will.anderson
6a040afcc5
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m43s
410 lines
19 KiB
YAML
410 lines
19 KiB
YAML
name: Stage — Build, push & deploy to marketing-stage
|
|
|
|
# Pipeline: build → push → deploy marketing-stage → smoke test.
|
|
# STOPS HERE. No prod deploy. Merge to main when stage looks good.
|
|
# Triggered: 2026-05-11 (add tests/** to paths filter)
|
|
|
|
on:
|
|
push:
|
|
branches: [stage]
|
|
paths:
|
|
- 'src/**'
|
|
- 'dist/**'
|
|
- 'runtime/**'
|
|
- 'tests/**'
|
|
- 'migrations/**'
|
|
- 'playwright.config.ts'
|
|
- 'package.json'
|
|
- 'Dockerfile.stage'
|
|
- 'Dockerfile.soul-demo'
|
|
- 'build-stage.sh'
|
|
- '.gitea/workflows/stage.yaml'
|
|
|
|
workflow_dispatch:
|
|
inputs:
|
|
tag:
|
|
description: 'Image tag to build and deploy (defaults to short SHA)'
|
|
required: false
|
|
type: string
|
|
|
|
jobs:
|
|
deploy-stage:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 45
|
|
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 2
|
|
|
|
- name: Enforce dev-only source
|
|
# stage only accepts merges from dev. Any PR from another branch fails
|
|
# here before a single build step runs.
|
|
# workflow_dispatch is exempt (allows manual redeploy of current stage).
|
|
# Must run AFTER checkout — git commands require a cloned workspace.
|
|
if: github.event_name != 'workflow_dispatch'
|
|
run: |
|
|
set -euo pipefail
|
|
COMMIT_MSG=$(git log -1 --pretty=format:"%s" 2>/dev/null || true)
|
|
echo "Merge commit: $COMMIT_MSG"
|
|
# Fetch dev so ancestry check works in the shallow clone.
|
|
git fetch --depth=1 origin dev 2>/dev/null || true
|
|
# Gitea merge commits: "Merge pull request '...' (#N) from dev into stage"
|
|
# Direct branch merges: "Merge branch 'dev' into stage"
|
|
# tea pr merge with custom title: any subject line is possible, so
|
|
# fall back to checking git parents — if the second parent is on dev
|
|
# the merge came from dev regardless of the commit subject.
|
|
SECOND_PARENT=$(git log -1 --pretty=format:"%P" HEAD | awk '{print $2}')
|
|
FROM_DEV=""
|
|
if [ -n "$SECOND_PARENT" ]; then
|
|
if git merge-base --is-ancestor "$SECOND_PARENT" origin/dev 2>/dev/null; then
|
|
FROM_DEV=1
|
|
fi
|
|
fi
|
|
if echo "$COMMIT_MSG" | grep -qE " from dev into stage$| 'dev' into stage$" || [ -n "$FROM_DEV" ]; then
|
|
echo "Source branch check: OK (merged from dev)"
|
|
else
|
|
echo "ERROR: stage only accepts merges from dev."
|
|
echo "Commit message was: $COMMIT_MSG"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Detect change type
|
|
id: changetype
|
|
run: |
|
|
set -euo pipefail
|
|
CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || git diff --name-only HEAD 2>/dev/null || echo "unknown")
|
|
echo "Changed files:"
|
|
echo "$CHANGED"
|
|
NON_ASSET=$(echo "$CHANGED" | grep -v '^src/assets/' | grep -v '^src/shares/' | grep -v '^src/index\.html' | grep -v '^src/about\.html' | grep -v '^src/terms\.html' | grep -v '^src/enterprise-terms\.html' | grep -v '^src/llms\.txt' | grep -v '^migrations/' | grep -v '^scripts/' | grep -v '^tests/' | grep -v '^\.gitea/' | grep -v '^$' || true)
|
|
if [ -z "$CHANGED" ] || [ "$CHANGED" = "unknown" ]; then
|
|
# No diff (workflow_dispatch with no new commits, or git error).
|
|
# Registry may not have a stage-latest base image, so force full build.
|
|
echo "asset_only=false" >> "$GITHUB_OUTPUT"
|
|
echo "=> No changed files detected (workflow_dispatch?), forcing full build"
|
|
elif [ -z "$NON_ASSET" ]; then
|
|
echo "asset_only=true" >> "$GITHUB_OUTPUT"
|
|
echo "=> Asset-only change detected, will use fast path"
|
|
else
|
|
echo "asset_only=false" >> "$GITHUB_OUTPUT"
|
|
echo "=> Full build required"
|
|
fi
|
|
|
|
- name: Authenticate to GCP
|
|
uses: google-github-actions/auth@v2
|
|
with:
|
|
credentials_json: ${{ secrets.GCP_SA_KEY }}
|
|
|
|
- name: Set up gcloud SDK
|
|
uses: google-github-actions/setup-gcloud@v2
|
|
with:
|
|
project_id: neuron-785695
|
|
|
|
- name: Run database migrations
|
|
# Applies any pending migrations in migrations/*.sql to the Supabase DB.
|
|
# Runs unconditionally (asset-only or full build) so the schema is always
|
|
# current before the new code is deployed.
|
|
run: python3 scripts/run_migrations.py
|
|
|
|
- name: Configure docker auth for Artifact Registry
|
|
run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet
|
|
|
|
- name: Prune Docker to reclaim disk
|
|
run: |
|
|
# Remove stopped containers, dangling images, unused volumes/networks.
|
|
# Do NOT prune build cache — that keeps Docker builds fast and under
|
|
# the ~26min runner restart window. Selective pruning frees ~4-5GB
|
|
# which is enough to prevent overlay2 "no space left on device" errors.
|
|
docker container prune -f 2>&1 || true
|
|
docker image prune -f 2>&1 || true
|
|
docker volume prune -f 2>&1 || true
|
|
df -h /
|
|
|
|
- name: Compute image tag
|
|
id: tag
|
|
run: |
|
|
TAG="${{ inputs.tag }}"
|
|
if [ -z "$TAG" ]; then TAG="stage-${GITHUB_SHA:0:8}"; fi
|
|
IMAGE="us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:${TAG}"
|
|
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
|
|
echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
|
|
echo "Will build and push: ${IMAGE}"
|
|
|
|
- name: Touch HTML placeholder files
|
|
# El binary regenerates these at startup via fs_write. They must exist
|
|
# in the build context for Dockerfile COPY to succeed.
|
|
run: touch src/index.html src/about.html src/terms.html src/enterprise-terms.html
|
|
|
|
# ── El SDK setup ──────────────────────────────────────────────────────
|
|
|
|
- name: Extract El SDK from ci-base
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
docker pull us-central1-docker.pkg.dev/neuron-785695/neuron-ci/ci-base:dev
|
|
CID=$(docker create us-central1-docker.pkg.dev/neuron-785695/neuron-ci/ci-base:dev)
|
|
sudo mkdir -p /opt/el
|
|
docker cp "$CID:/opt/el" /opt/
|
|
docker rm "$CID"
|
|
echo "ELB=/opt/el/dist/bin/elb" >> "$GITHUB_ENV"
|
|
echo "ELC=/opt/el/dist/platform/elc" >> "$GITHUB_ENV"
|
|
echo "EL_RUNTIME=$GITHUB_WORKSPACE/runtime" >> "$GITHUB_ENV"
|
|
|
|
# ── Build neuron-web binary ───────────────────────────────────────────
|
|
|
|
- name: Build neuron-web with elb
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
"$ELB" \
|
|
--elc="$ELC" \
|
|
--runtime="$EL_RUNTIME"
|
|
echo "Binary: $(ls -lh dist/neuron-landing)"
|
|
|
|
- name: Relink neuron-web with HAVE_CURL
|
|
# elb does not pass -DHAVE_CURL when compiling el_runtime.c, so
|
|
# http_get/http_post return {"error":"not built with HAVE_CURL"}.
|
|
# Fix: after elb generates all intermediate .c files in dist/, recompile
|
|
# el_runtime.c with -DHAVE_CURL and relink the whole binary manually.
|
|
# All component .c files (nav.c, hero.c, etc.) are generated by elb and
|
|
# remain in dist/ after the build — we collect them here, exclude the
|
|
# separate soul-demo.c binary, and relink with libcurl.
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
# Compile el_runtime.c with full curl support
|
|
cc -O2 -DHAVE_CURL -c runtime/el_runtime.c -I runtime/ -o /tmp/el_runtime_curl.o
|
|
echo "el_runtime_curl.o compiled: $(ls -lh /tmp/el_runtime_curl.o)"
|
|
|
|
# Collect every neuron-web .c file elb deposited in dist/
|
|
# (both committed stubs and freshly-generated component files)
|
|
mapfile -t C_SRCS < <(find dist/ -maxdepth 1 -name '*.c' ! -name 'soul-demo.c')
|
|
echo "Relinking ${#C_SRCS[@]} C files..."
|
|
|
|
cc -O2 -rdynamic \
|
|
-I runtime/ -I dist/ \
|
|
-o dist/neuron-landing \
|
|
"${C_SRCS[@]}" /tmp/el_runtime_curl.o \
|
|
-lcurl -lpthread -ldl -lm -lssl -lcrypto
|
|
|
|
echo "Relinked: $(ls -lh dist/neuron-landing)"
|
|
# Verification: if compiled WITHOUT HAVE_CURL the stub string
|
|
# "not built with HAVE_CURL" is baked into the binary's rodata.
|
|
# Its absence confirms curl code is compiled in.
|
|
if strings dist/neuron-landing | grep -q 'not built with HAVE_CURL'; then
|
|
echo "ERROR: no-curl stub string still in binary — HAVE_CURL not compiled"
|
|
exit 1
|
|
fi
|
|
# Confirm curl symbols visible in dynamic table
|
|
nm -D dist/neuron-landing | grep curl_easy_init || \
|
|
nm dist/neuron-landing | grep curl || true
|
|
echo "HAVE_CURL verified ✓"
|
|
|
|
# ── Compile JS client sources ─────────────────────────────────────────
|
|
|
|
- name: Compile JS El sources
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
echo "ELC=$ELC"
|
|
echo "EL_RUNTIME=$EL_RUNTIME"
|
|
echo "el_runtime.js: $(ls -lh "$EL_RUNTIME/el_runtime.js" 2>&1)"
|
|
cp "$EL_RUNTIME/el_runtime.js" src/js/
|
|
mkdir -p dist/js
|
|
for f in src/js/*.el; do
|
|
[ -f "$f" ] || continue
|
|
name=$(basename "$f" .el)
|
|
echo "Compiling $f..."
|
|
"$ELC" --target=js --bundle --minify "$f" > "dist/js/${name}.js" || {
|
|
echo "elc FAILED on $f"
|
|
exit 1
|
|
}
|
|
echo " compiled: $f -> dist/js/${name}.js"
|
|
done
|
|
rm -f src/js/el_runtime.js
|
|
|
|
# ── Docker build + push ───────────────────────────────────────────────
|
|
|
|
- name: Build soul-demo binary
|
|
# Compile soul-demo directly on the host runner (ci-base has gcc).
|
|
# Cloud Run runs soul-demo as a direct subprocess with a watchdog loop —
|
|
# no k3s, no OCI image needed. One binary per container; Cloud Run
|
|
# handles horizontal scaling.
|
|
# Moved AFTER JS compilation to avoid Docker memory pressure killing elc.
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
cc -O2 -DHAVE_CURL -c runtime/el_runtime.c -I runtime/ -o /tmp/el_runtime.o
|
|
cc -O2 -rdynamic -DEL_SOUL_DEMO_BUILD \
|
|
-I runtime/ \
|
|
-o dist/soul-demo \
|
|
dist/soul-demo.c dist/vessel_stubs.c /tmp/el_runtime.o \
|
|
-lcurl -lpthread -ldl -lm -lssl -lcrypto
|
|
echo "soul-demo compiled: $(ls -lh dist/soul-demo)"
|
|
|
|
- name: Build and push soul-demo image
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
id: soul-image
|
|
run: |
|
|
set -euo pipefail
|
|
SOUL_IMAGE="us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/soul-demo:${{ steps.tag.outputs.tag }}"
|
|
docker build --no-cache \
|
|
-f Dockerfile.soul-demo \
|
|
-t "soul-demo:${{ steps.tag.outputs.tag }}" \
|
|
.
|
|
docker tag "soul-demo:${{ steps.tag.outputs.tag }}" "$SOUL_IMAGE"
|
|
docker tag "soul-demo:${{ steps.tag.outputs.tag }}" \
|
|
"us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/soul-demo:stage-latest"
|
|
docker push "$SOUL_IMAGE"
|
|
docker push "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/soul-demo:stage-latest"
|
|
echo "soul_image=${SOUL_IMAGE}" >> "$GITHUB_OUTPUT"
|
|
echo "Soul-demo image: ${SOUL_IMAGE}"
|
|
|
|
- name: Deploy soul-demo-stage
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
id: deploy-soul
|
|
run: |
|
|
set -euo pipefail
|
|
gcloud run deploy soul-demo-stage \
|
|
--image "${{ steps.soul-image.outputs.soul_image }}" \
|
|
--region us-central1 \
|
|
--project neuron-785695 \
|
|
--service-account neuron-marketing-sa@neuron-785695.iam.gserviceaccount.com \
|
|
--update-env-vars "NEURON_LLM_0_FORMAT=anthropic,NEURON_LLM_0_MODEL=claude-sonnet-4-5,NEURON_LLM_0_URL=https://api.anthropic.com/v1/messages" \
|
|
--update-secrets "NEURON_LLM_0_KEY=anthropic-api-key:latest,ANTHROPIC_API_KEY=anthropic-api-key:latest" \
|
|
--min-instances 1 \
|
|
--max-instances 50 \
|
|
--concurrency 20 \
|
|
--port 8080 \
|
|
--allow-unauthenticated \
|
|
--quiet
|
|
|
|
SOUL_URL=$(gcloud run services describe soul-demo-stage \
|
|
--region us-central1 --project neuron-785695 \
|
|
--format 'value(status.url)')
|
|
echo "soul_url=${SOUL_URL}" >> "$GITHUB_OUTPUT"
|
|
echo "Soul-demo URL: ${SOUL_URL}"
|
|
|
|
- name: Build and tag image
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
# --no-cache: prevents reuse of corrupted overlay2 layers from prior failed runs.
|
|
# Dockerfile.stage is now single-stage (no builder) so build is fast even without cache.
|
|
docker build \
|
|
--no-cache \
|
|
-f Dockerfile.stage \
|
|
-t "marketing:${{ steps.tag.outputs.tag }}" \
|
|
.
|
|
docker tag "marketing:${{ steps.tag.outputs.tag }}" "${{ steps.tag.outputs.image }}"
|
|
docker tag "marketing:${{ steps.tag.outputs.tag }}" "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:stage-latest"
|
|
|
|
- name: Push image
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
run: |
|
|
docker push "${{ steps.tag.outputs.image }}"
|
|
docker push "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:stage-latest"
|
|
|
|
- name: Asset-only fast build
|
|
if: steps.changetype.outputs.asset_only == 'true'
|
|
env:
|
|
IMAGE: ${{ steps.tag.outputs.image }}
|
|
run: |
|
|
set -euo pipefail
|
|
LATEST="us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:stage-latest"
|
|
docker pull "$LATEST"
|
|
cat > /tmp/Dockerfile.assets <<'EOF'
|
|
ARG BASE
|
|
FROM ${BASE}
|
|
COPY src/assets /srv/landing/assets
|
|
COPY src/shares /srv/landing/shares
|
|
EOF
|
|
docker build \
|
|
--build-arg BASE="$LATEST" \
|
|
-f /tmp/Dockerfile.assets \
|
|
-t "marketing:${{ steps.tag.outputs.tag }}" \
|
|
-t "$IMAGE" \
|
|
-t "${LATEST%:*}:stage-latest" \
|
|
.
|
|
docker push "$IMAGE"
|
|
docker push "${LATEST%:*}:stage-latest"
|
|
echo "Fast asset build complete"
|
|
|
|
- name: Resolve soul-demo URL
|
|
id: soul-url
|
|
run: |
|
|
set -euo pipefail
|
|
# For full builds: soul_url comes from deploy-soul step output.
|
|
# For asset-only builds (soul-demo not redeployed): describe existing service.
|
|
SOUL_URL="${{ steps.deploy-soul.outputs.soul_url }}"
|
|
if [ -z "$SOUL_URL" ]; then
|
|
SOUL_URL=$(gcloud run services describe soul-demo-stage \
|
|
--region us-central1 --project neuron-785695 \
|
|
--format 'value(status.url)' 2>/dev/null || echo "")
|
|
fi
|
|
echo "soul_url=${SOUL_URL}" >> "$GITHUB_OUTPUT"
|
|
echo "Resolved SOUL_URL: ${SOUL_URL}"
|
|
|
|
- name: Deploy to marketing-stage
|
|
id: deploy-stage
|
|
env:
|
|
IMAGE: ${{ steps.tag.outputs.image }}
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
gcloud run deploy marketing-stage \
|
|
--image "$IMAGE" \
|
|
--region us-central1 \
|
|
--project neuron-785695 \
|
|
--service-account neuron-marketing-sa@neuron-785695.iam.gserviceaccount.com \
|
|
--max-instances 200 \
|
|
--update-env-vars "NODE_ENV=production,STRIPE_PUBLISHABLE_KEY=pk_test_51TPoHnJg9Fv1D3AUp1FEMcy4MGlKRZqs4scW66kjQFQjWofmNc2rottzXzDaXekHvuw1OQpyp2WCIsc7O5fXIG0G00HQQrkdGX,GCS_SHARE_BUCKET=neuron-shares-prod,SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im9jb2pzZ2hhb25sdHVuaWRrenB3Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3Nzc2NDIxNjgsImV4cCI6MjA5MzIxODE2OH0.e0FVFw1aahnrBVvnkR5R8a-RxCx095U8o_gsk7Quq3E,NEURON_LLM_0_FORMAT=anthropic,NEURON_LLM_0_MODEL=claude-sonnet-4-5,NEURON_LLM_0_URL=https://api.anthropic.com/v1/messages,SOUL_URL=${{ steps.soul-url.outputs.soul_url }}" \
|
|
--update-secrets "SUPABASE_SERVICE_KEY=supabase-service-key:latest,NEURON_LLM_0_KEY=anthropic-api-key:latest,ANTHROPIC_API_KEY=anthropic-api-key:latest,STRIPE_SECRET_KEY=stripe-secret-key-stage:latest,STRIPE_WEBHOOK_SECRET=stripe-webhook-secret-stage:latest,STRIPE_PRICE_PROFESSIONAL=stripe-price-professional-stage:latest,STRIPE_PRICE_FOUNDING=stripe-price-founding-stage:latest,STRIPE_PRICE_FAMILY_CHILD=stripe-price-family-child:latest,RESEND_API_KEY=resend-api-key:latest,DOCUSEAL_WEBHOOK_TOKEN=docuseal-webhook-token:latest" \
|
|
--allow-unauthenticated \
|
|
--quiet
|
|
|
|
STAGE_URL=$(gcloud run services describe marketing-stage \
|
|
--region us-central1 --project neuron-785695 \
|
|
--format 'value(status.url)')
|
|
echo "stage_url=${STAGE_URL}" >> "$GITHUB_OUTPUT"
|
|
echo "Stage URL: ${STAGE_URL}"
|
|
|
|
gcloud run services update marketing-stage \
|
|
--region us-central1 --project neuron-785695 \
|
|
--update-env-vars "NEURON_ORIGIN=${STAGE_URL}" \
|
|
--quiet
|
|
|
|
- name: Smoke test stage
|
|
run: |
|
|
set -euo pipefail
|
|
STAGE_URL="${{ steps.deploy-stage.outputs.stage_url }}"
|
|
echo "Smoke testing stage: ${STAGE_URL}"
|
|
|
|
for i in $(seq 1 18); do
|
|
STATUS=$(curl -sSo /dev/null -w "%{http_code}" --max-time 15 "${STAGE_URL}/" || echo "000")
|
|
echo "Attempt ${i}/18: HTTP ${STATUS}"
|
|
if [ "$STATUS" = "200" ]; then
|
|
echo "Stage smoke test PASSED — merge to main when ready"
|
|
exit 0
|
|
fi
|
|
sleep 5
|
|
done
|
|
|
|
echo "Stage smoke test FAILED"
|
|
exit 1
|
|
|
|
- name: Run automated test suite
|
|
run: |
|
|
set -euo pipefail
|
|
cd $GITHUB_WORKSPACE
|
|
npm ci --prefer-offline 2>/dev/null || npm install
|
|
npx playwright install chromium --with-deps
|
|
BASE_URL="${{ steps.deploy-stage.outputs.stage_url }}" \
|
|
npx playwright test --reporter=list
|