deemanone/beanflows
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5d7d53a260b67de3cb49429d0387bcd812254573
beanflows/.gitlab/.gitlab-ci.yml
Deeman 520da2c920 feat(ci): switch to pull-based deploy via git tags 
Replace push-based SSH deploy (deploy:web stage with SSH credentials +
individual env var injection) with tag-based pull deploy:

- Add `tag` stage: creates v${CI_PIPELINE_IID} tag using CI_JOB_TOKEN
- Remove all SSH variables (SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, DEPLOY_USER,
  DEPLOY_HOST) and all individual secret variables from CI
- Zero deploy secrets in CI — only CI_JOB_TOKEN (built-in) needed

Deployment is now handled by the on-server supervisor (src/materia/supervisor.py)
which polls for new v* tags every 60s and runs web/deploy.sh automatically.
Secrets live in .env.prod.sops (git-committed, age-encrypted), decrypted at
deploy time by deploy.sh — never stored in GitLab CI variables.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 11:10:06 +01:00

81 lines
1.6 KiB
YAML
Raw Blame History

image: python:3.13
stages:
- test
- tag
variables:
UV_CACHE_DIR: "$CI_PROJECT_DIR/.uv-cache"
cache:
paths:
- .uv-cache/
.uv_setup: &uv_setup
- curl -LsSf https://astral.sh/uv/install.sh | sh
- export PATH="$HOME/.cargo/bin:$PATH"
- source $HOME/.local/bin/env
workflow:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
# --- Data platform ---
test:cli:
stage: test
before_script:
- *uv_setup
script:
- uv sync
- uv run pytest tests
rules:
- changes:
- src/**/*
- tests/**/*
- pyproject.toml
test:sqlmesh:
stage: test
before_script:
- *uv_setup
script:
- uv sync
- cd transform/sqlmesh_materia && uv run sqlmesh test
rules:
- changes:
- transform/**/*
# --- Web app ---
test:web:
stage: test
before_script:
- *uv_setup
script:
- uv sync
- cd web && uv run pytest tests/ -x -q
- cd web && uv run ruff check src/ tests/
rules:
- changes:
- web/**/*
# --- Deploy (pull-based via supervisor) ---
# The on-server supervisor (src/materia/supervisor.py) polls for new tags
# every 60s and deploys automatically when a new v<N> tag appears.
# No SSH keys, no deploy credentials needed in CI.
tag:
stage: tag
image: alpine:latest
needs: []
before_script:
- apk add --no-cache git
script:
- git tag "v${CI_PIPELINE_IID}"
- git push "https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" "v${CI_PIPELINE_IID}"
rules:
- if: $CI_COMMIT_BRANCH == "master"
Reference in New Issue View Git Blame Copy Permalink