diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml new file mode 100644 index 0000000..fe07ad0 --- /dev/null +++ b/.gitea/workflows/deploy.yml @@ -0,0 +1,95 @@ +name: build-test-deploy + +on: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + build: + runs-on: ubuntu-22.04 + env: + PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }} + PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }} + PUBLIC_SALES_EMAIL: ${{ vars.PUBLIC_SALES_EMAIL }} + + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'npm' + + - name: Install dependencies + run: npm ci + + - name: Run unit tests + run: npm test + + - name: Build site + run: npm run build + + - name: Validate HTML + run: npm run lint:html + + - name: Check internal links + run: npm run lint:links + + - name: Lighthouse CI + run: npx lhci autorun + + - name: Upload dist artifact + if: github.ref == 'refs/heads/main' + uses: actions/upload-artifact@v4 + with: + name: dist + path: dist/ + retention-days: 7 + + deploy: + if: github.ref == 'refs/heads/main' + needs: build + runs-on: ubuntu-22.04 + concurrency: + group: deploy-production + cancel-in-progress: false + + steps: + - name: Download dist artifact + uses: actions/download-artifact@v4 + with: + name: dist + path: dist/ + + - name: Configure SSH + env: + SFTP_KEY: ${{ secrets.SFTP_KEY }} + SFTP_KNOWN_HOSTS: ${{ secrets.SFTP_KNOWN_HOSTS }} + run: | + mkdir -p ~/.ssh + echo "$SFTP_KEY" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + echo "$SFTP_KNOWN_HOSTS" > ~/.ssh/known_hosts + chmod 644 ~/.ssh/known_hosts + + - name: Deploy via rsync + env: + SFTP_USER: ${{ secrets.SFTP_USER }} + SFTP_HOST: ${{ secrets.SFTP_HOST }} + SFTP_PATH: ${{ secrets.SFTP_PATH }} + run: | + rsync -avz --delete \ + -e "ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts" \ + dist/ "$SFTP_USER@$SFTP_HOST:$SFTP_PATH/" + + - name: Post-deploy smoke test + run: | + set -e + echo "Checking security headers on www.cameleer.io..." + HEADERS=$(curl -sI https://www.cameleer.io/ || echo "") + echo "$HEADERS" | grep -i '^strict-transport-security:' || { echo "HSTS missing"; exit 1; } + echo "$HEADERS" | grep -i '^content-security-policy:' || { echo "CSP missing"; exit 1; } + echo "$HEADERS" | grep -i '^x-frame-options:' || { echo "XFO missing"; exit 1; } + echo "All required headers present on the live origin."