name: Redeploy Docker Compose on: push: branches: - main jobs: redeploy: runs-on: ubuntu-latest env: DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} DEPLOY_PORT: ${{ secrets.DEPLOY_PORT }} DEPLOY_USER: ${{ secrets.DEPLOY_USER }} DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }} DEPLOY_BRANCH: main SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} steps: - name: Install SSH client tools shell: bash run: | set -euo pipefail if command -v apk >/dev/null 2>&1; then apk add --no-cache openssh-client elif command -v apt-get >/dev/null 2>&1; then apt-get update apt-get install -y --no-install-recommends openssh-client elif command -v dnf >/dev/null 2>&1; then dnf install -y openssh-clients else echo "No supported package manager found to install ssh-keyscan." exit 1 fi - name: Validate required secrets shell: bash run: | set -euo pipefail : "${DEPLOY_PORT:=22}" missing=0 for key in DEPLOY_HOST DEPLOY_USER DEPLOY_PATH SSH_PRIVATE_KEY; do if [ -z "${!key:-}" ]; then echo "Missing required secret: $key" missing=1 fi done if [ "$missing" -ne 0 ]; then exit 1 fi - name: Configure SSH key shell: bash run: | set -euo pipefail : "${DEPLOY_PORT:=22}" mkdir -p ~/.ssh chmod 700 ~/.ssh printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 ssh-keyscan -p "$DEPLOY_PORT" -H "$DEPLOY_HOST" >> ~/.ssh/known_hosts chmod 644 ~/.ssh/known_hosts - name: Redeploy on remote host shell: bash run: | set -euo pipefail : "${DEPLOY_PORT:=22}" ssh -p "$DEPLOY_PORT" "$DEPLOY_USER@$DEPLOY_HOST" \ "DEPLOY_PATH='$DEPLOY_PATH' DEPLOY_BRANCH='$DEPLOY_BRANCH' bash -se" <<'EOF' set -euo pipefail cd "$DEPLOY_PATH" git fetch origin "$DEPLOY_BRANCH" git checkout "$DEPLOY_BRANCH" git pull --ff-only origin "$DEPLOY_BRANCH" docker compose pull docker compose up -d --build --remove-orphans EOF