Refactor GitHub Actions workflow for building and deploying Docker images

OutboundSpade · OutboundSpade · commit 968e7c6550d3 · 2026-02-24T12:43:54.000-05:00
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -1,63 +1,117 @@
-name: Deploy to EC2
+name: Build and Deploy
 
 on:
   push:
     branches:
-      - dev
       - main
+  release:
+    types:
+      - published
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
 
 jobs:
-  deploy:
+  build-and-push:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Set environment variables
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Compute image tags
+        id: image
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+          RELEASE_PRERELEASE: ${{ github.event.release.prerelease }}
+          REPOSITORY: ${{ github.repository }}
+          SHA: ${{ github.sha }}
         run: |
-          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
-            echo "DEPLOY_DIR=/data/MusicCPRProd" >> $GITHUB_ENV
-            echo "IMAGE_NAME=backend:prod" >> $GITHUB_ENV
-            echo "CONTAINER_NAME=backend-prod" >> $GITHUB_ENV
-            echo "HOST_PORT=8001" >> $GITHUB_ENV
+          set -euo pipefail
+          image="ghcr.io/${REPOSITORY,,}"
+          short_sha="${SHA::12}"
+
+          tags=""
+
+          if [[ "$EVENT_NAME" == "push" ]]; then
+            tags="${image}:nightly"
+            tags+=$'\n'"${image}:sha-${short_sha}"
+          elif [[ "$EVENT_NAME" == "release" ]]; then
+            tags="${image}:${RELEASE_TAG}"
+            if [[ "$RELEASE_PRERELEASE" != "true" ]]; then
+              tags+=$'\n'"${image}:latest"
+            fi
           else
-            echo "DEPLOY_DIR=/data/MusicCPRDev" >> $GITHUB_ENV
-            echo "IMAGE_NAME=backend:dev" >> $GITHUB_ENV
-            echo "CONTAINER_NAME=backend-dev" >> $GITHUB_ENV
-            echo "HOST_PORT=8000" >> $GITHUB_ENV
+            echo "Unsupported event: $EVENT_NAME" >&2
+            exit 1
           fi
-      - name: Set up SSH
-        run: |
-          mkdir -p ~/.ssh
-          echo "${{ secrets.EC2_SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
-          chmod 600 ~/.ssh/id_rsa
-          ssh-keyscan -H ${{ secrets.EC2_HOST }} >> ~/.ssh/known_hosts
 
-      - name: Deploy to EC2
-        run: |
-          ssh ${{ secrets.EC2_USER }}@${{ secrets.EC2_HOST }} << 'EOF'
-            set -e
-            echo "Deploying to ${{ env.DEPLOY_DIR }}"
+          {
+            echo "image=$image"
+            echo "tags<<EOF"
+            echo "$tags"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
 
-            cd ${{ env.DEPLOY_DIR }}
+      - name: Build and push image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile.aws
+          push: true
+          platforms: ${{ vars.DOCKER_PLATFORMS != '' && vars.DOCKER_PLATFORMS || 'linux/amd64,linux/arm64' }}
+          tags: ${{ steps.image.outputs.tags }}
 
-            echo "Pulling latest changes..."
-            git pull origin ${{ github.ref_name }}
+  deploy-dev:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    needs: build-and-push
+    runs-on: ubuntu-latest
 
-            echo "Stopping and removing old container"
-            docker stop ${{ env.CONTAINER_NAME }} || true
-            docker rm ${{ env.CONTAINER_NAME }} || true
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ vars.AWS_REGION }}
 
-            echo "Removing old image"
-            docker rmi ${{ env.IMAGE_NAME }} || true
+      - name: Trigger ECS deployment (dev)
+        run: |
+          aws ecs update-service \
+            --cluster "${{ vars.ECS_DEV_CLUSTER }}" \
+            --service "${{ vars.ECS_DEV_SERVICE }}" \
+            --force-new-deployment
 
-            echo "Building new image..."
-            docker build -t ${{ env.IMAGE_NAME }} .
+  deploy-prod:
+    if: github.event_name == 'release' && github.event.release.prerelease == false
+    needs: build-and-push
+    runs-on: ubuntu-latest
 
-            echo "Starting new container..."
-            docker run -d --name ${{ env.CONTAINER_NAME }} \
-                  -p ${{ env.HOST_PORT }}:8000 \
-                  -v ./.env:/app/.env \
-                  --restart unless-stopped ${{ env.IMAGE_NAME }}
-          EOF
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Trigger ECS deployment (prod)
+        run: |
+          aws ecs update-service \
+            --cluster "${{ vars.ECS_PROD_CLUSTER }}" \
+            --service "${{ vars.ECS_PROD_SERVICE }}" \
+            --force-new-deployment
