web-app/.github/workflows/deploy.yml at main · fieldtrack-tech/web-app · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
# .github/workflows/deploy.yml (web-app)
#
# Production deployment pipeline for the Next.js frontend.
#
# Design principles:
#   1. Triggered ONLY after CodeQL deep scan completes successfully on master.
#   2. Builds and exports Next.js as a static bundle (or SSR — see deploy step).
#   3. Runs typecheck + dep audit before any build.
#   4. manual workflow_dispatch retained for hotfix deploys.
#
# Pipeline order:
#   codeql-gate ─► validate ─► build ─► deploy
#

name: Web App — Deploy to Production

on:
  workflow_run:
    workflows: ["Web App — CodeQL (PR scan)"]
    types:
      - completed
    branches:
      - master
  workflow_dispatch:

# Never cancel an in-progress deployment.
concurrency:
  group: web-production-deploy
  cancel-in-progress: false

permissions:
  contents: read

jobs:
  # -------------------------------------------------------------------
  # JOB: codeql-gate
  # Ensures CodeQL scan passed before we deploy.
  # On workflow_dispatch (manual) the gate is skipped.
  # -------------------------------------------------------------------
  codeql-gate:
    name: CodeQL Security Gate
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      deploy_sha: ${{ steps.sha.outputs.deploy_sha }}
    steps:
      - name: Resolve deploy SHA
        id: sha
        run: |
          if [ "${{ github.event_name }}" = "workflow_run" ]; then
            echo "deploy_sha=${{ github.event.workflow_run.head_sha }}" >> "$GITHUB_OUTPUT"
          else
            echo "deploy_sha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Verify CodeQL scan passed
        if: github.event_name == 'workflow_run'
        run: |
          CONCLUSION="${{ github.event.workflow_run.conclusion }}"
          BRANCH="${{ github.event.workflow_run.head_branch }}"
          SHA="${{ github.event.workflow_run.head_sha }}"
          echo "CodeQL scan conclusion : $CONCLUSION"
          echo "Scanned commit SHA     : $SHA"
          echo "Head branch            : $BRANCH"
          if [ "$BRANCH" != "master" ]; then
            echo "::error::Deploy blocked — head_branch=$BRANCH (only master deploys to production)"
            exit 1
          fi
          if [ "$CONCLUSION" != "success" ]; then
            echo "::error::CodeQL scan did not pass (conclusion=$CONCLUSION)"
            echo "  Review findings: https://github.com/${{ github.repository }}/security/code-scanning"
            exit 1
          fi
          echo "✓ CodeQL gate passed — deploying SHA $SHA"

  # -------------------------------------------------------------------
  # JOB: validate
  # TypeScript check + dependency audit.
  # -------------------------------------------------------------------
  validate:
    name: Validate (typecheck + audit)
    runs-on: ubuntu-latest
    needs: [codeql-gate]
    timeout-minutes: 10
    env:
      NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL || 'https://placeholder.supabase.co' }}
      NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY || 'placeholder-anon-key' }}
      NEXT_PUBLIC_API_BASE_URL: ${{ secrets.NEXT_PUBLIC_API_BASE_URL || 'http://localhost:3001' }}
      NEXT_TELEMETRY_DISABLED: "1"
    steps:
      - uses: actions/checkout@v5
        with:
          ref: ${{ needs.codeql-gate.outputs.deploy_sha }}

      - uses: actions/setup-node@v5
        with:
          node-version: '24'
          cache: npm
          cache-dependency-path: package-lock.json

      - name: Install dependencies
        run: |
          for attempt in 1 2 3; do
            npm ci && break
            [ $attempt -eq 3 ] && { echo "::error::npm ci failed after 3 attempts"; exit 1; }
            echo "Attempt $attempt failed — retrying in 15s..."; sleep 15
          done

      - name: TypeScript check
        run: npm run typecheck

      - name: Dependency audit
        run: npm audit --audit-level=high || true

  # -------------------------------------------------------------------
  # JOB: build
  # Production Next.js build. Fails fast if the build breaks.
  # -------------------------------------------------------------------
  build:
    name: Build (Next.js production)
    runs-on: ubuntu-latest
    needs: [codeql-gate, validate]
    timeout-minutes: 20
    env:
      NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
      NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
      NEXT_PUBLIC_API_BASE_URL: ${{ secrets.NEXT_PUBLIC_API_BASE_URL }}
      NEXT_TELEMETRY_DISABLED: "1"
      NODE_ENV: production
    steps:
      - uses: actions/checkout@v5
        with:
          ref: ${{ needs.codeql-gate.outputs.deploy_sha }}

      - uses: actions/setup-node@v5
        with:
          node-version: '24'
          cache: npm
          cache-dependency-path: package-lock.json

      - name: Install dependencies
        run: npm ci

      - name: Build Next.js
        run: npm run build

      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          name: nextjs-build
          path: .next
          retention-days: 1

  # -------------------------------------------------------------------
  # JOB: deploy
  # Replace this step with your actual deploy mechanism
  # (Vercel CLI, SSH rsync, Docker image push, etc.)
  # -------------------------------------------------------------------
  deploy:
    name: Deploy to Production
    runs-on: ubuntu-latest
    needs: [codeql-gate, build]
    timeout-minutes: 15
    environment:
      name: production
    steps:
      - uses: actions/checkout@v5
        with:
          ref: ${{ needs.codeql-gate.outputs.deploy_sha }}

      - name: Download build artifact
        uses: actions/download-artifact@v4
        with:
          name: nextjs-build
          path: .next

      # ── Replace the step below with your deploy target ────────────
      # Examples:
      #   Vercel:   npx vercel --prod --token ${{ secrets.VERCEL_TOKEN }}
      #   SSH/rsync: rsync -az web-app/.next user@host:/var/www/webapp
      #   Docker:   docker build -t webapp && docker push
      - name: Deploy (placeholder — configure for your target)
        run: |
          echo "::notice::Deploy step is a placeholder."
          echo "Replace with Vercel CLI, SSH/rsync, or Docker push as needed."
          echo "Deploying SHA: ${{ needs.codeql-gate.outputs.deploy_sha }}"