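---
# CI/CD pipeline for the frontend container image.
#
# Triggers:
#   - pull_request -> main : CI only (type-check, lint, test, build)
#   - push -> main         : CI, then build & push the image to ECR and
#                            dispatch a deploy event to the platform repo
#   - workflow_dispatch    : `mode: ci` runs CI only, `mode: cicd` runs everything
#
# Security notes:
#   - GITHUB_TOKEN is read-only for every job; only build_and_push is granted
#     `id-token: write` (needed to mint the OIDC token for the AWS role).
#   - TODO(security): pin third-party actions to full commit SHAs instead of
#     mutable major-version tags (supply-chain hardening).
name: CI/CD pipeline
run-name: >
  ${{ github.event_name == 'workflow_dispatch' && format('Manual {0} pipeline (by {1})', inputs.mode, github.actor) ||
  github.event_name == 'pull_request' && format('CI Pipeline is triggered by PR (by {0})', github.actor) ||
  github.event_name == 'push' && format('CI&CD Pipeline is triggered by PUSH (by {0})', github.actor) ||
  'CI/CD pipeline' }}

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      mode:
        description: "Choose pipeline mode"
        type: choice
        options: [ci, cicd]
        default: cicd
        required: true

concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  # Only superseded PR runs are cancelled. A new push to main is queued instead,
  # so it cannot cancel a run that is mid-way through pushing the image or
  # dispatching the deploy event and leave UAT half-updated.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Least privilege: read-only token unless a job explicitly overrides it.
permissions:
  contents: read

env:
  AWS_REGION: ${{ secrets.AWS_REGION }}
  ECR_REPO: ${{ secrets.FRONTEND_ECR }}
  # Immutable, commit-addressed tag pushed next to the mutable UAT tag.
  IMAGE_SHA: sha-${{ github.sha }}
  IMAGE_UAT: uat-latest

jobs:
  ci_frontend:
    runs-on: ubuntu-latest
    # Runs on every trigger. The original condition omitted `push`, so on a push
    # to main this job was skipped and, via `needs`, every CD job after it too.
    if: ${{ github.event_name == 'pull_request' || github.event_name == 'push' || inputs.mode == 'ci' || inputs.mode == 'cicd' }}
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Enable corepack (pnpm)
        run: corepack enable

      - name: Install pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'pnpm'
          cache-dependency-path: pnpm-lock.yaml

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Type check
        run: pnpm run type-check

      - name: Lint
        run: pnpm run lint

      - name: Test
        run: pnpm test

      # Needed only if Dockerfile.uat COPYs apps/frontend/.next instead of
      # building inside the image. NEXT_PUBLIC_* values are inlined into the
      # client bundle, so this is configuration rather than a secret; it is
      # still passed through `env:` instead of being interpolated into the
      # shell command line.
      # NOTE(review): secrets are not available to pull_request runs from
      # forks, so the value is empty there — confirm the build tolerates that.
      - name: Build (only if you COPY .next into image)
        env:
          NEXT_PUBLIC_API_BASE_URL: ${{ secrets.UAT_BACKEND_URL }}
        run: pnpm build

      # Upload the build output only on CD runs (push to main, or manual cicd).
      - name: Upload Next.js artifact
        if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch' && inputs.mode == 'cicd') }}
        uses: actions/upload-artifact@v4
        with:
          name: frontend-build
          path: |
            apps/frontend/.next/**
            apps/frontend/public/**
          include-hidden-files: true
          retention-days: 1

  build_and_push:
    if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch' && inputs.mode == 'cicd') }}
    needs: ci_frontend
    runs-on: ubuntu-latest
    # The only job allowed to mint an OIDC token (AWS role assumption below).
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # upload-artifact stores files relative to the least common ancestor of
      # the uploaded paths, here apps/frontend, so the archive holds `.next/`
      # and `public/` at its root. Extracting into apps/frontend makes
      # `COPY apps/frontend/.next` in Dockerfile.uat resolve; extracting to `.`
      # would place `.next/` at the repository root instead.
      # (The step-level `if` duplicated the job-level one and was dropped.)
      - name: Download build artifact (when Dockerfile needs COPY .next)
        uses: actions/download-artifact@v4
        with:
          name: frontend-build
          path: apps/frontend

      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to ECR
        uses: aws-actions/amazon-ecr-login@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Two tags: the mutable UAT pointer and the immutable sha-addressed tag.
      # NOTE(review): `provenance: false` means no BuildKit provenance
      # attestation is attached to the image — confirm nothing downstream
      # relies on it, and re-enable once the registry/consumers accept
      # attestation manifests.
      - name: "Build & push (two tags: uat-latest + sha-*)"
        uses: docker/build-push-action@v6
        with:
          push: true
          context: .
          file: ./Dockerfile.uat
          tags: |
            ${{ env.ECR_REPO }}:${{ env.IMAGE_UAT }}
            ${{ env.ECR_REPO }}:${{ env.IMAGE_SHA }}
          platforms: linux/amd64
          provenance: false

  notify_platform:
    name: Notify platform repo to deploy UAT
    if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'workflow_dispatch' && inputs.mode == 'cicd') }}
    needs: build_and_push
    runs-on: ubuntu-latest
    # Authenticates with a PAT, not GITHUB_TOKEN, so no token scopes are needed.
    permissions: {}
    steps:
      - name: Install jq
        run: sudo apt-get update && sudo apt-get install -y jq

      # PLATFORM_DISPATCH_TOKEN should be a fine-grained token scoped to the
      # platform repo with only what repository_dispatch requires
      # (contents: write); a GitHub App installation token is preferable to a
      # long-lived user PAT.
      - name: Dispatch deploy event to main platform
        env:
          GH_TOKEN: ${{ secrets.PLATFORM_DISPATCH_TOKEN }}
          OWNER: ${{ secrets.PLATFORM_REPO_OWNER }}
          REPO: ${{ secrets.PLATFORM_REPO_NAME }}
          SERVICE: frontend
          TAG: ${{ env.IMAGE_UAT }}
        run: |
          set -euo pipefail
          # `tag` remains the mutable UAT tag for existing consumers; `image_sha`
          # is the immutable tag pushed alongside it so the deploy can pin the
          # exact build that passed CI (IMAGE_SHA comes from the workflow env).
          payload="$(jq -n \
            --arg et "deploy_uat" \
            --arg svc "${SERVICE}" \
            --arg tag "${TAG}" \
            --arg sha "${IMAGE_SHA}" \
            '{event_type:$et, client_payload:{service:$svc, tag:$tag, image_sha:$sha}}')"
          # --fail-with-body: a 4xx/5xx from the API (expired token, wrong repo)
          # fails the job instead of reporting success after a silent no-op.
          curl -sS --fail-with-body -X POST \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "https://api.github.com/repos/${OWNER}/${REPO}/dispatches" \
            -d "${payload}"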