={{release_path}}/.corepack-bin:$PATH && corepack prepare yarn@4.12.0 --activate && yarn install --immutable');
});
task('deploy:encore', function () {
cd('{{release_path}}');
run('export PATH={{release_path}}/.corepack-bin:$PATH && yarn run prod');
});
task('deploy:jwt', function () {
cd('{{release_path}}');
run('sh docker/app/init-jwt-config.sh');
});
task('update:achievements', function () {
cd('{{release_path}}');
run('bin/console catrobat:update:achievements');
});
task('update:tags', function () {
cd('{{release_path}}');
run('bin/console catrobat:update:tags');
});
task('update:extensions', function () {
cd('{{release_path}}');
run('bin/console catrobat:update:extensions');
});
task('update:flavors', function () {
cd('{{release_path}}');
run('bin/console catrobat:update:flavors');
});
task('update:special', function () {
cd('{{release_path}}');
run('bin/console catrobat:update:special');
});
// dump the .env file as .env.local.php to speed up the loading of the env vars
task('dump:env', function () {
cd('{{release_path}}');
run('bin/console dotenv:dump prod');
});
// Smoke test: verify the health endpoint after deployment
task('smoke_test', function () {
$maxRetries = 5;
$retryDelay = 5;
for ($i = 1; $i <= $maxRetries; ++$i) {
$result = run('curl -sf -o /dev/null -w "%{http_code}" -H "Host: share.catrobat.org" https://localhost/api/health --max-time 10 -k || echo "000"');
if ('200' === trim($result)) {
info("Health check passed (attempt {$i})");
return;
}
warning("Health check attempt {$i}/{$maxRetries} returned HTTP {$result}");
if ($i === $maxRetries) {
$body = run('curl -s -H "Host: share.catrobat.org" https://localhost/api/health --max-time 10 -k || echo "N/A"');
warning("Final health check failed. Response body: {$body}");
}
if ($i < $maxRetries) {
sleep($retryDelay);
}
}
throw new \RuntimeException("Health check failed after {$maxRetries} attempts (Final HTTP Code: {$result})");
});
// ---------------------------------------------------
// Main deployment task
// ---------------------------------------------------
desc('Start the deployment process');
task('deploy', [
'deploy:prepare',
'deploy:clear_paths',
'deploy:vendors',
'install:assets',
'install:yarn',
'deploy:encore',
'dump:env',
'deploy:jwt',
'deploy:cache:clear',
'database:migrate',
'deploy:symlink',
'restart:nginx',
'restart:php-fpm',
'restart:nsfw-scanner',
'update:flavors',
'update:achievements',
'update:tags',
'update:extensions',
'update:special',
'smoke_test',
'deploy:unlock',
'slack:notify:success',
]);
// [Optional] if deploy fails automatically unlock.
after('deploy:failed', 'deploy:unlock');
// Migrate database before symlink new release.
// should maybe not be done automatically. we can do that no problem but that is not that nice.
// before('deploy:symlink', 'database:migrate');
before('deploy:prepare', 'slack:notify');
after('deploy:failed', 'slack:notify:failure');