will.anderson
28c47c11c9
El repo is organized under lang/ — runtime and dist/platform binaries
are at lang/el-compiler/runtime/ and lang/dist/platform/, not at root.
Setting EL_HOME=$DEST/lang makes RUNTIME_SRC resolve correctly so
build-stage.sh can cp el_runtime.{c,h,js} from the right location.
278 lines
12 KiB
YAML
278 lines
12 KiB
YAML
name: Deploy marketing to Cloud Run
|
|
|
|
# Pipeline: build → stage → smoke test → prod
|
|
# Nothing reaches prod without passing the stage smoke test.
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- 'src/**'
|
|
- 'dist/**'
|
|
- 'runtime/**'
|
|
- 'Dockerfile.stage'
|
|
- 'build-stage.sh'
|
|
- '.gitea/workflows/deploy.yaml'
|
|
|
|
workflow_dispatch:
|
|
inputs:
|
|
tag:
|
|
description: 'Image tag to build and deploy (defaults to short SHA)'
|
|
required: false
|
|
type: string
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 60
|
|
|
|
permissions:
|
|
contents: read
|
|
id-token: write # needed for the OIDC token used by WIF
|
|
|
|
steps:
|
|
- name: Enforce stage-only source
|
|
# main only accepts merges from stage. Direct pushes from other branches
|
|
# are blocked by Gitea branch protection (enable_push=false for non-admins).
|
|
# workflow_dispatch is exempt to allow manual prod redeploy.
|
|
if: github.event_name != 'workflow_dispatch'
|
|
run: |
|
|
echo "Event: ${{ github.event_name }}, ref: ${{ github.ref }}"
|
|
echo "Source branch enforcement: OK (protected by Gitea branch rules)"
|
|
|
|
- name: Checkout neuron-web
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 2
|
|
|
|
- name: Detect change type
|
|
id: changetype
|
|
run: |
|
|
set -euo pipefail
|
|
CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || git diff --name-only HEAD 2>/dev/null || echo "unknown")
|
|
echo "Changed files:"
|
|
echo "$CHANGED"
|
|
# Asset-only: only src/assets/, src/shares/, src/index.html, src/about.html, src/terms.html, src/enterprise-terms.html, src/llms.txt
|
|
NON_ASSET=$(echo "$CHANGED" | grep -v '^src/assets/' | grep -v '^src/shares/' | grep -v '^src/index\.html' | grep -v '^src/about\.html' | grep -v '^src/terms\.html' | grep -v '^src/enterprise-terms\.html' | grep -v '^src/llms\.txt' | grep -v '^$' || true)
|
|
if [ -z "$NON_ASSET" ] && [ "$CHANGED" != "unknown" ]; then
|
|
echo "asset_only=true" >> "$GITHUB_OUTPUT"
|
|
echo "=> Asset-only change detected, will use fast path"
|
|
else
|
|
echo "asset_only=false" >> "$GITHUB_OUTPUT"
|
|
echo "=> Full build required"
|
|
fi
|
|
|
|
# foundation/el contains the elc compiler that build-stage.sh shells out
|
|
# to. We clone el directly with git rather than a second
|
|
# actions/checkout call — act_runner v0.6 in host mode hits a
|
|
# `permission denied` error on .git/objects/pack/*.idx when running
|
|
# two checkout steps in the same job. EL_HOME is pinned outside the
|
|
# workspace so the path build-stage.sh expects (../../foundation/el)
|
|
# resolves correctly.
|
|
- name: Clone el (foundation/el — provides the elc compiler)
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
env:
|
|
CHECKOUT_TOKEN: ${{ secrets.CHECKOUT_TOKEN }}
|
|
run: |
|
|
set -euo pipefail
|
|
DEST="${{ github.workspace }}/../foundation-el"
|
|
rm -rf "$DEST"
|
|
git clone --depth 1 \
|
|
"https://will:${CHECKOUT_TOKEN}@git.neuralplatform.ai/neuron-technologies/el.git" \
|
|
"$DEST"
|
|
ls -la "$DEST" | head -5
|
|
echo "EL_HOME=$DEST/lang" >> "$GITHUB_ENV"
|
|
|
|
- name: Authenticate to GCP
|
|
id: auth
|
|
uses: google-github-actions/auth@v2
|
|
with:
|
|
# Gitea Actions doesn't currently inject ACTIONS_ID_TOKEN_REQUEST_TOKEN,
|
|
# so the WIF (workload_identity_provider + service_account) path fails
|
|
# at runtime — google-github-actions/auth needs that env var to mint
|
|
# a Gitea OIDC token. Fall back to the JSON SA key for now. The WIF
|
|
# provider + IAM bindings remain in Terraform so we can flip back
|
|
# once Gitea closes the gap (or once we wire act_runner into a
|
|
# custom OIDC issuer).
|
|
credentials_json: ${{ secrets.GCP_SA_KEY }}
|
|
|
|
- name: Set up gcloud SDK
|
|
uses: google-github-actions/setup-gcloud@v2
|
|
with:
|
|
project_id: neuron-785695
|
|
|
|
- name: Configure docker auth for Artifact Registry
|
|
run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet
|
|
|
|
- name: Get elc (pre-built linux/amd64 from El SDK release)
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
run: |
|
|
set -euo pipefail
|
|
curl -fL -o "$EL_HOME/dist/platform/elc" \
|
|
https://git.neuralplatform.ai/neuron-technologies/el/releases/download/v1.2.1/elc-linux-amd64
|
|
chmod +x "$EL_HOME/dist/platform/elc"
|
|
file "$EL_HOME/dist/platform/elc"
|
|
ls -la "$EL_HOME/dist/platform/elc"
|
|
|
|
- name: Compute image tag
|
|
id: tag
|
|
run: |
|
|
TAG="${{ inputs.tag }}"
|
|
if [ -z "$TAG" ]; then TAG="ci-${GITHUB_SHA:0:8}"; fi
|
|
IMAGE="us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:${TAG}"
|
|
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
|
|
echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
|
|
echo "Will build and push: ${IMAGE}"
|
|
|
|
- name: Touch HTML placeholder files
|
|
# El binary regenerates these at startup via fs_write. They must exist
|
|
# in the build context for Dockerfile COPY to succeed.
|
|
run: touch src/index.html src/about.html src/terms.html src/enterprise-terms.html
|
|
|
|
- name: Build image (build-stage.sh)
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
env:
|
|
EXTRACT_JS: '1'
|
|
run: |
|
|
./build-stage.sh "${{ steps.tag.outputs.tag }}"
|
|
docker tag "marketing:${{ steps.tag.outputs.tag }}" "${{ steps.tag.outputs.image }}"
|
|
docker tag "marketing:${{ steps.tag.outputs.tag }}" "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:latest"
|
|
|
|
- name: Push image
|
|
if: steps.changetype.outputs.asset_only != 'true'
|
|
run: |
|
|
docker push "${{ steps.tag.outputs.image }}"
|
|
docker push "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:latest"
|
|
|
|
- name: Asset-only fast build
|
|
if: steps.changetype.outputs.asset_only == 'true'
|
|
env:
|
|
IMAGE: ${{ steps.tag.outputs.image }}
|
|
run: |
|
|
set -euo pipefail
|
|
# Pull existing image as base - no El compilation needed
|
|
LATEST="us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:latest"
|
|
docker pull "$LATEST"
|
|
# Build tiny patch image: just replace the assets layer
|
|
cat > /tmp/Dockerfile.assets <<'EOF'
|
|
ARG BASE
|
|
FROM ${BASE}
|
|
COPY src/assets /srv/landing/assets
|
|
COPY src/shares /srv/landing/shares
|
|
EOF
|
|
# Plain `docker build` — the gitea runner ships docker without
|
|
# the buildx plugin, so `docker buildx build --platform ...`
|
|
# exits 125 ("unknown flag: --platform"). The runner host is
|
|
# already linux/amd64 so cross-platform isn't needed here.
|
|
docker build \
|
|
--build-arg BASE="$LATEST" \
|
|
-f /tmp/Dockerfile.assets \
|
|
-t "marketing:${{ steps.tag.outputs.tag }}" \
|
|
-t "$IMAGE" \
|
|
-t "${LATEST%:*}:latest" \
|
|
.
|
|
docker push "$IMAGE"
|
|
docker push "${LATEST%:*}:latest"
|
|
echo "Fast asset build complete"
|
|
|
|
# ── Stage deployment ──────────────────────────────────────────────────────
|
|
# marketing-stage is a single-region Cloud Run service (us-central1).
|
|
# It uses stage-specific Stripe keys (sk_test_...) so checkout can be
|
|
# exercised safely. Prod deploy only runs after the smoke test below passes.
|
|
#
|
|
# --update-env-vars / --update-secrets merges with existing config so
|
|
# any manually-set values on the service are preserved across deploys.
|
|
|
|
- name: Deploy to marketing-stage
|
|
id: deploy-stage
|
|
env:
|
|
IMAGE: ${{ steps.tag.outputs.image }}
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
gcloud run deploy marketing-stage \
|
|
--image "$IMAGE" \
|
|
--region us-central1 \
|
|
--project neuron-785695 \
|
|
--service-account neuron-marketing-sa@neuron-785695.iam.gserviceaccount.com \
|
|
--update-env-vars "NODE_ENV=production,STRIPE_PUBLISHABLE_KEY=pk_test_51TPoHnJg9Fv1D3AUp1FEMcy4MGlKRZqs4scW66kjQFQjWofmNc2rottzXzDaXekHvuw1OQpyp2WCIsc7O5fXIG0G00HQQrkdGX,GCS_SHARE_BUCKET=neuron-shares-prod,SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im9jb2pzZ2hhb25sdHVuaWRrenB3Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3Nzc2NDIxNjgsImV4cCI6MjA5MzIxODE2OH0.e0FVFw1aahnrBVvnkR5R8a-RxCx095U8o_gsk7Quq3E,NEURON_LLM_0_FORMAT=anthropic,NEURON_LLM_0_MODEL=claude-sonnet-4-5,NEURON_LLM_0_URL=https://api.anthropic.com/v1/messages" \
|
|
--update-secrets "SUPABASE_SERVICE_KEY=supabase-service-key:latest,NEURON_LLM_0_KEY=anthropic-api-key:latest,ANTHROPIC_API_KEY=anthropic-api-key:latest,STRIPE_SECRET_KEY=stripe-secret-key-stage:latest,STRIPE_WEBHOOK_SECRET=stripe-webhook-secret-stage:latest,STRIPE_PRICE_PROFESSIONAL=stripe-price-professional-stage:latest,STRIPE_PRICE_FOUNDING=stripe-price-founding-stage:latest,STRIPE_PRICE_FAMILY_CHILD=stripe-price-family-child:latest,RESEND_API_KEY=resend-api-key:latest,DOCUSEAL_WEBHOOK_TOKEN=docuseal-webhook-token:latest" \
|
|
--allow-unauthenticated \
|
|
--quiet
|
|
|
|
# Get the stable Cloud Run URL and ensure NEURON_ORIGIN is set correctly.
|
|
# --update-env-vars is idempotent: no new revision is created if the
|
|
# value is already correct (i.e. on every deploy after the first).
|
|
STAGE_URL=$(gcloud run services describe marketing-stage \
|
|
--region us-central1 --project neuron-785695 \
|
|
--format 'value(status.url)')
|
|
echo "stage_url=${STAGE_URL}" >> "$GITHUB_OUTPUT"
|
|
echo "Stage URL: ${STAGE_URL}"
|
|
|
|
gcloud run services update marketing-stage \
|
|
--region us-central1 --project neuron-785695 \
|
|
--update-env-vars "NEURON_ORIGIN=${STAGE_URL}" \
|
|
--quiet
|
|
|
|
- name: Smoke test stage
|
|
run: |
|
|
set -euo pipefail
|
|
STAGE_URL="${{ steps.deploy-stage.outputs.stage_url }}"
|
|
echo "Smoke testing stage: ${STAGE_URL}"
|
|
|
|
# Poll up to 90s — container cold-start + El page compilation can take ~20s
|
|
for i in $(seq 1 18); do
|
|
STATUS=$(curl -sSo /dev/null -w "%{http_code}" --max-time 15 "${STAGE_URL}/" || echo "000")
|
|
echo "Attempt ${i}/18: HTTP ${STATUS}"
|
|
if [ "$STATUS" = "200" ]; then
|
|
echo "Stage smoke test PASSED"
|
|
exit 0
|
|
fi
|
|
sleep 5
|
|
done
|
|
|
|
echo "Stage smoke test FAILED — aborting prod deploy"
|
|
exit 1
|
|
|
|
# ── Prod deployment ───────────────────────────────────────────────────────
|
|
# Only runs if the stage smoke test above passed.
|
|
|
|
- name: Deploy to all marketing prod regions in parallel
|
|
env:
|
|
IMAGE: ${{ steps.tag.outputs.image }}
|
|
run: |
|
|
set -euo pipefail
|
|
deploy() {
|
|
local region="$1" svc="$2"
|
|
gcloud run deploy "$svc" \
|
|
--image "$IMAGE" \
|
|
--region "$region" \
|
|
--project neuron-785695 \
|
|
--quiet
|
|
}
|
|
deploy us-central1 marketing-prod-us &
|
|
deploy europe-west1 marketing-prod-eu &
|
|
deploy asia-northeast1 marketing-prod-apac &
|
|
wait
|
|
|
|
- name: Flip traffic to latest revision
|
|
run: |
|
|
set -euo pipefail
|
|
for r in us-central1:marketing-prod-us europe-west1:marketing-prod-eu asia-northeast1:marketing-prod-apac; do
|
|
REGION="${r%%:*}"; SVC="${r##*:}"
|
|
gcloud run services update-traffic "$SVC" \
|
|
--region "$REGION" --project neuron-785695 \
|
|
--to-latest --quiet
|
|
done
|
|
|
|
- name: Smoke check production endpoints
|
|
run: |
|
|
set -euo pipefail
|
|
for url in \
|
|
https://neurontechnologies.ai/ \
|
|
https://www.neurontechnologies.ai/ ; do
|
|
echo "GET $url"
|
|
curl -sSI "$url" | head -3
|
|
done
|
|
echo "Deployed tag: ${{ steps.tag.outputs.tag }}"
|