- update local environment and prepare dev deployment

.dockerignore

@@ -0,0 +1,26 @@
+.composer/
+.editorconfig
+.env*
+.git/
+.gitattributes
+.github/
+.gitignore
+.idea/
+.sops.yaml
+
+codestyle.php
+docker-compose*
+eslint.config.js
+Taskfile.yml
+node_modules/
+phpstan*
+public/build/
+public/hot
+readme.md
+renovate.json5
+vendor/
+
+/environment
+!/environment/.deployment/scripts/post-deploy-actions.sh
+!/environment/.docker
+!/environment/dev

.env.example

@@ -3,7 +3,11 @@ APP_ENV=local
 APP_KEY=
 APP_DEBUG=true
 APP_TIMEZONE=Europe/Warsaw
-APP_URL=http://lmt.blumilk.localhost
+APP_URL=https://lmt.blumilk.local.env
+
+APP_DOCKER_HOST_NAME=lmt.blumilk.local.env
+MAILPIT_DOCKER_HOST_NAME=lmt-mailpit.blumilk.local.env
+VITE_DEV_SERVER_DOCKER_HOST_NAME=lmt-vite-dev-server.blumilk.local.env
 
 APP_LOCALE=pl
 APP_FALLBACK_LOCALE=en
@@ -21,7 +25,7 @@ LOG_DEPRECATIONS_CHANNEL=null
 LOG_LEVEL=debug
 
 DB_CONNECTION=pgsql
-DB_HOST=lmt-db-dev
+DB_HOST=lmt-db-local
 DB_PORT=5432
 DB_DATABASE=lmt
 DB_USERNAME=lmt
@@ -41,7 +45,7 @@ CACHE_STORE=database
 CACHE_PREFIX=
 
 MAIL_MAILER=smtp
-MAIL_HOST=lmt-dev-mailpit-container
+MAIL_HOST=lmt-mailpit-local
 MAIL_PORT=1025
 MAIL_USERNAME=null
 MAIL_PASSWORD=null
@@ -51,10 +55,13 @@ REGISTRATION_NOTIFICATION_EMAIL="[email protected]"
 
 VITE_APP_NAME="${APP_NAME}"
 
+SOPS_AGE_DEV_SECRET_KEY=
 SOPS_AGE_PROD_SECRET_KEY=
 
 DOCKER_APP_HOST_PORT=8051
 DOCKER_DATABASE_HOST_PORT=8055
 DOCKER_MAILPIT_DASHBOARD_HOST_PORT=8052
 
 DOCKER_HOST_USER_ID=1000
+DOCKER_INSTALL_XDEBUG=false
+[email protected]

.github/workflows/deploy-to-dev.yml

@@ -18,6 +18,7 @@ jobs:
       DOCKER_REGISTRY_PROJECT_NAME: internal-public
       DOCKER_REGISTRY_REPO_NAME: lmt
       TARGET_DIR_ON_SERVER: /blumilk/deployments/dev/projects
+      ENVIRONMENT: dev
     steps:
       - name: set branch name
         run: echo "BRANCH_NAME=$GITHUB_REF_NAME" >> $GITHUB_ENV
@@ -27,3 +28,141 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ env.BRANCH_NAME }}
+
+      - name: sync with main branch
+        run: |
+          git config user.name "GitHub Actions Bot"
+          git config user.email "<>"
+          git merge --no-commit --no-ff origin/main
+
+      - name: set deployment project version
+        run: echo "DEPLOYMENT_PROJECT_VERSION=$(bash ./environment/.deployment/scripts/version.sh --long)" >> $GITHUB_ENV
+
+      - name: set docker image name
+        run: echo "DOCKER_IMAGE_NAME=${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REGISTRY_PROJECT_NAME }}/${{ env.DOCKER_REGISTRY_REPO_NAME }}" >> $GITHUB_ENV
+
+      - name: fetch server secrets
+        uses: Infisical/[email protected]
+        with:
+          domain: https://infisical.blumilk.pl
+          client-id: ${{ secrets.INFISICAL_MACHINE_IDENTITY_GHA_BOT_CLIENT_ID }}
+          client-secret: ${{ secrets.INFISICAL_MACHINE_IDENTITY_GHA_BOT_CLIENT_SECRET }}
+          project-slug: blumilk-infra-pv-ih
+          env-slug: infra
+          secret-path: /servers/ovh/ns31445530
+          export-type: env
+          recursive: true
+          include-imports: true
+
+      - name: set up Docker Buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+
+      - name: login to Docker Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.DOCKER_REGISTRY }}
+          username: ${{ env.DOCKER_REGISTRY_USER_NAME }}
+          password: ${{ env.HARBOR_ROBOT_BLUMILKBOT_TOKEN }}  # masked secret fetched from Infisical
+
+      - name: set docker app database image name
+        run: echo "DOCKER_APP_DATABASE_IMAGE_NAME=${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REGISTRY_PROJECT_NAME }}/${{ env.DOCKER_REGISTRY_REPO_NAME }}-postgres" >> $GITHUB_ENV
+
+
+      - name: Docker meta for app database
+        id: meta-app-database
+        uses: docker/[email protected]
+        with:
+          images: |
+            ${{ env.DOCKER_APP_DATABASE_IMAGE_NAME }}
+          tags: |
+            type=raw,value=dev
+          context: workflow
+
+      - name: build and push app database image
+        uses: docker/[email protected]
+        with:
+          context: .
+          file: ./environment/.docker/postgres/Dockerfile
+          labels: ${{ steps.meta-app-database.outputs.labels }}
+          tags: ${{ steps.meta-app-database.outputs.tags }}
+          push: true
+          cache-from: type=gha, ref=${{ env.DOCKER_APP_DATABASE_IMAGE_NAME }}-dev-build-cache
+          cache-to: type=gha, ref=${{ env.DOCKER_APP_DATABASE_IMAGE_NAME }}-dev-build-cache, mode=max
+
+      - name: Docker meta for app
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ env.DOCKER_IMAGE_NAME }}
+          tags: |
+            type=raw,value=dev
+          context: workflow
+
+      - name: build and push app image
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        with:
+          context: .
+          file: ./environment/.docker/app/Dockerfile
+          target: production
+          build-args: |
+            DEPLOYMENT_PROJECT_VERSION_ARG=${{ env.DEPLOYMENT_PROJECT_VERSION }}
+            ENVIRONMENT=${{ env.ENVIRONMENT }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+          push: true
+          cache-from: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-dev-build-cache
+          cache-to: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-dev-build-cache, mode=max
+
+      - name: set deployment path on server
+        run: echo "DEPLOYMENT_PATH_ON_SERVER=${{ env.TARGET_DIR_ON_SERVER }}/${{ env.DOCKER_REGISTRY_PROJECT_NAME }}/${{ env.DOCKER_REGISTRY_REPO_NAME }}" >> $GITHUB_ENV
+
+      - name: copy files via ssh
+        uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
+        with:
+          timeout: 10s
+          command_timeout: 10m
+          host: ${{ env.SERVER_OVH_NS31445530_IP }} # masked secret fetched from Infisical
+          port: ${{ env.SERVER_OVH_NS31445530_SSH_PORT }} # masked secret fetched from Infisical
+          username: ${{ env.SERVER_OVH_NS31445530_BLUMILKBOT_USER_NAME }} # masked secret fetched from Infisical
+          key: ${{ env.SERVER_OVH_NS31445530_BLUMILKBOT_USER_SSH_PRIVATE_KEY }} # masked secret fetched from Infisical
+          passphrase: ${{ env.SERVER_OVH_NS31445530_BLUMILKBOT_USER_SSH_PRIVATE_KEY_PASSPHRASE }} # masked secret fetched from Infisical
+          source: "./environment/.deployment/dev/*,./environment/.deployment/Taskfile.yml"
+          target: ${{ env.DEPLOYMENT_PATH_ON_SERVER }}
+          rm: true
+
+
+      - name: fetch project deployment secrets
+        uses: Infisical/[email protected]
+        with:
+          domain: https://infisical.blumilk.pl
+          client-id: ${{ secrets.INFISICAL_MACHINE_IDENTITY_GHA_BOT_CLIENT_ID }}
+          client-secret: ${{ secrets.INFISICAL_MACHINE_IDENTITY_GHA_BOT_CLIENT_SECRET }}
+          project-slug: lmt-d-hr8
+          env-slug: dev
+          secret-path: /deployment
+          export-type: env
+          recursive: false
+          include-imports: false
+
+      - name: run deployment script over ssh
+        uses: appleboy/[email protected]
+        with:
+          timeout: 10s
+          command_timeout: 10m
+          host: ${{ env.SERVER_OVH_NS31445530_IP }} # masked secret fetched from Infisical
+          port: ${{ env.SERVER_OVH_NS31445530_SSH_PORT }} # masked secret fetched from Infisical
+          username: ${{ env.SERVER_OVH_NS31445530_BLUMILKBOT_USER_NAME }} # masked secret fetched from Infisical
+          key: ${{ env.SERVER_OVH_NS31445530_BLUMILKBOT_USER_SSH_PRIVATE_KEY }} # masked secret fetched from Infisical
+          passphrase: ${{ env.SERVER_OVH_NS31445530_BLUMILKBOT_USER_SSH_PRIVATE_KEY_PASSPHRASE }} # masked secret fetched from Infisical
+          # masked secrets from Infisical: HARBOR_ROBOT_BLUMILKBOT_TOKEN, SOPS_AGE_DEV_SECRET_KEY
+          script: |
+            cd ${{ env.DEPLOYMENT_PATH_ON_SERVER }}/environment/.deployment/
+            mv Taskfile.yml ${{ env.ENVIRONMENT }}/
+            cd ${{ env.ENVIRONMENT }}/
+            echo ${{ env.HARBOR_ROBOT_BLUMILKBOT_TOKEN }} | docker login ${{ env.DOCKER_REGISTRY }} --username ${{ env.DOCKER_REGISTRY_USER_NAME }} --password-stdin
+            export SOPS_AGE_KEY=${{ env.SOPS_AGE_DEV_SECRET_KEY }} 
+            export ENVIRONMENT=${{ env.ENVIRONMENT }} 
+            task deploy 
+            docker images --filter dangling=true | grep "${{ env.DOCKER_IMAGE_NAME }}" | awk '{print $3}'| xargs --no-run-if-empty docker rmi
+            docker images --filter dangling=true | grep ${{ env.DOCKER_APP_DATABASE_IMAGE_NAME }} | awk '{print $3}'| xargs --no-run-if-empty docker rmi
+            docker logout ${{ env.DOCKER_REGISTRY }}

.gitignore

@@ -1,8 +1,8 @@
 .idea
 .vscode
 /vendor/
+*.decrypted
 .env
-.env.prod.secrets.decrypted
 /cache/*
 !/cache/.gitkeep
 node_modules/

.sops.yaml

@@ -1,5 +1,10 @@
 creation_rules:
 
+  - name: dev
+    path_regex: \.env\.dev\.secrets.*$
+    age: >-
+      age1m3ruqh8ldq9wy9w5rpyj2wed0nc0n4ejda2lau2009w2rlvu7qjqacfqp2
+
   - name: prod
     path_regex: \.env\.prod\.secrets.*$
     age: >-