Add Phase 6: production Docker & deployment pipeline

Fix CI/CD workflows to map GCP Secret Manager secrets, add GCS storage
env vars, service account binding, and post-deploy health checks. Add
manual deploy targets (push-api, push-web, deploy-api, deploy-web) to
Makefile. Fix Terraform to include WIKI_STORAGE_BACKEND and GCS_BUCKET
env vars, remove incorrect runtime secrets from web module. Add scripts
copy and healthcheck to backend Dockerfile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: 2 people

.github/workflows/deploy-api.yml

@@ -71,7 +71,21 @@ jobs:
             --memory=2Gi
             --min-instances=0
             --max-instances=3
-            --set-env-vars=ENVIRONMENT=production
+            --service-account=runtime-sa@gitunderstand.iam.gserviceaccount.com
+            --set-env-vars=ENVIRONMENT=production,WIKI_STORAGE_BACKEND=gcs,GCS_BUCKET_NAME=gitunderstand-wikicache
+            --set-secrets=GOOGLE_API_KEY=google-api-key:latest,OPENAI_API_KEY=openai-api-key:latest,CLERK_SECRET_KEY=clerk-secret-key:latest,SUPABASE_URL=supabase-url:latest,SUPABASE_SERVICE_ROLE_KEY=supabase-service-role-key:latest
+
+      - name: Verify deployment health
+        run: |
+          URL=$(gcloud run services describe ${{ env.SERVICE_NAME }} --region ${{ env.REGION }} --format 'value(status.url)')
+          for i in 1 2 3 4 5; do
+            STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$URL/health" || echo "000")
+            if [ "$STATUS" = "200" ]; then echo "Health check passed"; exit 0; fi
+            echo "Attempt $i: status=$STATUS, retrying..."
+            sleep 10
+          done
+          echo "Health check failed after 5 attempts"
+          exit 1
 
       - name: Show deployment URL
         run: |

.github/workflows/deploy-web.yml

@@ -61,6 +61,8 @@ jobs:
           build-args: |
             SERVER_BASE_URL=${{ secrets.SERVER_BASE_URL }}
             NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=${{ secrets.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+            NEXT_PUBLIC_SUPABASE_URL=${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+            NEXT_PUBLIC_SUPABASE_ANON_KEY=${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
           cache-from: type=gha,scope=web
           cache-to: type=gha,mode=max,scope=web
 
@@ -77,7 +79,20 @@ jobs:
             --memory=512Mi
             --min-instances=0
             --max-instances=5
-            --set-env-vars=ENVIRONMENT=production
+            --service-account=runtime-sa@gitunderstand.iam.gserviceaccount.com
+            --set-env-vars=ENVIRONMENT=production,NODE_ENV=production
+
+      - name: Verify deployment health
+        run: |
+          URL=$(gcloud run services describe ${{ env.SERVICE_NAME }} --region ${{ env.REGION }} --format 'value(status.url)')
+          for i in 1 2 3 4 5; do
+            STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$URL/" || echo "000")
+            if [ "$STATUS" = "200" ]; then echo "Health check passed"; exit 0; fi
+            echo "Attempt $i: status=$STATUS, retrying..."
+            sleep 10
+          done
+          echo "Health check failed after 5 attempts"
+          exit 1
 
       - name: Show deployment URL
         run: |

Makefile

@@ -5,6 +5,7 @@
 ## ============================================================
 
 .PHONY: dev dev-api dev-web test test-api lint build-api build-web \
+        push-api push-web deploy-api deploy-web deploy \
         infra-plan infra-apply ingest ingest-batch ingest-batch-skip \
         ingest-dry-run spec help
 
@@ -38,6 +39,45 @@ build-api: ## Build the backend Docker image
 build-web: ## Build the frontend Docker image
 	docker build -f docker/Dockerfile.frontend -t gitunderstand-web .
 
+## ------ Docker Push (to Artifact Registry) ---------------------
+
+push-api: build-api ## Build & push API image to GAR
+	docker tag gitunderstand-api us-central1-docker.pkg.dev/gitunderstand/bettercodewiki/api:latest
+	docker push us-central1-docker.pkg.dev/gitunderstand/bettercodewiki/api:latest
+
+push-web: build-web ## Build & push Web image to GAR
+	docker tag gitunderstand-web us-central1-docker.pkg.dev/gitunderstand/bettercodewiki/web:latest
+	docker push us-central1-docker.pkg.dev/gitunderstand/bettercodewiki/web:latest
+
+## ------ Deploy (manual gcloud) ---------------------------------
+
+deploy-api: ## Deploy API to Cloud Run (uses latest GAR image)
+	gcloud run deploy gitunderstand-api \
+		--image us-central1-docker.pkg.dev/gitunderstand/bettercodewiki/api:latest \
+		--region us-central1 \
+		--platform managed \
+		--allow-unauthenticated \
+		--service-account runtime-sa@gitunderstand.iam.gserviceaccount.com \
+		--port 8001 \
+		--cpu 1 --memory 2Gi \
+		--min-instances 0 --max-instances 3 \
+		--set-env-vars "ENVIRONMENT=production,WIKI_STORAGE_BACKEND=gcs,GCS_BUCKET_NAME=gitunderstand-wikicache" \
+		--set-secrets "GOOGLE_API_KEY=google-api-key:latest,OPENAI_API_KEY=openai-api-key:latest,CLERK_SECRET_KEY=clerk-secret-key:latest,SUPABASE_URL=supabase-url:latest,SUPABASE_SERVICE_ROLE_KEY=supabase-service-role-key:latest"
+
+deploy-web: ## Deploy Web to Cloud Run (uses latest GAR image)
+	gcloud run deploy gitunderstand-web \
+		--image us-central1-docker.pkg.dev/gitunderstand/bettercodewiki/web:latest \
+		--region us-central1 \
+		--platform managed \
+		--allow-unauthenticated \
+		--service-account runtime-sa@gitunderstand.iam.gserviceaccount.com \
+		--port 3000 \
+		--cpu 1 --memory 512Mi \
+		--min-instances 0 --max-instances 5 \
+		--set-env-vars "ENVIRONMENT=production,NODE_ENV=production"
+
+deploy: deploy-api deploy-web ## Deploy both services to Cloud Run
+
 ## ------ Infrastructure (Terraform) ---------------------------
 
 infra-plan: ## Preview Terraform changes for production

docker/Dockerfile.backend

@@ -45,6 +45,7 @@ ENV PATH="/opt/venv/bin:$PATH"
 
 # Copy application code
 COPY api/ ./api/
+COPY scripts/ ./scripts/
 
 # Create non-root user
 RUN groupadd --system --gid 1001 apiuser && \
@@ -59,4 +60,7 @@ EXPOSE 8001
 ENV PORT=8001
 ENV NODE_ENV=production
 
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s \
+  CMD curl -f http://localhost:8001/health || exit 1
+
 CMD ["python", "-m", "api.main"]

docker/docker-compose.yml

@@ -37,6 +37,8 @@ services:
       - PORT=8001
       - NODE_ENV=development
       - LOG_LEVEL=${LOG_LEVEL:-INFO}
+      - WIKI_STORAGE_BACKEND=${WIKI_STORAGE_BACKEND:-local}
+      - GCS_BUCKET_NAME=${GCS_BUCKET_NAME:-gitunderstand-wikicache}
     env_file:
       - ../.env
     volumes:

infra/environments/prod/main.tf

@@ -84,14 +84,16 @@ module "api" {
   service_account       = var.runtime_sa_email
 
   env_vars = {
-    ENVIRONMENT = "production"
+    ENVIRONMENT          = "production"
+    WIKI_STORAGE_BACKEND = "gcs"
+    GCS_BUCKET_NAME      = "gitunderstand-wikicache"
   }
 
   secret_env_vars = {
-    GOOGLE_API_KEY           = "google-api-key"
-    OPENAI_API_KEY           = "openai-api-key"
-    CLERK_SECRET_KEY         = "clerk-secret-key"
-    SUPABASE_URL             = "supabase-url"
+    GOOGLE_API_KEY            = "google-api-key"
+    OPENAI_API_KEY            = "openai-api-key"
+    CLERK_SECRET_KEY          = "clerk-secret-key"
+    SUPABASE_URL              = "supabase-url"
     SUPABASE_SERVICE_ROLE_KEY = "supabase-service-role-key"
   }
 
@@ -122,11 +124,9 @@ module "web" {
     ENVIRONMENT = "production"
   }
 
-  secret_env_vars = {
-    NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY = "clerk-publishable-key"
-    SUPABASE_URL                      = "supabase-url"
-    SUPABASE_ANON_KEY                 = "supabase-anon-key"
-  }
+  # NEXT_PUBLIC_* vars and SERVER_BASE_URL are baked in at Docker build time.
+  # No runtime secrets needed for the frontend service.
+  secret_env_vars = {}
 
   depends_on = [module.secrets]
 }