ci: ci for deployement of SILL and add workflow to update the project from upstream every day

JeromeBu · github-actions[bot] · commit 3b8681fc79c1 · 2025-06-04T09:56:24.000Z
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -40,89 +40,106 @@ jobs:
     runs-on: ubuntu-latest
     needs: validations
     outputs:
-      from_version: ${{ steps.step1.outputs.from_version }}
-      to_version: ${{ steps.step1.outputs.to_version }}
-      is_upgraded_version: ${{ steps.step1.outputs.is_upgraded_version }}
+      is_upgraded_in_preprod: ${{ steps.check_version.outputs.is_upgraded_in_preprod }}
+      is_upgraded_version: ${{ steps.check_version.outputs.is_upgraded_version }}
+      to_version: ${{ steps.check_version.outputs.to_version }}
+      from_version: ${{ steps.check_version.outputs.from_version }}
     steps:
-      - uses: garronej/ts-ci@v2.1.0
-        id: step1
-        with:
-          action_name: is_package_json_version_upgraded
+      - uses: actions/checkout@v4
+      - name: Check version upgrade
+        id: check_version
+        run: |
+          # Get current version from package.json
+          CURRENT_VERSION=$(jq -r '.version' package.json)
+          echo "Version in package.json: $CURRENT_VERSION"
 
-  create_tag:
-    name: Create version tag
+          # Get deployed version from preprod API
+          PRE_PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill-preprod/api/getApiVersion" | jq -r '.result.data.json')
+          PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill/api/getApiVersion" | jq -r '.result.data.json')
+          echo "Deployed version in preprod: $PRE_PROD_DEPLOYED_VERSION"
+          echo "Deployed version in prod: $PROD_DEPLOYED_VERSION"
+          
+          # Simple comparison: check if versions are different
+          if [ "$CURRENT_VERSION" != "$PRE_PROD_DEPLOYED_VERSION" ]; then
+            IS_UPGRADED_IN_PRE_PROD="true"
+            IS_UPGRADED="true"
+            echo "✅ Version different from preprod ($PRE_PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION"
+          elif [ "$CURRENT_VERSION" != "$PROD_DEPLOYED_VERSION" ]; then
+            IS_UPGRADED="true"
+            echo "✅ Version different from prod ($PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION"
+          else
+            IS_UPGRADED="false"
+            echo "ℹ️ Version unchanged: $CURRENT_VERSION"
+          fi
+          
+          echo "Is version upgraded: $IS_UPGRADED"
+          
+          # Set outputs
+          echo "is_upgraded_version=$IS_UPGRADED" >> $GITHUB_OUTPUT
+          echo "is_upgraded_in_preprod=$IS_UPGRADED_IN_PRE_PROD" >> $GITHUB_OUTPUT
+          echo "to_version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          echo "from_version=$PRE_PROD_DEPLOYED_VERSION" >> $GITHUB_OUTPUT
+
+  trigger_pre_production_deploy:
+    name: "Trigger pre-production deploy"
     runs-on: ubuntu-latest
+    concurrency:
+      group: deploy-to-pre-production
+      cancel-in-progress: true
     needs:
       - check_if_version_upgraded
-    if: needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true'
+    if: needs.check_if_version_upgraded.outputs.is_upgraded_in_preprod == 'true'
     env:
       TO_VERSION: ${{ needs.check_if_version_upgraded.outputs.to_version }}
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Create tag
+      - run: echo "Triggering production deploy"
+      - name: Set up SSH
         run: |
-          git config --local user.email "actions@github.com"
-          git config --local user.name "GitHub Actions"
-          git tag -a v${{ env.TO_VERSION }} -m "Deployment tag for v${{ env.TO_VERSION }}"
-          git push --tags
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan code.gouv.fr >> ~/.ssh/known_hosts
+          
+          # Debug: Check key format
+          echo "SSH key first line:"
+          head -1 ~/.ssh/id_ed25519
+          echo "SSH key last line:"
+          tail -1 ~/.ssh/id_ed25519
+          echo "SSH key line count:"
+          wc -l ~/.ssh/id_ed25519
+          
+          # Test SSH connection
+          echo "Testing SSH connection..."
+          ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 web@code.gouv.fr "echo 'SSH connection successful'"
+          
+          # Run the actual command
+          ssh -o StrictHostKeyChecking=no web@code.gouv.fr "bash -c 'eval \"\$(ssh-agent -s)\" && ssh-add ~/.ssh/sill-data && ./update-sill-preprod.sh v${{ env.TO_VERSION }}'"
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 
-  create_github_release:
-    name: "Create release notes"
-    runs-on: ubuntu-latest
-    needs:
-      - check_if_version_upgraded
-      - create_tag
-    if: |
-      needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true' && github.event_name == 'push'
-    env:
-      RELEASE_TAG: v${{ needs.check_if_version_upgraded.outputs.to_version }}
-    steps:
-      - name: "Generate release on github"
-        uses: softprops/action-gh-release@v2
-        with:
-          name: Release ${{ env.RELEASE_TAG }}
-          prerelease: false
-          tag_name: ${{ env.RELEASE_TAG }}
-          generate_release_notes: true
-          token: ${{ secrets.GITHUB_TOKEN }}
 
-  docker:
-    name: Build and push Docker images
+  trigger_production_deploy:
+    name: "Trigger production deploy"
     runs-on: ubuntu-latest
+    environment: production
+    concurrency:
+      group: deploy-to-production
+      cancel-in-progress: true
     needs:
+      - trigger_pre_production_deploy
       - check_if_version_upgraded
+    if: always() && needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true' && (needs.trigger_pre_production_deploy.result == 'success' || needs.trigger_pre_production_deploy.result == 'skipped')
+    env:
+      TO_VERSION: ${{ needs.check_if_version_upgraded.outputs.to_version }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Computing Docker image tags
-        id: step1
-        env:
-          TO_VERSION: ${{ needs.check_if_version_upgraded.outputs.to_version }}
+      - run: echo "Triggering production deploy"
+      - name: Set up SSH
         run: |
-          OUT_API=$GITHUB_REPOSITORY-api:$TO_VERSION,$GITHUB_REPOSITORY-api:latest
-          OUT_API=$(echo "$OUT_API" | awk '{print tolower($0)}')
-          echo ::set-output name=docker_api_tags::$OUT_API
-
-          OUT_WEB=$GITHUB_REPOSITORY-web:$TO_VERSION,$GITHUB_REPOSITORY-web:latest
-          OUT_WEB=$(echo "$OUT_WEB" | awk '{print tolower($0)}')
-          echo ::set-output name=docker_web_tags::$OUT_WEB
-
-      - uses: docker/build-push-action@v5
-        with:
-          push: true
-          context: .
-          file: ./Dockerfile.api
-          tags: ${{ steps.step1.outputs.docker_api_tags }}
-      - uses: docker/build-push-action@v5
-        with:
-          push: true
-          context: .
-          file: ./Dockerfile.web
-          tags: ${{ steps.step1.outputs.docker_web_tags }}
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan code.gouv.fr >> ~/.ssh/known_hosts
+          ssh -o StrictHostKeyChecking=no web@code.gouv.fr "bash -c 'eval \"\$(ssh-agent -s)\" && ssh-add ~/.ssh/sill-data && ./update-sill-docker-compose.sh v${{ env.TO_VERSION }}'"
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 
diff --git a/.github/workflows/sync-upstream.yaml b/.github/workflows/sync-upstream.yaml
@@ -0,0 +1,35 @@
+name: Sync upstream
+
+on:
+  schedule:
+    - cron: '0 7 * * *' # every day at 7 AM UTC
+  workflow_dispatch:
+
+jobs:
+  sync:
+    name: Sync repository with upstream repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout fork
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.PAT_FOR_UPSTREAM_SYNC }}
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Add upstream remote
+        run: |
+          git remote add upstream https://github.com/codegouvfr/sill.git
+          git fetch upstream
+
+      - name: Sync with upstream/main
+        run: |
+          git checkout main
+          git rebase upstream/main
+
+      - name: Push to origin
+        run: git push origin main --force-with-lease --no-verify
