`apps/web/vite.config.ts` now injects three build-time constants via
`define`: `__APP_VERSION__` (root package.json), `__APP_COMMIT__`
(GIT_SHA env > local `git rev-parse` > 'dev'), `__BUILD_TIME__` (ISO
timestamp at build). They're declared in `apps/web/src/global.d.ts`
and re-exported through `$lib/version` — components consume the named
exports rather than the magic globals so an accidental tree-shake
would break the test, not the page silently.
`/settings` gains an "About" section at the bottom: a small chip
`v{version} · {commit} · {date}` in muted text. Not interactive,
purely diagnostic — useful when a user reports a bug from a stale
PWA install.
Deploy pipeline:
- `apps/web/Dockerfile` accepts a `GIT_SHA` build arg and exports
it as an env var for the SvelteKit build step.
- `infra/docker-compose.erosi.yml` forwards `${GIT_SHA:-dev}` into
the build args.
- `infra/scripts/deploy-erosi.sh` captures `git rev-parse --short
HEAD` locally (the deploy host has .git; the remote doesn't —
rsync excludes it) and forwards it via `ssh ... env GIT_SHA=…`
so the remote `docker compose build` sees it.
V-01/V-02 vitest: stub the three globals via `vi.stubGlobal` (vitest
doesn't run through the main vite.config so `define` isn't applied),
assert the named exports thread through and never collapse to
undefined or the 'dev' sentinel under a real build.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
173 lines
6.9 KiB
Bash
Executable File
173 lines
6.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Deploy the full stack to ambrosio.
|
|
#
|
|
# Usage: infra/scripts/deploy-erosi.sh
|
|
# Env: DEPLOY_HOST=ambrosio (override if needed)
|
|
# DEPLOY_PATH=/opt/colectivo
|
|
#
|
|
# First run:
|
|
# 1. rsyncs repo → ambrosio:/opt/colectivo/
|
|
# 2. if .env doesn't exist on server, generates secrets and writes it with
|
|
# placeholder values the operator must fill in (external Keycloak URL,
|
|
# Keycloak client secret)
|
|
# 3. docker compose build + up -d
|
|
# 4. applies DB migrations
|
|
#
|
|
# Internal edge is a Caddy container listening on host port 3000 — the
|
|
# external proxy (TLS terminator, off-stack) forwards plain HTTP to
|
|
# ambrosio:3000. This script never touches the host reverse-proxy config —
|
|
# it only manages the Docker stack.
|
|
#
|
|
# Subsequent runs: rsync + rebuild app + rolling restart.
|
|
|
|
set -euo pipefail
|
|
|
|
DEPLOY_HOST="${DEPLOY_HOST:-ambrosio}"
|
|
DEPLOY_PATH="${DEPLOY_PATH:-/opt/colectivo}"
|
|
REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
|
|
|
|
# Fase 14.3.5 — capture the short git sha on the deploy host (this
|
|
# machine) so it can be baked into the built app bundle as
|
|
# `__APP_COMMIT__`. We do it here rather than on ambrosio because we
|
|
# rsync without `.git`, so the remote can't run `git rev-parse`.
|
|
GIT_SHA="$(cd "$REPO_ROOT" && git rev-parse --short HEAD 2>/dev/null || echo dev)"
|
|
|
|
echo "==> Deploying to $DEPLOY_HOST:$DEPLOY_PATH (commit $GIT_SHA)"
|
|
|
|
# ── 1. Ensure target dir exists ────────────────────────────────────────────
|
|
ssh "$DEPLOY_HOST" "sudo mkdir -p $DEPLOY_PATH && sudo chown \$(id -u):\$(id -g) $DEPLOY_PATH"
|
|
|
|
# ── 2. rsync repo (excluding node_modules / build artefacts / local env) ──
|
|
rsync -az --delete \
|
|
--exclude '.git' \
|
|
--exclude 'node_modules' \
|
|
--exclude '.svelte-kit' \
|
|
--exclude 'apps/web/build' \
|
|
--exclude 'apps/web/.vite' \
|
|
--exclude '**/*.log' \
|
|
--exclude '**/.env' \
|
|
--exclude '**/.env.development' \
|
|
--exclude '**/.env.local' \
|
|
--exclude 'lighthouse-report.html' \
|
|
--exclude 'coverage' \
|
|
--exclude 'test-results' \
|
|
--exclude 'playwright-report' \
|
|
"$REPO_ROOT/" "$DEPLOY_HOST:$DEPLOY_PATH/"
|
|
|
|
# ── 3. Bootstrap secrets on first run; sanity-check placeholders every run ─
|
|
ssh "$DEPLOY_HOST" bash -s << 'REMOTE'
|
|
set -euo pipefail
|
|
cd /opt/colectivo
|
|
|
|
if [ ! -f .env ]; then
|
|
echo "--- First deploy: generating secrets"
|
|
|
|
# JWT triplet (anon + service_role)
|
|
JWT_OUT=$(bash infra/scripts/rotate-jwt.sh)
|
|
SUPABASE_JWT_SECRET=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_JWT_SECRET=/{print substr($0, index($0,$2))}')
|
|
PUBLIC_SUPABASE_ANON_KEY=$(echo "$JWT_OUT" | awk -F= '/^PUBLIC_SUPABASE_ANON_KEY=/{print substr($0, index($0,$2))}')
|
|
SUPABASE_SERVICE_ROLE_KEY=$(echo "$JWT_OUT" | awk -F= '/^SUPABASE_SERVICE_ROLE_KEY=/{print substr($0, index($0,$2))}')
|
|
|
|
# Postgres + Realtime secrets
|
|
POSTGRES_PASSWORD=$(openssl rand -hex 24)
|
|
REALTIME_ENC_KEY=$(openssl rand -hex 8) # 16 chars
|
|
REALTIME_SECRET_KEY_BASE=$(openssl rand -hex 48) # 96 chars
|
|
|
|
cat > .env <<EOF
|
|
# Generated on $(date -u +%Y-%m-%dT%H:%M:%SZ). Keep this file mode 600.
|
|
PUBLIC_APP_URL=https://erosi.limonia.net
|
|
PUBLIC_SUPABASE_URL=https://erosi.limonia.net
|
|
|
|
# External Keycloak — FILL THESE IN before the stack will boot usefully.
|
|
PUBLIC_KEYCLOAK_URL=FILL_IN_KEYCLOAK_URL
|
|
PUBLIC_KEYCLOAK_REALM=colectivo
|
|
PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web
|
|
KEYCLOAK_CLIENT_SECRET=FILL_IN_CLIENT_SECRET
|
|
|
|
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
|
|
|
|
SUPABASE_JWT_SECRET=$SUPABASE_JWT_SECRET
|
|
PUBLIC_SUPABASE_ANON_KEY=$PUBLIC_SUPABASE_ANON_KEY
|
|
SUPABASE_SERVICE_ROLE_KEY=$SUPABASE_SERVICE_ROLE_KEY
|
|
|
|
REALTIME_ENC_KEY=$REALTIME_ENC_KEY
|
|
REALTIME_SECRET_KEY_BASE=$REALTIME_SECRET_KEY_BASE
|
|
EOF
|
|
chmod 600 .env
|
|
echo "--- Wrote .env (mode 600)."
|
|
echo " Fill in: PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET"
|
|
echo " then re-run this script."
|
|
exit 0
|
|
fi
|
|
|
|
# Every deploy: fail fast if the operator didn't finish the .env.
|
|
if grep -q '^PUBLIC_KEYCLOAK_URL=FILL_IN_' .env \
|
|
|| grep -q '^KEYCLOAK_CLIENT_SECRET=FILL_IN_' .env; then
|
|
echo "ERROR: /opt/colectivo/.env still contains FILL_IN_ placeholders." >&2
|
|
echo " Fill in PUBLIC_KEYCLOAK_URL, KEYCLOAK_CLIENT_SECRET and retry." >&2
|
|
exit 1
|
|
fi
|
|
REMOTE
|
|
|
|
# ── 4. Build + bring up the stack ─────────────────────────────────────────
|
|
# We forward GIT_SHA over the ssh env so the remote `docker compose build`
|
|
# can substitute it into the Dockerfile build-arg (compose reads it from
|
|
# the same shell, not from .env, so a transient export is enough). ssh
|
|
# doesn't accept VAR=value args directly, so we prefix `env`.
|
|
ssh "$DEPLOY_HOST" env GIT_SHA="$GIT_SHA" bash -s << 'REMOTE'
|
|
set -euo pipefail
|
|
cd /opt/colectivo
|
|
: "${GIT_SHA:=dev}"
|
|
|
|
echo "--- Building app image (commit $GIT_SHA)"
|
|
GIT_SHA="$GIT_SHA" docker compose --env-file .env -f infra/docker-compose.erosi.yml \
|
|
build --build-arg GIT_SHA="$GIT_SHA" app
|
|
|
|
echo "--- Bringing stack up (detached)"
|
|
GIT_SHA="$GIT_SHA" docker compose --env-file .env -f infra/docker-compose.erosi.yml up -d
|
|
|
|
echo "--- Waiting for db to be healthy"
|
|
for i in $(seq 1 60); do
|
|
if docker compose --env-file .env -f infra/docker-compose.erosi.yml ps db --format json | grep -q '"Health":"healthy"'; then
|
|
echo "db healthy"; break
|
|
fi
|
|
sleep 2
|
|
done
|
|
|
|
echo "--- Applying migrations"
|
|
# Every `docker compose exec -T` call below pipes in `</dev/null` (or the
|
|
# migration file for the apply step). This matters because the outer bash
|
|
# is reading its own script from stdin (`ssh ... bash -s << REMOTE`); a
|
|
# `docker compose exec -T` without its own stdin source drains the heredoc,
|
|
# silently eating the remainder of the script — observed as "first iteration
|
|
# runs, every subsequent migration vanishes from the log".
|
|
docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
|
|
psql -U postgres -d postgres </dev/null \
|
|
-c "CREATE TABLE IF NOT EXISTS public._applied_migrations (filename TEXT PRIMARY KEY, applied_at TIMESTAMPTZ DEFAULT now());"
|
|
|
|
for f in supabase/migrations/*.sql; do
|
|
fn=$(basename "$f")
|
|
already=$(docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
|
|
psql -U postgres -d postgres -tAq </dev/null \
|
|
-c "SELECT count(*) FROM public._applied_migrations WHERE filename='$fn'")
|
|
if [ "${already:-0}" -gt 0 ]; then
|
|
echo " skip $fn (applied)"
|
|
continue
|
|
fi
|
|
printf " apply %s ... " "$fn"
|
|
if docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
|
|
psql -U postgres -d postgres -v ON_ERROR_STOP=1 -q < "$f"; then
|
|
docker compose --env-file .env -f infra/docker-compose.erosi.yml exec -T db \
|
|
psql -U postgres -d postgres </dev/null \
|
|
-c "INSERT INTO public._applied_migrations (filename) VALUES ('$fn') ON CONFLICT DO NOTHING;"
|
|
echo "ok"
|
|
else
|
|
echo "FAIL"; exit 1
|
|
fi
|
|
done
|
|
REMOTE
|
|
|
|
echo "==> Deploy complete."
|
|
echo " App: https://erosi.limonia.net"
|
|
echo " Keycloak: external — see PUBLIC_KEYCLOAK_URL in $DEPLOY_PATH/.env"
|