Skip to content

fix: security patch (#651) #630

fix: security patch (#651)

fix: security patch (#651) #630

name: Build Docker Images, Push to Registry, and Deploy to Production
on:
push:
branches:
- main
release:
types: [published]
jobs:
build-push:
runs-on: ubuntu-latest
strategy:
matrix:
service: [backend, frontend, realtime-evaluators]
steps:
- name: Check out the private Ops repo
uses: actions/checkout@v4
with:
token: ${{ secrets.GH_TOKEN }}
submodules: "recursive"
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: "lab:latest"
driver: cloud
endpoint: "lunary/lunary"
- name: Generate date
id: date
run: echo "date=$(date +%Y-%m-%d-%Hh%Mm%Ss)" >> $GITHUB_OUTPUT
- name: Get short commit hash
id: commit
run: echo "hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Remove 'v' prefix from release tag
id: release_tag
run: echo "tag=$(echo ${{ github.event.release.tag_name }} | sed 's/^v//')" >> $GITHUB_OUTPUT
- name: Build and push ${{ matrix.service }}
uses: docker/build-push-action@v6
with:
context: .
build-args: |
VERSION=${{ steps.release_tag.outputs.tag != '' && steps.release_tag.outputs.tag || format('rev-{0}-{1}', steps.date.outputs.date, steps.commit.outputs.hash) }}
file: ./ops/${{ matrix.service }}.Dockerfile
push: true
tags: |
lunary/${{ matrix.service }}:latest
lunary/${{ matrix.service }}:rev-${{ steps.date.outputs.date }}-${{ steps.commit.outputs.hash }}
${{ github.event.release.tag_name != '' && format('lunary/{0}:{1}', matrix.service, steps.release_tag.outputs.tag) || '' }}
platforms: linux/arm64,linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
build-push-ml:
if: github.event_name == 'release'
runs-on: ubuntu-latest
steps:
- name: Check out the ML repository
uses: actions/checkout@v4
with:
repository: lunary-ai/ml
token: ${{ secrets.GH_TOKEN }}
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: "lab:latest"
driver: cloud
endpoint: "lunary/lunary"
- name: Remove 'v' prefix from release tag
id: release_tag
run: echo "tag=$(echo ${{ github.event.release.tag_name }} | sed 's/^v//')" >> $GITHUB_OUTPUT
- name: Build and push ml service
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
push: true
tags: |
lunary/ml:latest
${{ github.event.release.tag_name != '' && format('lunary/ml:{0}', steps.release_tag.outputs.tag) || '' }}
platforms: linux/arm64,linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
publish-helm:
if: github.event_name == 'release'
runs-on: ubuntu-latest
steps:
- name: Check out the Helm repository
uses: actions/checkout@v4
with:
repository: lunary-ai/helm
token: ${{ secrets.GH_TOKEN }}
- name: Set Git user identity
run: |
git config --global user.email "[email protected]"
git config --global user.name "hughcrt"
- name: Remove 'v' prefix from release tag
id: release_tag
run: echo "tag=$(echo ${{ github.event.release.tag_name }} | sed 's/^v//')" >> $GITHUB_OUTPUT
- name: Set up Helm
run: |
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
- name: Login to Helm repository
run: helm registry login registry-1.docker.io -u ${{ secrets.DOCKERHUB_USERNAME }} -p ${{ secrets.DOCKERHUB_TOKEN }}
- name: Update Helm chart version
run: bash update.sh ${{ github.event.release.tag_name }}
- name: Publish Helm chart
run: bash publish.sh
deploy:
needs: build-push
runs-on: ubuntu-latest
steps:
- name: Deploy to Production
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.PRODUCTION_IP_ADDRESS }}
username: root
key: ${{ secrets.SSH_PRIVATE_KEY }}
port: ${{ secrets.PRODUCTION_PORT }}
script: |
docker image prune -f
cd /opt/lunary
docker compose pull
docker compose down
docker compose up -d