fix(deploy): harden runtime config and migrations

2026-03-10 17:10:23 +04:00
parent 2efb18a4de
commit 1b490fa4a5
6 changed files with 27 additions and 11 deletions


@@ -62,7 +62,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: check-secrets needs: check-secrets
timeout-minutes: 30 timeout-minutes: 30
if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' }} if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' }}
env: env:
GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }} GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }} ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
@@ -90,7 +90,6 @@ jobs:
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- name: Run database migrations - name: Run database migrations
if: ${{ needs.check-secrets.outputs.db_secret_ok == 'true' }}
env: env:
DATABASE_URL: ${{ secrets.DATABASE_URL }} DATABASE_URL: ${{ secrets.DATABASE_URL }}
run: bun run db:migrate run: bun run db:migrate
@@ -186,6 +185,18 @@ jobs:
- name: Print configuration hint - name: Print configuration hint
run: | run: |
echo "CD skipped: configure required GitHub secrets." echo "CD skipped: configure required GitHub secrets."
echo "Required: GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT" echo "Required: GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT, DATABASE_URL"
echo "Optional for auto-migrations: DATABASE_URL"
echo "Optional repo/service vars: GCP_REGION, ARTIFACT_REPOSITORY, CLOUD_RUN_SERVICE_BOT, CLOUD_RUN_SERVICE_MINI" echo "Optional repo/service vars: GCP_REGION, ARTIFACT_REPOSITORY, CLOUD_RUN_SERVICE_BOT, CLOUD_RUN_SERVICE_MINI"
deploy-blocked-db:
name: Deploy blocked (missing DATABASE_URL)
runs-on: ubuntu-latest
needs: check-secrets
if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok != 'true' }}
steps:
- name: Fail fast on missing DATABASE_URL
run: |
echo "CD blocked: DATABASE_URL GitHub secret is required."
echo "This workflow now refuses to deploy without running migrations against the target database."
exit 1
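Review bot: The new `deploy-blocked-db` job reports its reason only in the step log via `exit 1`; emitting it as a workflow error annotation, `echo "::error::CD blocked: DATABASE_URL GitHub secret is required."`, surfaces the message on the run summary and the check status as well. The job's `if:` also repeats the `eligible_event`/`secrets_ok` conditions of the `deploy` job at the top of this section, so a future edit to one expression can leave the two jobs neither mutually exclusive nor exhaustive; a single gate output from `check-secrets` consumed by both jobs would keep them in step by construction. The `check-secrets` job that computes `db_secret_ok` is outside this section, so whether an empty-string `DATABASE_URL` is treated as missing cannot be confirmed here.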


@@ -10,6 +10,11 @@ server {
return 200 '{"ok":true}'; return 200 '{"ok":true}';
} }
location = /config.js {
add_header Cache-Control "no-store, no-cache, must-revalidate" always;
try_files $uri =404;
}
location / { location / {
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
} }
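Review bot: The `add_header` in the new `location = /config.js` block replaces, rather than extends, any `add_header` directives inherited from the enclosing `server` block, because nginx only inherits them when the current level defines none; if the server level sets security headers (not visible in this hunk), they would be dropped for `/config.js`. Either repeat those headers inside this location or move the `Cache-Control` rule into a shared include so the hardening does not weaken the response headers elsewhere. The `always` parameter is correct here: it keeps the header on the `=404` response from `try_files` as well as on the 200.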


@@ -82,7 +82,7 @@ bun run review:coderabbit
- `GCP_PROJECT_ID` - `GCP_PROJECT_ID`
- `GCP_WORKLOAD_IDENTITY_PROVIDER` - `GCP_WORKLOAD_IDENTITY_PROVIDER`
- `GCP_SERVICE_ACCOUNT` - `GCP_SERVICE_ACCOUNT`
- optional for automated migrations: `DATABASE_URL` - `DATABASE_URL`
- Optional GitHub variables for deploy: - Optional GitHub variables for deploy:
- `GCP_REGION` (default `europe-west1`) - `GCP_REGION` (default `europe-west1`)
- `ARTIFACT_REPOSITORY` (default `household-bot`) - `ARTIFACT_REPOSITORY` (default `household-bot`)


@@ -62,7 +62,7 @@ Required for CD:
- `GCP_WORKLOAD_IDENTITY_PROVIDER` - `GCP_WORKLOAD_IDENTITY_PROVIDER`
- `GCP_SERVICE_ACCOUNT` - `GCP_SERVICE_ACCOUNT`
Recommended: Required for a real deploy:
- `DATABASE_URL` - `DATABASE_URL`
@@ -152,7 +152,7 @@ Populate GitHub repository secrets with the Terraform outputs:
- `GCP_PROJECT_ID` - `GCP_PROJECT_ID`
- `GCP_WORKLOAD_IDENTITY_PROVIDER` - `GCP_WORKLOAD_IDENTITY_PROVIDER`
- `GCP_SERVICE_ACCOUNT` - `GCP_SERVICE_ACCOUNT`
- optional `DATABASE_URL` - `DATABASE_URL`
If you prefer the GitHub CLI: If you prefer the GitHub CLI:
@@ -177,7 +177,7 @@ You have two safe options:
The workflow will: The workflow will:
- optionally run `bun run db:migrate` if `DATABASE_URL` secret is configured - run `bun run db:migrate` before deploy
- build and push bot and mini app images - build and push bot and mini app images
- deploy both Cloud Run services - deploy both Cloud Run services


@@ -47,8 +47,8 @@ bun run build
## CD behavior ## CD behavior
- CD deploy can run migrations before deploy **if** `DATABASE_URL` secret is present. - CD deploy runs migrations before deploy and now requires the `DATABASE_URL` GitHub secret.
- If `DATABASE_URL` is not set, deploy continues without auto-migration. - If `DATABASE_URL` is missing, CD fails fast instead of deploying schema-dependent code without migrations.
## Safety rules ## Safety rules


@@ -45,7 +45,7 @@ Document the exact first-deploy sequence so one engineer can provision, deploy,
## Edge Cases and Failure Modes ## Edge Cases and Failure Modes
- First Terraform apply may not know the final mini app URL; runbook includes a second apply to set allowed origins. - First Terraform apply may not know the final mini app URL; runbook includes a second apply to set allowed origins.
- Missing `DATABASE_URL` in GitHub secrets skips migration automation. - Missing `DATABASE_URL` in GitHub secrets blocks CD entirely so schema-dependent deploys cannot ship without migrations.
- Scheduler jobs remain paused and dry-run by default to prevent accidental sends. - Scheduler jobs remain paused and dry-run by default to prevent accidental sends.
## Test Plan ## Test Plan