Citali/cms.fellies.org

Files

Citali 969e88670f

ci(delivery): add deploy and release workflow scaffolds

2026-02-11 12:19:31 +01:00

1.7 KiB

Raw Blame History

Delivery Pipeline

Scope

Operational pipeline baseline for image build/push, staging deploy, production promotion, and rollback.

Registry Credentials Strategy

Use scoped Gitea secrets:

CMS_IMAGE_REGISTRY
CMS_IMAGE_NAMESPACE
CMS_IMAGE_REGISTRY_USER
CMS_IMAGE_REGISTRY_PASSWORD

Policy:

credentials only in CI secrets
no plaintext credentials in repo
least privilege: push/pull for target namespace only

Build and Push Flow

Workflow: .gitea/workflows/release.yml
Trigger:
- tag push vX.Y.Z
- manual workflow_dispatch
Steps:
1. validate tag vs root package.json version
2. generate changelog
3. docker login
4. build and push cms-web and cms-admin images

Staging Deployment Automation

Workflow: .gitea/workflows/deploy.yml
Manual input:
- environment=staging
- image_tag=vX.Y.Z
Remote deployment uses SSH + compose file:
- docker-compose.staging.yml

Required secrets:

CMS_STAGING_HOST
CMS_STAGING_USER
CMS_DEPLOY_KEY
CMS_REMOTE_DEPLOY_PATH

Production Promotion and Rollback

Promotion:

run deploy workflow with:
- environment=production
- image_tag=vX.Y.Z

Rollback:

release workflow supports rollback placeholder by image tag
deploy workflow supports rollback_tag input
recovery action:
- rerun deploy with previous known-good tag

Deployment Verification

After deploy:

app health checks (web/admin)
auth smoke flow
i18n smoke flow
critical route checks (/, /login, /todo)

Notes

Current workflows are production-oriented scaffolds and require secret provisioning in Gitea.
Host hardening, network ACLs, and backup policy remain mandatory operational controls.