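# Manual deployment workflow: rolls a chosen Docmost image tag out to one EC2
# host through AWS Systems Manager (SSM Run Command). The runner never opens
# an SSH session; it only needs AWS credentials allowed to call
# ssm:SendCommand / ssm:GetCommandInvocation on the target instance.
#
# Required repository secrets:
#   AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY  static IAM credentials
#                                              (OIDC role assumption would
#                                              avoid long-lived keys)
#   AWS_REGION                                 region of the target instance
#   SSM_TARGET                                 EC2 instance id managed by SSM
name: Deploy

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Image tag to deploy (e.g. 0.70.1 or sha-abcdef)'
        required: true
        default: 'latest'

# The job touches neither the repository nor the GitHub API, so the
# GITHUB_TOKEN needs no permissions at all.
permissions: {}

# Two deployments racing on the same host would run `docker compose up`
# concurrently; queue them instead of cancelling, so every requested tag
# is still applied in order.
concurrency:
  group: deploy-ssm
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS credentials
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
        run: |
          set -uo pipefail
          # Fail fast with a clear message if a secret is missing; otherwise
          # the job only fails much later with an opaque SSM/STS error.
          for required in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION; do
            if [ -z "${!required}" ]; then
              echo "::error::secret ${required} is not set"
              exit 1
            fi
          done
          # umask 077 makes the files owner-only from creation, so there is
          # no window between the redirect and the chmod below.
          umask 077
          mkdir -p ~/.aws
          {
            echo "[default]"
            echo "aws_access_key_id = ${AWS_ACCESS_KEY_ID}"
            echo "aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}"
          } > ~/.aws/credentials
          chmod 600 ~/.aws/credentials
          {
            echo "[default]"
            echo "region = ${AWS_REGION}"
          } > ~/.aws/config
          chmod 600 ~/.aws/config

      - name: Detect architecture
        id: arch
        run: |
          ARCH="$(uname -m)"
          echo "ARCH=${ARCH}" >> "${GITHUB_OUTPUT}"
          echo "Detected architecture: ${ARCH}"

      - name: Install AWS CLI (if not already installed)
        env:
          ARCH: ${{ steps.arch.outputs.ARCH }}
        run: |
          set -uo pipefail
          if command -v aws > /dev/null 2>&1; then
            echo "AWS CLI is already installed, using existing installation..."
            aws --version
            exit 0
          fi
          echo "AWS CLI not found, installing..."
          case "${ARCH}" in
            aarch64|arm64) CLI_ARCH="aarch64" ;;
            *)             CLI_ARCH="x86_64" ;;
          esac
          TMP_DIR="$(mktemp -d)"
          # -f makes curl fail on an HTTP error instead of handing unzip an
          # error page. The archive is not signature-checked here; the
          # ubuntu-latest image already ships the AWS CLI, so this branch
          # only runs on a custom runner.
          curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-${CLI_ARCH}.zip" \
            -o "${TMP_DIR}/awscliv2.zip"
          unzip -q "${TMP_DIR}/awscliv2.zip" -d "${TMP_DIR}"
          sudo "${TMP_DIR}/aws/install"
          aws --version

      - name: Install AWS Session Manager plugin (if not already installed)
        env:
          ARCH: ${{ steps.arch.outputs.ARCH }}
        run: |
          set -uo pipefail
          if command -v session-manager-plugin > /dev/null 2>&1; then
            echo "Session Manager plugin is already installed, using existing installation..."
            session-manager-plugin --version
            exit 0
          fi
          echo "Session Manager plugin not found, installing..."
          case "${ARCH}" in
            aarch64|arm64) PLUGIN_ARCH="ubuntu_arm64" ;;
            *)             PLUGIN_ARCH="ubuntu_64bit" ;;
          esac
          # Same caveat as the CLI download: HTTPS only, no signature check.
          curl -fsSL "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/${PLUGIN_ARCH}/session-manager-plugin.deb" \
            -o "/tmp/session-manager-plugin.deb"
          sudo dpkg -i /tmp/session-manager-plugin.deb
          session-manager-plugin --version

      - name: Execute commands via SSM
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          SSM_TARGET: ${{ secrets.SSM_TARGET }}
          # The user-supplied tag reaches the script only through the
          # environment, never by ${{ }} interpolation into the script body,
          # so a crafted input cannot inject shell into this step.
          DEPLOY_VERSION: ${{ github.event.inputs.version }}
        run: |
          set -uo pipefail
          # The tag is spliced into the remote command line below, so accept
          # only the Docker tag grammar and refuse everything else.
          if [[ ! "${DEPLOY_VERSION}" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$ ]]; then
            echo "::error::Refusing to deploy: '${DEPLOY_VERSION}' is not a valid image tag"
            exit 1
          fi
          # Remote command, run by AWS-RunShellScript as root on the instance.
          # The ~ is expanded by the shell that `su ubuntu -c` starts, i.e.
          # to the ubuntu user's home, not root's.
          REMOTE_CMD="sudo su ubuntu -c \"cd ~/docmost && sudo IMAGE_TAG=${DEPLOY_VERSION} docker compose pull && sudo IMAGE_TAG=${DEPLOY_VERSION} docker compose up -d\""
          # Build the parameter document with jq so the command string is
          # JSON-escaped correctly whatever it contains.
          PARAMS="$(jq -cn --arg cmd "${REMOTE_CMD}" '{commands: [$cmd]}')"
          COMMAND_ID="$(aws ssm send-command \
            --region "${AWS_REGION}" \
            --instance-ids "${SSM_TARGET}" \
            --document-name "AWS-RunShellScript" \
            --parameters "${PARAMS}" \
            --output text \
            --query "Command.CommandId")"
          echo "Command ID: ${COMMAND_ID}"

          # Poll until the invocation reaches a terminal state. The built-in
          # `aws ssm wait command-executed` gives up after roughly 100 s, which
          # an image pull can easily exceed, and the old `|| true` then let the
          # job read a ResponseCode for a command that was still running.
          echo "Waiting for command to complete..."
          DEADLINE=$(( $(date +%s) + 1800 ))
          while :; do
            # get-command-invocation can briefly return InvocationDoesNotExist
            # right after send-command; treat that as still pending.
            STATUS="$(aws ssm get-command-invocation \
              --region "${AWS_REGION}" \
              --command-id "${COMMAND_ID}" \
              --instance-id "${SSM_TARGET}" \
              --query "Status" \
              --output text 2> /dev/null || echo "Pending")"
            case "${STATUS}" in
              Pending|InProgress|Delayed) ;;
              *) break ;;
            esac
            if [ "$(date +%s)" -ge "${DEADLINE}" ]; then
              echo "::error::Timed out waiting for SSM command ${COMMAND_ID}"
              exit 1
            fi
            sleep 10
          done
          echo "Command status: ${STATUS}"

          echo "Command output:"
          aws ssm get-command-invocation \
            --region "${AWS_REGION}" \
            --command-id "${COMMAND_ID}" \
            --instance-id "${SSM_TARGET}" \
            --query "StandardOutputContent" \
            --output text

          # ResponseCode is the remote shell's exit status; anything but 0
          # (including -1 for a command that never ran) fails the job.
          EXIT_CODE="$(aws ssm get-command-invocation \
            --region "${AWS_REGION}" \
            --command-id "${COMMAND_ID}" \
            --instance-id "${SSM_TARGET}" \
            --query "ResponseCode" \
            --output text)"
          if [ "${EXIT_CODE}" != "0" ]; then
            echo "Command failed with exit code: ${EXIT_CODE}"
            aws ssm get-command-invocation \
              --region "${AWS_REGION}" \
              --command-id "${COMMAND_ID}" \
              --instance-id "${SSM_TARGET}" \
              --query "StandardErrorContent" \
              --output text
            exit 1
          fi
          echo "Command completed successfully!"

      - name: Cleanup AWS credentials
        if: always()
        run: |
          # Remove credential files for security (runner is ephemeral, but good practice)
          rm -f ~/.aws/credentials ~/.aws/config
          echo "Credentials cleaned up"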