Scott Anderson e2c97d8d51 Update github deployment status (#685)
## Description:

- Set deployment status to better integrate with the GitHub UI
- Enable PR comments


![image](https://github.com/user-attachments/assets/9c2e70b2-5110-4cd1-9123-364775955c9c)

## Please complete the following:

- [x] I have added screenshots for all UI updates
- [x] I confirm I have thoroughly tested these changes and take full
responsibility for any bugs introduced
- [x] I understand that submitting code with bugs that could have been
caught through manual testing blocks releases and new features for all
contributors

---------

Co-authored-by: Scott Anderson <662325+scottanderson@users.noreply.github.com>
2025-05-09 09:19:25 -07:00


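# Deployment workflow: builds and ships the app to a host chosen either by a
# manual dispatch (domain/host/subdomain inputs) or automatically on push
# (branch name becomes the subdomain under openfront.dev).
name: 🚀 Deploy
on:
  # Allow contributors to schedule manual deployments.
  # Permission to deploy can be restricted by requiring approval in environment configuration.
  workflow_dispatch:
    inputs:
      target_domain:
        description: "Deployment Domain"
        required: true
        default: "openfront.dev"
        type: choice
        options:
          - openfront.io
          - openfront.dev
      target_host:
        description: "Deployment Host"
        required: true
        default: "staging"
        type: choice
        options:
          - eu
          - us
          - staging
      target_subdomain:
        description: "Deployment Subdomain"
        required: false
        default: ""
        type: string
  # Automatic deployment on push
  # See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
  push:
    branches:
      - "*"
# NOTE(review): no `permissions:` key is declared, so GITHUB_TOKEN receives the
# repository default scopes. Consider declaring the minimum this job needs.
jobs:
  deploy:
    # Don't deploy on push if this is a fork
    if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'openfrontio/OpenFrontIO' }}
    # Use different logic based on event type
    name: ${{
      github.event_name == 'push'
      && (github.ref_name == 'main' && 'openfront.dev'
      || format('{0}.openfront.dev', github.ref_name))
      || inputs.target_subdomain && format('{0}.{1}', inputs.target_subdomain, inputs.target_domain)
      || inputs.target_domain
      || 'openfront.dev'
      }}
    runs-on: ubuntu-latest
    # The environment name is computed from the branch name (push) or from the
    # dispatch inputs. GitHub creates an environment on first reference, and a
    # freshly created environment has no protection rules, so approval gates
    # only apply to environments that were configured in advance.
    environment: ${{
      github.event_name == 'push'
      && (github.ref_name == 'main' && 'openfront.dev'
      || format('{0}.openfront.dev', github.ref_name))
      || inputs.target_subdomain && format('{0}.{1}', inputs.target_subdomain, inputs.target_domain)
      || inputs.target_domain
      || 'openfront.dev'
      }}
    env:
      DOMAIN: ${{ inputs.target_domain || 'openfront.dev' }}
      SUBDOMAIN: ${{ github.event_name == 'push' && github.ref_name || inputs.target_subdomain || 'main' }}
    steps:
      # NOTE(review): every action below is referenced by a mutable tag. The
      # chrnorm/* actions are handed the GitHub App token, so pinning them to a
      # full commit SHA would protect that token from a retagged release.
      - uses: actions/checkout@v4
      - name: 📝 Update job summary
        env:
          FQDN: ${{ env.SUBDOMAIN && format('{0}.{1}', env.SUBDOMAIN, env.DOMAIN) || env.DOMAIN || 'openfront.dev' }}
        run: |
          # Branch name / dispatch input reaches the shell through env, not
          # through ${{ }} interpolation, so it is never parsed as script text.
          echo "FQDN=$FQDN" >> "$GITHUB_ENV"
          cat <<EOF >> "$GITHUB_STEP_SUMMARY"
          ### In progress :ship:
          Deploying from $GITHUB_REF to $FQDN
          EOF
      - uses: actions/create-github-app-token@v2
        id: generate-token
        if: ${{ github.repository == 'openfrontio/OpenFrontIO' }}
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Export the token
        if: ${{ github.repository == 'openfrontio/OpenFrontIO' }}
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
        run: |
          # NOTE(review): writing GH_TOKEN to GITHUB_ENV exposes the App token
          # to every later step, including ./deploy.sh. Only the "Notify PR"
          # step visibly calls gh; if deploy.sh does not need the token, set
          # GH_TOKEN in that step's env instead of exporting it job-wide.
          echo "GH_TOKEN=$GH_TOKEN" >> "$GITHUB_ENV"
          # Sanity check that the token authenticates.
          gh api octocat
      - name: 📝 Create deployment
        uses: chrnorm/deployment-action@v2
        id: deployment
        with:
          token: ${{ steps.generate-token.outputs.token }}
          environment-url: https://${{ env.FQDN }}
          environment: ${{ env.FQDN }}
      - name: 🔗 Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: 🔑 Create SSH private key
        env:
          SERVER_HOST_EU: ${{ secrets.SERVER_HOST_EU }}
          SERVER_HOST_STAGING: ${{ secrets.SERVER_HOST_STAGING }}
          SERVER_HOST_US: ${{ secrets.SERVER_HOST_US }}
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          # No xtrace (-x) in this step: it would echo the expanded private key
          # and host names into the job log, leaving log masking as the only
          # safeguard.
          set -euo pipefail
          # Create ~/.ssh and the key file owner-only from the start, rather
          # than world-readable until the chmod at the end.
          umask 077
          mkdir -p ~/.ssh
          echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
          # NOTE(review): ssh-keyscan accepts whatever host key is presented at
          # deploy time, so known_hosts gives no protection against a spoofed
          # host. Storing the expected host keys alongside the other
          # deployment settings would allow real verification.
          test -n "$SERVER_HOST_STAGING" && ssh-keyscan -H "$SERVER_HOST_STAGING" >> ~/.ssh/known_hosts
          test -n "$SERVER_HOST_US" && ssh-keyscan -H "$SERVER_HOST_US" >> ~/.ssh/known_hosts
          test -n "$SERVER_HOST_EU" && ssh-keyscan -H "$SERVER_HOST_EU" >> ~/.ssh/known_hosts
          # Keep this as the last command: under `set -e` a trailing
          # `test ... && ...` with an empty host would fail the step.
          chmod 600 ~/.ssh/id_rsa
      - name: 🚢 Deploy
        env:
          ADMIN_TOKEN: ${{ secrets.ADMIN_TOKEN }}
          CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
          CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
          DOCKER_REPO: ${{ vars.DOCKERHUB_REPO }}
          DOCKER_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
          ENV: ${{ inputs.target_domain == 'openfront.io' && 'prod' || 'staging' }}
          HOST: ${{ github.event_name == 'workflow_dispatch' && inputs.target_host || 'staging' }}
          MON_PASSWORD: ${{ secrets.MON_PASSWORD }}
          MON_USERNAME: ${{ secrets.MON_USERNAME }}
          OTEL_ENDPOINT: ${{ secrets.OTEL_ENDPOINT }}
          OTEL_PASSWORD: ${{ secrets.OTEL_PASSWORD }}
          OTEL_USERNAME: ${{ secrets.OTEL_USERNAME }}
          R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }}
          R2_BUCKET: ${{ secrets.R2_BUCKET }}
          R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }}
          SERVER_HOST_EU: ${{ secrets.SERVER_HOST_EU }}
          SERVER_HOST_STAGING: ${{ secrets.SERVER_HOST_STAGING }}
          SERVER_HOST_US: ${{ secrets.SERVER_HOST_US }}
          SSH_KEY: ~/.ssh/id_rsa
          VERSION_TAG: latest
        run: |
          # Do not enable xtrace here either: this step's environment carries
          # most of the deployment secrets.
          echo "::group::deploy.sh"
          ./deploy.sh "$ENV" "$HOST" "$SUBDOMAIN"
          echo "Deployment created in ${SECONDS} seconds" >> "$GITHUB_STEP_SUMMARY"
          echo "::endgroup::"
      - name: ⏳ Wait for deployment to start
        run: |
          echo "::group::Wait for deployment to start"
          set -euxo pipefail
          # Poll until the site serves the commit being deployed. --max-time
          # bounds each request so a hung connection cannot outlast the
          # 5-minute budget checked below.
          while [ "$(curl -s --max-time 10 "https://${FQDN}/commit.txt")" != "${GITHUB_SHA}" ]; do
            if [ "$SECONDS" -ge 300 ]; then
              echo "Timeout: deployment did not start within 5 minutes"
              exit 1
            fi
            sleep 10
          done
          echo "Deployment started in ${SECONDS} seconds" >> "$GITHUB_STEP_SUMMARY"
          echo "::endgroup::"
      - name: 🚀 Notify PR
        if: ${{ success() && github.event_name == 'push' }}
        env:
          # The pull_request arm cannot be taken: this workflow has no
          # pull_request trigger and the step only runs on push.
          BRANCH: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.ref_name }}
        run: |
          set -euxo pipefail
          if [ -z "${BRANCH}" ]; then
            echo "Branch not found"
            exit 1
          fi
          echo "Checking for open PR from $BRANCH..."
          pr_url=$(gh pr list --head "$BRANCH" --state open --json url -q '.[0].url')
          if [ -z "$pr_url" ]; then
            echo "No open PR found for branch $BRANCH"
            exit 0
          fi
          gh pr comment "$pr_url" --body "🚀 Deployed ${GITHUB_SHA} to [$FQDN](https://$FQDN)."
      - name: ✅ Update deployment status
        if: success()
        uses: chrnorm/deployment-status@v2
        with:
          token: ${{ steps.generate-token.outputs.token }}
          environment-url: https://${{ env.FQDN }}
          state: success
          deployment-id: ${{ steps.deployment.outputs.deployment_id }}
      - name: ✅ Update job summary
        if: success()
        run: |
          cat <<EOF >> "$GITHUB_STEP_SUMMARY"
          ### Success! :rocket:
          Deployed from $GITHUB_REF to $FQDN
          EOF
      - name: ❌ Update deployment status
        if: failure()
        uses: chrnorm/deployment-status@v2
        with:
          token: ${{ steps.generate-token.outputs.token }}
          environment-url: https://${{ env.FQDN }}
          state: failure
          deployment-id: ${{ steps.deployment.outputs.deployment_id }}
      - name: ❌ Update job summary
        if: failure()
        run: |
          cat <<EOF >> "$GITHUB_STEP_SUMMARY"
          ### Failure! :fire:
          Unable to deploy from $GITHUB_REF to $FQDN
          EOF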