ci(guide): auto build + deploy to bcos.dev on push to develop (#5)

The guide bundles content into the backend jar at build time, so instances must be rebuilt +
redeployed to pick up doc changes (git-pull is insufficient). Automates it: on push to develop
(backend/** paths), mvn package -> docker build -> push :dev -> deploy to bcos.dev -> smoke.

mvn package runs FIRST (the Dockerfile COPYs a pre-built jar — skipping it ships stale content).
Auto-deploy scoped to dev only (docs, low risk). Audience filtering is runtime via
GUIDE_SERVED_AUDIENCES, so no build-time filtering — prod (future cd-main, gated) serves
customer,internal only.

Needs (coordinate w/ CI/runner session): BCOS_DEV_DEPLOY_KEY secret + runner reachability to .251.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-07-05 13:10:34 -04:00
parent 7bc8c839d8
commit 37a1c4e396
+80
View File
@@ -0,0 +1,80 @@
name: CD - Develop (guide → bcos.dev)
# Guide-specific CI (issue #5). The guide bundles markdown INTO the backend jar at build time,
# so a running instance must be rebuilt + redeployed to pick up content changes — a git-pull is
# not enough. This automates that on every push to develop: build → push :dev → deploy to bcos.dev.
#
# Auto-deploy is intentional and scoped to the DEV environment only (docs, low blast radius).
# Audience filtering is runtime (GUIDE_SERVED_AUDIENCES): bcos.dev serves all four tiers; prod
# (a future cd-main, gated) serves only customer,internal — so dev/bcos content never leaves dev.
on:
push:
branches:
- develop
paths:
- 'backend/**'
- '.gitea/workflows/cd-develop.yml'
jobs:
build-and-deploy:
runs-on: ubuntu-latest
env:
GIT_SSL_NO_VERIFY: "true"
MAVEN_OPTS: "-Djava.net.preferIPv4Stack=true -Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true"
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Configure Maven settings (Gitea package registry)
run: |
mkdir -p ~/.m2
cat > ~/.m2/settings.xml << 'EOF'
<settings>
<servers>
<server><id>gitea</id><username>hiveiq</username><password>${{ secrets.MAVEN_TOKEN }}</password></server>
</servers>
<profiles>
<profile>
<id>gitea-registry</id>
<repositories>
<repository>
<id>gitea</id>
<url>https://hiveiq-gitea.directlx.dev/api/packages/hiveops/maven</url>
<releases><enabled>true</enabled></releases><snapshots><enabled>false</enabled></snapshots>
</repository>
</repositories>
</profile>
</profiles>
<activeProfiles><activeProfile>gitea-registry</activeProfile></activeProfiles>
</settings>
EOF
# mvn package FIRST — the Dockerfile does `COPY target/*.jar`, so skipping this ships stale
# content (the exact trap that makes the manual process error-prone).
- name: Build backend JAR (bakes in content)
run: cd backend && mvn clean package -DskipTests -B
- name: Build + push image
run: |
echo "${{ secrets.DEV_REGISTRY_PASSWORD }}" | docker login ${{ secrets.DEV_REGISTRY_URL }} -u ${{ secrets.DEV_REGISTRY_USERNAME }} --password-stdin
docker build -t ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-guide-backend:dev backend/
docker push ${{ secrets.DEV_REGISTRY_URL }}/hiveiq-guide-backend:dev
# DEPENDENCY (issue #5, coordinate with CI/runner session): needs BCOS_DEV_DEPLOY_KEY secret
# (SSH key for bcosadmin@.251) + runner network reachability to 173.231.195.251.
- name: Deploy to bcos.dev
run: |
mkdir -p ~/.ssh && echo "${{ secrets.BCOS_DEV_DEPLOY_KEY }}" > ~/.ssh/dk && chmod 600 ~/.ssh/dk
ssh -i ~/.ssh/dk -o StrictHostKeyChecking=no bcosadmin@173.231.195.251 \
'cd ~/hiveiq/hiveops-openmetal/hiveops/instances/dev && docker compose pull hiveiq-guide-backend && docker compose up -d hiveiq-guide-backend'
- name: Smoke — guide backend healthy + content served
run: |
for i in $(seq 1 12); do
s=$(curl -sk -o /dev/null -w '%{http_code}' https://api.bcos.dev/guide/actuator/health || echo 000)
[ "$s" = "200" ] && { echo "guide healthy"; exit 0; }
sleep 5
done
echo "::error::guide did not report healthy after deploy"; exit 1