Add workflows for deployment

.github/workflows/deploy-production.yml

@@ -0,0 +1,23 @@
+name: Deploy to Pyris Production
+
+on:
+  workflow_dispatch:
+    inputs:
+      docker-tag:
+        description: 'Docker tag to deploy (e.g. 1.0.0 or latest, default: latest)'
+        required: true
+        default: 'latest'
+      branch-name:
+        description: 'Branch name to deploy (default: main)'
+        required: true
+        default: 'main'
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/deploy.yml
+    with:
+      docker-tag: latest
+      branch-name: main
+      environment-name: Pyris Production
+      environment-url: https://pyris.artemis.cit.tum.de
+    secrets: inherit

.github/workflows/deploy-test.yml

@@ -0,0 +1,172 @@
+name: Deploy to Pyris Test
+
+on:
+  pull_request:
+    types: [labeled]
+
+jobs:
+  # Get an up to date version of the label list. github.event.pull_request.labels seems to sometimes be outdated
+  # if the run was waiting for a while, which can cause duplicate deployments
+  get-labels:
+    runs-on: ubuntu-latest
+    outputs:
+      labels: ${{ steps.get-labels.outputs.result }}
+    steps:
+      - name: Get PR labels
+        id: get-labels
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const response = await github.rest.issues.listLabelsOnIssue({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number
+            })
+            const labels = response.data
+            return labels.map(label => label.name)
+
+
+  # Check that the build job has run successfully before deploying
+  check-build-status:
+    needs: [ get-labels ]
+    runs-on: ubuntu-latest
+    # Only run workflow if the added label is a deploy label
+    if: contains(needs.get-labels.outputs.labels, 'deploy:pyris-test')
+    steps:
+      - name: Get latest successful build for branch
+        id: check_build
+        uses: octokit/[email protected]
+        with:
+          route: GET /repos/${{ github.repository }}/actions/workflows/build.yml/runs?event=pull_request&status=success&head_sha=${{ github.event.pull_request.head.sha }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Remove deployment-error label if new run is started
+      - uses: actions-ecosystem/action-remove-labels@v1
+        if: fromJSON(steps.check_build.outputs.data).total_count > 0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          labels: |
+            deployment-error
+
+      # In case of invalid build status, remove deploy labels
+      - uses: actions-ecosystem/action-remove-labels@v1
+        if: fromJSON(steps.check_build.outputs.data).total_count == 0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          labels: |
+            deploy:pyris-test
+
+      - name: Check if latest push had successful build
+        if: fromJSON(steps.check_build.outputs.data).total_count == 0
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '### ❌ Unable to deploy to test server ❌\nThe docker build needs to run through before deploying.'
+            })
+            core.setFailed('The build needs to run through first. Please wait for the build to finish and then try again.')
+
+  # Compute the tag to use for the docker image
+  compute-tag:
+    needs: [ check-build-status ]
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.compute-tag.outputs.result }}
+    steps:
+      - name: Compute Tag
+        uses: actions/github-script@v6
+        id: compute-tag
+        with:
+          result-encoding: string
+          script: |
+            if (context.eventName === "pull_request") {
+              return "pr-" + context.issue.number;
+            }
+            if (context.eventName === "release") {
+              return "latest";
+            }
+            if (context.eventName === "push") {
+              if (context.ref.startsWith("refs/tags/")) {
+                return context.ref.slice(10);
+              }
+              if (context.ref === "refs/heads/develop") {
+                return "develop";
+              }
+            }
+            return "FALSE";
+
+  # Run pre-deployment steps
+  pre-deployment:
+    needs: [ compute-tag ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions-ecosystem/action-remove-labels@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          labels: |
+            deploy:pyris-test
+
+      - name: Check "lock:pyris-test" label
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const opts = github.rest.issues.listForRepo.endpoint.merge({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: ['lock:pyris-test']
+            })
+            const issues = await github.paginate(opts)
+            if (issues.length == 1 && (!context.issue || issues[0].number != context.issue.number)) {
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: `### ❌ Unable to deploy to test server ❌\nPyris Testserver is already in use by PR #${issues[0].number}.`
+              })
+              core.setFailed(`Pyris Testserver is already in use by PR #${issues[0].number}.`);
+            } else if (issues.length > 1) {
+              github.rest.issues.createComment({
+                  issue_number: context.issue.number,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  body: '### ❌ Unable to deploy to test server ❌\nPyris Testserver is already in use by multiple PRs. Check PRs with label "lock:pyris-test"!'
+                })
+              core.setFailed('Pyris Testserver is already in use by multiple PRs. Check PRs with label "lock:pyris-test"!');
+            } else if (context.issue && context.issue.number) {
+              await github.rest.issues.addLabels({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                labels: ['lock:pyris-test']
+              })
+            }
+
+  # Deploy to the test servers
+  deploy:
+    needs: [ pre-deployment ]
+    uses: ./.github/workflows/deploy.yml
+    with:
+      docker-tag: ${{ needs.compute-tag.outputs.tag }}
+      branch-name: ${{ github.event.pull_request.head.ref }}
+      environment-name: Pyris Test
+      environment-url: https://pyris-test.artemis.cit.tum.de
+    secrets: inherit
+
+
+  # Check that the build job has run successfully otherwise add an error label
+  add-error-label:
+    needs: [ check-build-status, compute-tag, pre-deployment, deploy ]
+    runs-on: ubuntu-latest
+    if: ${{ failure() }}
+    steps:
+      - name: Add error label
+        uses: actions-ecosystem/action-add-labels@v1
+        with:
+          labels: deployment-error

.github/workflows/deploy.yml

@@ -0,0 +1,72 @@
+name: Deploy
+
+on:
+  workflow_call:
+    inputs:
+      docker-tag:
+        required: true
+        type: string
+      branch-name:
+        required: true
+        type: string
+      environment-name:
+        required: true
+        type: string
+      environment-url:
+        required: true
+        type: string
+    secrets:
+      DEPLOYMENT_GATEWAY_SSH_KEY:
+        required: true
+
+concurrency: deploy
+
+env:
+  RAW_URL: https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}
+
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    environment:
+      name: ${{ inputs.environment-name }}
+      url: ${{ inputs.environment-url }}
+
+    env:
+      DOCKER_TAG: ${{ inputs.docker-tag }}
+      BRANCH_NAME: ${{ inputs.branch-name }}
+      DEPLOYMENT_USER: ${{ vars.DEPLOYMENT_USER }}
+      DEPLOYMENT_HOST: ${{ vars.DEPLOYMENT_HOST }}
+      DEPLOYMENT_FOLDER: ${{ vars.DEPLOYMENT_FOLDER }}
+      DEPLOYMENT_HOST_PUBLIC_KEYS: ${{ vars.DEPLOYMENT_HOST_PUBLIC_KEYS }}
+      GATEWAY_USER: "jump"
+      GATEWAY_HOST: "gateway.artemis.in.tum.de:2010"
+      GATEWAY_HOST_PUBLIC_KEY: "[gateway.artemis.in.tum.de]:2010 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtTLiKRILjKZ+Qg4ReWKsG7mLDXkzHfeY5nalSQUNQ4"
+
+    steps:
+      # Download pyris-server-cli from GH without cloning the Repo
+      - name: Fetch Pyris CLI
+        run: |
+          wget ${{ env.RAW_URL }}/pyris-server-cli
+          chmod +x pyris-server-cli
+
+      # Configure SSH Key
+      - name: Setup SSH Keys and known_hosts
+        env:
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+          GATEWAY_SSH_KEY: "${{ secrets.DEPLOYMENT_GATEWAY_SSH_KEY }}"
+          DEPLOYMENT_SSH_KEY: "${{ secrets.DEPLOYMENT_SSH_KEY }}"
+        run: |
+          mkdir -p ~/.ssh
+          ssh-agent -a $SSH_AUTH_SOCK > /dev/null
+          ssh-add - <<< $GATEWAY_SSH_KEY
+          ssh-add - <<< $DEPLOYMENT_SSH_KEY
+          cat - <<< $GATEWAY_HOST_PUBLIC_KEY >> ~/.ssh/known_hosts
+          cat - <<< $(sed 's/\\n/\n/g' <<< "$DEPLOYMENT_HOST_PUBLIC_KEYS") >> ~/.ssh/known_hosts
+
+      - name: Deploy Pyris with Docker
+        env:
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+        run: |
+          ./pyris-server-cli docker-deploy "$DEPLOYMENT_USER@$DEPLOYMENT_HOST" -g "$GATEWAY_USER@$GATEWAY_HOST" -t $DOCKER_TAG -b $BRANCH_NAME -d $DEPLOYMENT_FOLDER -y