@@ -6,6 +6,24 @@ and the occasional config schema change. |
| 6 | 6 | |
| 7 | 7 | ## Standard release |
| 8 | 8 | |
| 9 | +Pushes to `trunk` auto-deploy to production via the `deploy` GitHub |
| 10 | +Actions workflow once `ci` succeeds. The workflow SSHes to the app |
| 11 | +droplet and runs `deploy/redeploy.sh`, which fetches trunk, rebuilds |
| 12 | +the binary in place, runs `migrate up`, and restarts the web + worker |
| 13 | +units. There is no canary tier today (see "Canary" below). |
| 14 | + |
| 15 | +To redeploy current trunk without a push (e.g., after editing env |
| 16 | +files on the droplet), trigger the `deploy` workflow manually: |
| 17 | +`gh workflow run deploy.yml --ref trunk`. To deploy by hand from a |
| 18 | +console: |
| 19 | + |
| 20 | +```sh |
| 21 | +ssh root@shithub.sh 'bash /root/src/shithub/deploy/redeploy.sh' |
| 22 | +``` |
| 23 | + |
| 24 | +For tagged releases on a staging-then-prod path (once we have a |
| 25 | +staging tier): |
| 26 | + |
| 9 | 27 | ```sh |
| 10 | 28 | # from a clean checkout of the release tag |
| 11 | 29 | git fetch --tags |
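Review bot: The auto-deploy path in this hunk has CI SSH in as `root` (the manual fallback `ssh root@shithub.sh 'bash /root/src/shithub/deploy/redeploy.sh'` makes that explicit), so a leaked or mis-scoped `DEPLOY_SSH_KEY` gives full control of the droplet rather than just the ability to redeploy. Consider documenting a dedicated low-privilege deploy user that can only run `deploy/redeploy.sh` (via sudoers), or at minimum a `command="bash /root/src/shithub/deploy/redeploy.sh"` forced-command entry in `authorized_keys` for the CI key so the key cannot be used for an interactive shell. Also worth stating what happens on a failed `migrate up` or restart, since the text describes rebuilding in place with no rollback step, and the "see "Canary" below" cross-reference should be checked against the rest of the file to make sure that section actually exists.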
@@ -16,6 +34,31 @@ make deploy ANSIBLE_INVENTORY=staging |
| 16 | 34 | make deploy ANSIBLE_INVENTORY=production |
| 17 | 35 | ``` |
| 18 | 36 | |
| 37 | +### GitHub Actions secrets |
| 38 | + |
| 39 | +The `deploy` workflow needs three repo secrets (Settings → Secrets |
| 40 | +and variables → Actions, in the `production` environment): |
| 41 | + |
| 42 | +- `DEPLOY_HOST` — `shithub.sh` (or the app droplet's public IPv4) |
| 43 | +- `DEPLOY_USER` — `root` |
| 44 | +- `DEPLOY_SSH_KEY` — private half of an ed25519 key whose public half |
| 45 | + is in `/root/.ssh/authorized_keys` on the app droplet |
| 46 | +- `DEPLOY_KNOWN_HOSTS` — output of `ssh-keyscan shithub.sh` on a |
| 47 | + trusted host, pinning the host key so the runner won't TOFU-trust |
| 48 | + a hijacked DNS answer |
| 49 | + |
| 50 | +Generate a dedicated deploy key (don't reuse the operator's laptop |
| 51 | +key): |
| 52 | + |
| 53 | +```sh |
| 54 | +ssh-keygen -t ed25519 -C 'gh-actions-deploy' -f ./gh-deploy -N '' |
| 55 | +ssh-copy-id -i ./gh-deploy.pub root@shithub.sh |
| 56 | +ssh-keyscan shithub.sh > known_hosts.txt |
| 57 | +# Paste ./gh-deploy → DEPLOY_SSH_KEY |
| 58 | +# Paste known_hosts.txt → DEPLOY_KNOWN_HOSTS |
| 59 | +# Then: rm gh-deploy gh-deploy.pub known_hosts.txt |
| 60 | +``` |
| 61 | + |
| 19 | 62 | `shithubd migrate up` runs as the web service's ExecStartPre, so |
| 20 | 63 | the binary that needs the new schema is also the one that applies |
| 21 | 64 | it. Order on each host: ExecStartPre runs migrations → web starts |
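Review bot: The intro in this hunk says the workflow needs "three repo secrets" but the list that follows has four (`DEPLOY_HOST`, `DEPLOY_USER`, `DEPLOY_SSH_KEY`, `DEPLOY_KNOWN_HOSTS`); update the count. Separately, the prose correctly says `DEPLOY_KNOWN_HOSTS` must come from `ssh-keyscan shithub.sh` on a trusted host so the runner does not TOFU-trust a hijacked DNS answer, but the snippet just runs `ssh-keyscan shithub.sh > known_hosts.txt` with no guidance on where, and keyscan over the network has the same DNS/MITM exposure the secret is meant to remove; suggest a line telling the operator to compare the scanned key against the fingerprint of the droplet's own host key (e.g. via the console or `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the droplet) before pasting it. The `ssh-copy-id` step also installs the key unrestricted in root's `authorized_keys`; if the forced-command restriction from the standard-release section is adopted, this snippet should show that entry instead.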