[10.1] Continuous deployment to staging and production #34
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Parent
#10
Objective
Add continuous deployment from Forgejo Actions using a self-hosted runner so branch merges update the correct long-running Docker Compose environment.
Agreed decisions
lawnet-deploy-01.lawnet-deploy.main.dev.3410.3411.lawnet_prodfor production andlawnet_stagingfor staging.webservice publishes a loopback-bound host port.just deploy <target>recipe as the deployment contract used by the workflow.docker compose up -dto rerun an already-exited migration container.Deployment flow
The Forgejo workflow should select the target from the pushed branch:
The workflow should:
just deploy productionorjust deploy staging.Justfile deployment contract
Add a
deploy targetrecipe that accepts at least:Aliases may be accepted for convenience:
The recipe should map each target to:
The recipe should fail early if the target is unknown or the target env file is missing.
The deployment sequence should be equivalent to:
This keeps migration failure fatal to the workflow and ensures the Flyway one-shot container is recreated on every deploy.
Compose changes to implement
WEB_PORT, defaulting to3000for the application process.lawnet_prodandlawnet_stagingproduce separate PostgreSQL volumes, networks, and containers.Flyway handling
For the first implementation, the critical requirement is explicit forced execution:
A follow-up implementation improvement may add a repository-owned Flyway Dockerfile that copies migration scripts into the image instead of bind-mounting them. That would make the deployment artifact more immutable, but it is not a substitute for the explicit Flyway lifecycle step.
Forgejo secrets and variables
Use one Forgejo secret per sensitive value, per environment. Do not store a whole dotenv file as one secret.
Suggested secret names:
Suggested non-secret workflow constants or repository variables:
The workflow writes only the selected target's values into the rendered env file.
Rendered production env file shape:
Rendered staging env file shape:
DATABASE_URLmust use the Compose service hostnamepostgres, notlocalhost, because application containers connect over the Compose backend network.Password handling note: if the workflow interpolates the password into
DATABASE_URL, the password should either be URL-safe or the workflow must URL-encode it without logging the encoded value. If URL encoding would produce a different value that Forgejo cannot mask from the original secret, avoid logging rendered env lines entirely.Workflow requirements
mainanddev.mainto production anddevto staging.lawnet-deploy-01.Human follow-up TODOs
lawnet-deploy-01.lawnet-deploy.devbranch so merges todevare intentional staging deployments.127.0.0.1:3410for production and127.0.0.1:3411for staging.Review checklist
main -> production -> 3410anddev -> staging -> 3411are correct.Done when
devdeploys the staging stack on host port3411.maindeploys the production stack on host port3410.