name: Build, Test, Deploy and Analysis on: push: branches: [main, int, dev] workflow_dispatch: concurrency: group: print-calculator-${{ gitea.ref }} cancel-in-progress: true jobs: # --- JOB DI ANALISI (In parallelo) --- qodana: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 # Fondamentale per Qodana per analizzare la storia - name: Prepare Qodana dirs shell: bash run: | mkdir -p /tmp/qodana/caches /tmp/qodana/results mkdir -p .qodana/cache .qodana/results - name: 'Qodana Scan' uses: JetBrains/qodana-action@v2025.3 env: QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} with: project-dir: backend cache-dir: .qodana/cache results-dir: .qodana/results # In Gitea, pr-mode funziona se il runner ha accesso ai dati del clone pr-mode: ${{ gitea.event_name == 'pull_request' }} use-caches: false # Nota: Gitea ha un supporto limitato per i commenti automatici # rispetto a GitHub, ma l'analisi verrà eseguita correttamente. post-pr-comment: false use-annotations: true test-backend: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up JDK 21 uses: actions/setup-java@v4 with: java-version: '21' distribution: 'temurin' - name: Run Tests with Gradle run: | cd backend chmod +x gradlew ./gradlew test build-and-push: needs: test-backend runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set TAG + OWNER lowercase shell: bash run: | if [[ "${{ gitea.ref }}" == "refs/heads/main" ]]; then echo "TAG=prod" >> "$GITHUB_ENV" elif [[ "${{ gitea.ref }}" == "refs/heads/int" ]]; then echo "TAG=int" >> "$GITHUB_ENV" else echo "TAG=dev" >> "$GITHUB_ENV" fi echo "OWNER_LOWER=$(echo '${{ gitea.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV" - name: Ensure docker CLI exists shell: bash run: | if ! command -v docker >/dev/null 2>&1; then apt-get update apt-get install -y --no-install-recommends docker.io fi docker version - name: Login to Gitea Registry shell: bash run: | set -euo pipefail printf '%s' "${{ secrets.REGISTRY_TOKEN }}" | docker login "${{ secrets.REGISTRY_URL }}" \ -u "${{ secrets.REGISTRY_USER }}" --password-stdin - name: Build & Push Backend shell: bash run: | BACKEND_IMAGE="${{ secrets.REGISTRY_URL }}/${{ env.OWNER_LOWER }}/print-calculator-backend:${{ env.TAG }}" docker build -t "$BACKEND_IMAGE" ./backend docker push "$BACKEND_IMAGE" - name: Build & Push Frontend shell: bash run: | FRONTEND_IMAGE="${{ secrets.REGISTRY_URL }}/${{ env.OWNER_LOWER }}/print-calculator-frontend:${{ env.TAG }}" docker build -t "$FRONTEND_IMAGE" ./frontend docker push "$FRONTEND_IMAGE" deploy: needs: build-and-push runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set ENV shell: bash run: | if [[ "${{ gitea.ref }}" == "refs/heads/main" ]]; then echo "ENV=prod" >> "$GITHUB_ENV" elif [[ "${{ gitea.ref }}" == "refs/heads/int" ]]; then echo "ENV=int" >> "$GITHUB_ENV" else echo "ENV=dev" >> "$GITHUB_ENV" fi - name: Setup SSH key shell: bash run: | set -euo pipefail apt-get update apt-get install -y --no-install-recommends openssh-client mkdir -p ~/.ssh chmod 700 ~/.ssh # 1) Prende il secret base64 e rimuove spazi/newline/CR printf '%s' "${{ secrets.SSH_PRIVATE_KEY_B64 }}" | tr -d '\r\n\t ' > /tmp/key.b64 # 2) (debug sicuro) stampa solo la lunghezza della base64 echo "b64_len=$(wc -c < /tmp/key.b64)" # 3) Decodifica in chiave privata base64 -d /tmp/key.b64 > ~/.ssh/id_ed25519 # 4) Rimuove eventuali CRLF dentro la chiave (se proviene da Windows) tr -d '\r' < ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.clean mv ~/.ssh/id_ed25519.clean ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 # 5) Validazione: se fallisce qui, la chiave NON è valida/corrotta ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null ssh-keyscan -H "${{ secrets.SERVER_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null - name: Write env and compose to server shell: bash run: | # 1. Recalculate TAG and OWNER_LOWER (jobs don't share ENV) if [[ "${{ gitea.ref }}" == "refs/heads/main" ]]; then DEPLOY_TAG="prod" elif [[ "${{ gitea.ref }}" == "refs/heads/int" ]]; then DEPLOY_TAG="int" else DEPLOY_TAG="dev" fi DEPLOY_OWNER=$(echo '${{ gitea.repository_owner }}' | tr '[:upper:]' '[:lower:]') # 2. Start with the static env file content cat "deploy/envs/${{ env.ENV }}.env" > /tmp/full_env.env # 3. Determine DB credentials if [[ "${{ env.ENV }}" == "prod" ]]; then DB_URL="${{ secrets.DB_URL_PROD }}" DB_USER="${{ secrets.DB_USERNAME_PROD }}" DB_PASS="${{ secrets.DB_PASSWORD_PROD }}" elif [[ "${{ env.ENV }}" == "int" ]]; then DB_URL="${{ secrets.DB_URL_INT }}" DB_USER="${{ secrets.DB_USERNAME_INT }}" DB_PASS="${{ secrets.DB_PASSWORD_INT }}" else DB_URL="${{ secrets.DB_URL_DEV }}" DB_USER="${{ secrets.DB_USERNAME_DEV }}" DB_PASS="${{ secrets.DB_PASSWORD_DEV }}" fi # 4. Append DB and Docker credentials (quoted) printf '\nDB_URL="%s"\nDB_USERNAME="%s"\nDB_PASSWORD="%s"\n' \ "$DB_URL" "$DB_USER" "$DB_PASS" >> /tmp/full_env.env printf 'REGISTRY_URL="%s"\nREPO_OWNER="%s"\nTAG="%s"\n' \ "${{ secrets.REGISTRY_URL }}" "$DEPLOY_OWNER" "$DEPLOY_TAG" >> /tmp/full_env.env ADMIN_TTL="${{ secrets.ADMIN_SESSION_TTL_MINUTES }}" ADMIN_TTL="${ADMIN_TTL:-480}" printf 'ADMIN_PASSWORD="%s"\nADMIN_SESSION_SECRET="%s"\nADMIN_SESSION_TTL_MINUTES="%s"\n' \ "${{ secrets.ADMIN_PASSWORD }}" "${{ secrets.ADMIN_SESSION_SECRET }}" "$ADMIN_TTL" >> /tmp/full_env.env # 5. Debug: print content (for debug purposes) echo "Preparing to send env file with variables:" grep -Ev "PASSWORD|SECRET" /tmp/full_env.env || true # 5. Send env to server ssh -i ~/.ssh/id_ed25519 -o BatchMode=yes "${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}" \ "setenv ${{ env.ENV }}" < /tmp/full_env.env # 6. Send docker-compose.deploy.yml to server ssh -i ~/.ssh/id_ed25519 -o BatchMode=yes "${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}" \ "setcompose ${{ env.ENV }}" < docker-compose.deploy.yml - name: Trigger deploy on Unraid (forced command key) shell: bash run: | set -euo pipefail # Aggiungiamo le opzioni di verbosità se dovesse fallire ancora, # e assicuriamoci che l'input sia pulito ssh -i ~/.ssh/id_ed25519 -o BatchMode=yes "${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}" "deploy ${{ env.ENV }}"