chore: bump spring version to 4.0.5 (#27)

* chore: bump spring version to 4.0.5

* feat: add docker build to CI workflow

* feat: add staging deploy - wip

* fix: change triggers to include PR changes

* feat: add server ci and deploy to stg

* chore: add app build candidate

* remove from branch, get from main

* fix: build app candidate

* fix: build app candidate

* fix: fe changes in the app

* fix: app ci workflow dispatch

* chore: improve PR ci and cd

* feat: make deployments always happen for PRs

* feat: improve workflow names

Author: RMCampos

.github/workflows/build-app-candidate.yml

@@ -34,63 +34,24 @@ jobs:
         with:
           images: ghcr.io/${{ github.repository }}/app
           tags: |
-            type=raw,value=candidade
+            type=raw,value=candidate
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: ./client
-          push: true
-          tags: candidate
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          build-args: |
-            VITE_BUILD=v${DATE}.${{ github.run_number }}"
-name: Build App Candidate
-
-on:
-  workflow_dispatch:
-
-jobs:
-  build-and-push-app:
-    name: Build & Push App
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          ref: ${{ github.ref }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata for Docker
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}/app
-          tags: |
-            type=raw,value=candidade
+      - name: Generate version tag
+        id: version
+        run: |
+          DATE=$(date +'%Y.%m.%d')
+          TAG="app-v${DATE}.${{ github.run_number }}"
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
+          echo "Generated tag: ${TAG}"
 
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
           context: ./client
           push: true
-          tags: candidate
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |
-            VITE_BUILD=v${DATE}.${{ github.run_number }}"
+            VITE_BUILD=${{ steps.version.outputs.tag }}

.github/workflows/client-ci.yml

@@ -1,10 +1,11 @@
-name: Frontend CI
+name: Frontend PR
 
 on:
   workflow_dispatch:
-  push:
+  pull_request:
+    types: [opened, synchronize, reopened]
     branches:
-      - '**'
+      - 'main'
     paths:
       - 'client/**/*.html'
       - 'client/**/*.png'
@@ -18,8 +19,8 @@ on:
       - '.github/workflows/client-ci.yml'
 
 jobs:
-  build-and-push:
-    name: Frontend CI
+  run-checks:
+    name: Checks
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -51,3 +52,55 @@ jobs:
       - name: Run tests
         run: npm run test:no-watch
         working-directory: ./client
+
+  build-and-push:
+    name: Build & Push
+    runs-on: ubuntu-latest
+    needs: ["run-checks"]
+    permissions:
+      contents: write
+      packages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}/app
+          tags: |
+            type=raw,value=candidate
+
+      - name: Generate version tag
+        id: version
+        run: |
+          DATE=$(date +'%Y.%m.%d')
+          TAG="app-v${DATE}.${{ github.run_number }}"
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
+          echo "Generated tag: ${TAG}"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./client
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            VITE_BUILD=${{ steps.version.outputs.tag }}

.github/workflows/deploy-stg.yml

@@ -0,0 +1,136 @@
+name: Deploy to staging
+
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: [ "Backend PR", "Frontend PR" ]
+    types: [ completed ]
+
+jobs:
+  terraform-plan-stg:
+    name: Plan changs to staging
+    runs-on: ubuntu-latest
+    outputs:
+      no_changes: ${{ steps.check-changes.outputs.no_changes }}
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Setup Kubeconfig
+        run: |
+          mkdir -p ~/.kube
+          echo "${{ secrets.KUBECONFIG_DATA }}" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Validate cluster access
+        run: |
+          kubectl cluster-info
+          kubectl get namespace tasknote-stg
+
+      - name: Determine deployment values
+        id: deploy-vars
+        run: |
+          backend_image="ghcr.io/rmcampos/tasknote/api:candidate"
+          frontend_image="ghcr.io/rmcampos/tasknote/app:candidate"
+
+          echo "backend_image=$backend_image" >> "$GITHUB_OUTPUT"
+          echo "frontend_image=$frontend_image" >> "$GITHUB_OUTPUT"
+
+      - name: Terraform Fmt -check -diff
+        working-directory: terraform-stg
+        run: terraform fmt -check -diff
+
+      - name: Terraform Init
+        working-directory: terraform-stg
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+        run: terraform init -input=false
+
+      - name: Terraform Validate
+        working-directory: terraform-stg
+        run: terraform validate
+
+      - name: Terraform Plan
+        id: check-changes
+        working-directory: terraform-stg
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+        run: |
+          timeout 1m terraform plan -input=false -out=tfplan \
+            -var="db_user=${{ secrets.DB_USER }}" \
+            -var="db_password=${{ secrets.DB_PASSWORD }}" \
+            -var="db_name=${{ secrets.DB_NAME }}" \
+            -var="security_key=${{ secrets.JWT_SECURITY_KEY }}" \
+            -var="mailgun_apikey=${{ secrets.MAILGUN_API_KEY }}" \
+            -var="backend_image=${{ steps.deploy-vars.outputs.backend_image }}" \
+            -var="frontend_image=${{ steps.deploy-vars.outputs.frontend_image }}"
+          terraform show -json tfplan > tfplan.json
+          if jq -e '.resource_changes | length == 0' tfplan.json >/dev/null; then
+            echo "no_changes=true" >> "$GITHUB_OUTPUT"
+            echo "No changes to apply."
+            exit 0
+          else
+            echo "Changes detected. Proceeding with apply"
+            echo "no_changes=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload plan artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: tfplan
+          path: terraform/tfplan
+
+  terraform-apply:
+    runs-on: ubuntu-latest
+    needs: terraform-plan-stg
+    if: >
+      (github.event_name == 'push' || github.event_name == 'workflow_run')
+      && needs.terraform-plan-stg.outputs.no_changes == 'false'
+    environment:
+      name: staging
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Download plan artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: tfplan
+          path: terraform
+
+      - name: Setup Kubeconfig
+        run: |
+          mkdir -p ~/.kube
+          echo "${{ secrets.KUBECONFIG_DATA }}" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Terraform Init
+        working-directory: terraform-stg
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+        run: terraform init -input=false
+
+      - name: Terraform Apply
+        working-directory: terraform-stg
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+        run: timeout 1m terraform apply tfplan

.github/workflows/deploy.yml

@@ -1,4 +1,4 @@
-name: Deploy to K3s
+name: Deploy to prod
 
 on:
   workflow_dispatch:
@@ -14,7 +14,7 @@ on:
         required: false
         default: "true"
   workflow_run:
-    workflows: [ "Backend Build & Push", "Frontend Build & Push" ]
+    workflows: [ "Backend Main", "Frontend Main" ]
     types: [ completed ]
 
 jobs:

.github/workflows/main-client.yml

@@ -1,4 +1,4 @@
-name: Frontend Build & Push
+name: Frontend Main
 
 on:
   workflow_dispatch:
@@ -19,7 +19,7 @@ on:
 
 jobs:
   build-and-push:
-    name: Frontend Build & Push
+    name: Build & Push
     runs-on: ubuntu-latest
     permissions:
       contents: write

.github/workflows/main-server.yml

@@ -1,4 +1,4 @@
-name: Backend Build & Push
+name: Backend Main
 
 on:
   workflow_dispatch:
@@ -13,7 +13,7 @@ on:
 
 jobs:
   build-and-push:
-    name: Backend Build & Push
+    name: Build & Push
     runs-on: ubuntu-latest
     permissions:
       contents: write