Pull request overview
This PR migrates the repo’s CI/build/deploy pipeline from AWS ECR/ECS + PullPreview to GHCR + SSH-based Docker Swarm deployments on Hetzner, and introduces SOPS-managed env files plus Caddy-based proxying for preview and production stacks.
Changes:
- Replace ECR build workflows with GHCR build workflows and update e2e to pull images from GHCR.
- Replace PullPreview-based preview deployments with an SSH-driven Swarm stack deploy/teardown workflow.
- Add Hetzner deployment workflow + new Swarm stack/Caddy/SOPS infra assets.
Reviewed changes
Copilot reviewed 26 out of 27 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| package.json | Adds SOPS encrypt/decrypt helper scripts. |
| infra/stack.yml | New Swarm stack definition for non-preview deployments. |
| infra/stack.preview.yml | New Swarm stack definition for PR previews (includes MinIO, init). |
| infra/import-backup.sh | Adds a helper to import DB dumps into the Swarm DB container. |
| infra/Caddyfile.preview | Adds preview Caddy config (on-demand TLS, routes). |
| infra/Caddyfile | Adds prod/staging Caddy config (routes to platform/site-builder/assets). |
| infra/.sops.yaml | Adds SOPS rules for encrypted env files. |
| infra/.env.preview.enc | Adds encrypted preview env file. |
| infra/.env.example | Adds infra env template for prod-like deployments. |
| docker-compose.preview.yml | Removes old PullPreview compose definition. |
| docker-compose.preview.sandbox.yml | Removes old PullPreview sandbox override. |
| docker-compose.preview.pr.yml | Removes old PullPreview PR override. |
| .gitignore | Ignores decrypted infra env files and keeps encrypted env tracked. |
| .github/workflows/pull-preview.yml | Removes PullPreview workflow. |
| .github/workflows/pull-preview-script.sh | Removes PullPreview helper script. |
| .github/workflows/preview.yml | Adds SSH-based PR preview deploy/teardown workflow. |
| .github/workflows/on_pr.yml | Switches PR pipeline to GHCR builds + new preview workflow. |
| .github/workflows/on_main.yml | Switches main pipeline to GHCR builds and removes AWS deploy steps. |
| .github/workflows/ghcr-build-template.yml | Adds reusable GHCR build/push workflow. |
| .github/workflows/ghcr-build-all.yml | Adds GHCR build-all aggregator workflow. |
| .github/workflows/ecrbuild-template.yml | Removes ECR build template workflow. |
| .github/workflows/ecrbuild-all.yml | Removes ECR build-all workflow. |
| .github/workflows/e2e.yml | Updates e2e to pull images from GHCR and adjusts permissions. |
| .github/workflows/deploy.yml | Adds Hetzner deploy workflow (build + SSH deploy). |
| .github/workflows/deploy-template.yml | Removes ECS deploy template workflow. |
| .github/workflows/awsdeploy.yml | Removes ECS deploy orchestrator workflow. |
| .env.example | Adds a base env example for local/dev/self-hosting defaults. |
Comments suppressed due to low confidence (1)
infra/stack.yml:154
`stack.yml` configures Caddy to proxy `/assets*` and `/assets-ui*` to `minio:9000/9001` (see `infra/Caddyfile`), but this stack doesn't define a `minio` service. As-is, asset routes will 502 and site serving via the `fs s3` plugin will fail. Add a `minio` service (and any init/bucket/user bootstrap you need) or remove the MinIO proxies and the unused `minio_data` volume.
volumes:
pgdata:
minio_data:
caddy_data:
caddy_config:
| echo "importing $DUMP_FILE into container $DB_CONTAINER ..." | ||
|
|
||
| if [[ "$DUMP_FILE" == *.sql ]]; then | ||
| sudo docker exec -i "$DB_CONTAINER" \ | ||
| psql -U "$PGUSER" -d "$PGDATABASE" < "$DUMP_FILE" | ||
| else | ||
| sudo docker exec -i "$DB_CONTAINER" \ | ||
| pg_restore --clean --if-exists --no-owner -U "$PGUSER" -d "$PGDATABASE" < "$DUMP_FILE" | ||
| fi |
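Review bot: the `psql` branch doesn't pass `-v ON_ERROR_STOP=1`, so a failing statement in a `.sql` dump is reported on stderr but psql still exits 0 and the script ends as if the import succeeded; change the call to `psql -v ON_ERROR_STOP=1 -U "$PGUSER" -d "$PGDATABASE"`, and consider `--exit-on-error` on the `pg_restore` branch so a broken archive stops at the first failed object instead of applying a partial restore.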
This script uses set -u but relies on PGUSER/PGDATABASE being set in the environment. If the caller hasn't exported them, the script will exit with an unbound-variable error before running psql/pg_restore. Consider sourcing infra/.env (or accepting --pguser/--pgdatabase flags / defaulting to POSTGRES_USER/POSTGRES_DB) and validating the required values up-front.
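A version of the helper with the environment handling this comment asks for, added here as an example (it is not the PR's `infra/import-backup.sh`): it sources `infra/.env`, falls back to `POSTGRES_USER`/`POSTGRES_DB`, validates both values before touching Docker, and makes `psql`/`pg_restore` fail loudly on a bad dump. `ENV_FILE`, `DB_CONTAINER` and the `.sql`/`.dump` extension convention are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the PR's infra/import-backup.sh: the same import flow
# with the environment handling the review asks for. Assumptions: infra/.env
# (overridable via ENV_FILE) defines POSTGRES_USER/POSTGRES_DB, DB_CONTAINER
# names the running Postgres container, and dumps end in .sql or .dump.
set -eu

# Source the env file, if present, exporting everything it defines so the
# caller does not have to export PGUSER/PGDATABASE by hand.
load_env_file() {
  env_file="${1:-infra/.env}"
  if [ -f "$env_file" ]; then
    set -a
    # shellcheck disable=SC1090
    . "$env_file"
    set +a
  fi
}

# Fill PGUSER/PGDATABASE from POSTGRES_USER/POSTGRES_DB when unset and fail
# early with a clear message instead of an unbound-variable abort later.
resolve_db_settings() {
  PGUSER="${PGUSER:-${POSTGRES_USER:-}}"
  PGDATABASE="${PGDATABASE:-${POSTGRES_DB:-}}"
  if [ -z "$PGUSER" ] || [ -z "$PGDATABASE" ]; then
    echo "error: PGUSER/PGDATABASE (or POSTGRES_USER/POSTGRES_DB) must be set" >&2
    return 1
  fi
  export PGUSER PGDATABASE
}

# Print the restore command for a dump, chosen by extension. psql gets
# ON_ERROR_STOP so a bad statement yields a non-zero exit; pg_restore gets
# --exit-on-error so a broken archive stops instead of restoring partially.
restore_command() {
  dump_file="$1" user="$2" db="$3"
  case "$dump_file" in
    *.sql)  printf 'psql -v ON_ERROR_STOP=1 -U %s -d %s\n' "$user" "$db" ;;
    *.dump) printf 'pg_restore --clean --if-exists --no-owner --exit-on-error -U %s -d %s\n' "$user" "$db" ;;
    *)      echo "error: unsupported dump format: $dump_file" >&2; return 1 ;;
  esac
}

# Validate inputs up front, then stream the dump into the DB container.
import_backup() {
  dump_file="${1:?usage: import-backup.sh <dump.sql|dump.dump>}"
  [ -r "$dump_file" ] || { echo "error: cannot read $dump_file" >&2; return 1; }
  load_env_file "${ENV_FILE:-infra/.env}"
  resolve_db_settings
  container="${DB_CONTAINER:?set DB_CONTAINER to the Postgres container name}"
  cmd=$(restore_command "$dump_file" "$PGUSER" "$PGDATABASE")
  echo "importing $dump_file into container $container ..."
  # shellcheck disable=SC2086 -- $cmd is built from our own fixed tokens
  sudo docker exec -i "$container" $cmd < "$dump_file"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  import_backup "$@"
fi
```

Run it as `DB_CONTAINER=<name> ./import-backup.sh backups/latest.dump`; with no `.env` and no `POSTGRES_*` variables it exits with the validation message before any `docker exec`, and a dump that fails mid-way now leaves the script with a non-zero status rather than a misleading success.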
Preview deployed at https://pr-1432.pubstar.org
Issue(s) Resolved
Deploy to Hetzner instead of S3 a la v6
High-level Explanation of PR
Todo:
Test Plan
Screenshots (if applicable)
Notes