From 68379dcf3a6964b00097a8ce71a34cf95aa61569 Mon Sep 17 00:00:00 2001 From: Kurdistan Tech Ministry Date: Fri, 8 May 2026 14:07:35 +0300 Subject: [PATCH] ci(deploy): mirror web build to pex.mom for geo-redundancy Split monolithic deploy job into bump-version + deploy-app + deploy-pex. Both deploys run in parallel from same build artifact, independent secrets per VPS. If one country blocks a domain, the other VPS keeps serving the same version. - bump-version: single source of version bump, runs before both deploys - deploy-app: existing target /var/www/subdomains/app on DEV VPS - deploy-pex: new target /var/www/pex.mom on VPS3 (217.77.6.126) Requires secrets: VPS_PEX_HOST, VPS_PEX_USER, VPS_PEX_SSH_KEY, VPS_PEX_SSH_PORT --- .github/workflows/quality-gate.yml | 56 ++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 6 deletions(-) diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index ee4a0d18..d3144e7b 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml @@ -75,13 +75,15 @@ jobs: path: web/dist/ # ======================================== - # DEPLOY WEB APP TO VPS + # VERSION BUMP (RUNS BEFORE BOTH DEPLOYS) # ======================================== - deploy: - name: Deploy Web + bump-version: + name: Bump Version runs-on: ubuntu-latest needs: [web, security-audit] if: github.ref == 'refs/heads/main' && github.event_name == 'push' + outputs: + new_version: ${{ steps.bump.outputs.version }} steps: - name: Checkout code 
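Review bot: The new `bump-version` job commits and pushes to `main` (the `git push` is in the next hunk) but declares no job-level `permissions:`, so the token it pushes with — the default GITHUB_TOKEN unless the checkout step, which is outside this hunk, supplies a PAT — carries whatever the workflow or repository default grants, and that same default now also flows to the two deploy jobs that only need to download an artifact and hold SSH secrets. Since the split isolates the only write-back into one job, scope it explicitly with `permissions:` / `contents: write` under `bump-version`, and give each deploy job `permissions: contents: read` so the VPS-facing jobs never hold a token that can push to `main`. If a top-level `permissions:` block already does this elsewhere in the file, a one-line comment above `bump-version` pointing at it would save the next reader the same check. The job's steps continue past the end of this hunk.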
@@ -101,23 +103,34 @@ jobs: git config user.email "github-actions[bot]@users.noreply.github.com" - name: Bump version + id: bump working-directory: ./web run: | npm version patch --no-git-tag-version VERSION=$(node -p "require('./package.json').version") - echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV + echo "version=$VERSION" >> $GITHUB_OUTPUT cd .. git add web/package.json git commit -m "chore(web): bump version to $VERSION [skip ci]" || echo "No version change" git push || echo "Nothing to push" + # ======================================== + # DEPLOY TO app.pezkuwichain.io (DEV VPS) + # ======================================== + deploy-app: + name: Deploy app.pezkuwichain.io + runs-on: ubuntu-latest + needs: [bump-version] + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + + steps: - name: Download build artifact uses: actions/download-artifact@v4 with: name: web-dist path: dist/ - - name: Deploy to VPS + - name: Deploy to DEV VPS uses: appleboy/scp-action@v1.0.0 with: host: ${{ secrets.VPS_HOST }} 
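Review bot: `git push || echo "Nothing to push"` in the Bump version step turns a rejected push (branch protection, a concurrent push to `main`, or a token without write access) into a green job, and because `deploy-app` (and `deploy-pex` in the next hunk) gate only on `needs: [bump-version]`, both then deploy and announce a version that was never committed. The same holds for `git commit ... || echo "No version change"`: `npm version patch` always rewrites package.json, so a failing commit here is an error rather than a no-op. Drop both fallbacks — `git commit -m "chore(web): bump version to $VERSION [skip ci]"` and `git push` — so a failed write-back stops the pipeline before either VPS is touched. The `if:` on `deploy-app` repeats the condition already on `bump-version`; in GitHub Actions a job whose `needs` dependency was skipped is itself skipped, so either remove it or add `# belt-and-braces: bump-version carries the same gate` to make the duplication deliberate. The `bump-version` job header is in the preceding hunk, outside this one.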
@@ -130,7 +143,38 @@ jobs: - name: Post-deploy notification run: | - echo "✅ Deployed web app v${{ env.NEW_VERSION }} to app.pezkuwichain.io" + echo "✅ Deployed v${{ needs.bump-version.outputs.new_version }} to app.pezkuwichain.io" + + # ======================================== + # DEPLOY TO pex.mom (VPS3 — geo-redundant mirror) + # ======================================== + deploy-pex: + name: Deploy pex.mom + runs-on: ubuntu-latest + needs: [bump-version] + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + + steps: + - name: Download build artifact + uses: actions/download-artifact@v4 + with: + name: web-dist + path: dist/ + + - name: Deploy to VPS3 + uses: appleboy/scp-action@v1.0.0 + with: + host: ${{ secrets.VPS_PEX_HOST }} + username: ${{ secrets.VPS_PEX_USER }} + key: ${{ secrets.VPS_PEX_SSH_KEY }} + port: ${{ secrets.VPS_PEX_SSH_PORT || 22 }} + source: 'dist/*' + target: '/var/www/pex.mom' + strip_components: 1 + + - name: Post-deploy notification + run: | + echo "✅ Deployed v${{ needs.bump-version.outputs.new_version }} to pex.mom" # ======================================== # SECURITY CHECKS (BLOCKING)