Add continuous deployment (#634)

Author: thomashoneyman

.github/workflows/deploy.yml

@@ -0,0 +1,38 @@
+name: deploy
+
+on:
+  # This event is triggered once per non-Github Actions check-suite. If the only
+  # check suites we are running are garnix and Github Actions-based ones, this
+  # will be triggered only once, when garnix is done with all the builds for a
+  # commit.
+  check_suite:
+    types: [completed]
+
+jobs:
+  deploy:
+    # Deploys should only occur from the master branch
+    if: github.ref_name == 'master'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup SSH keys and known_hosts
+        env:
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+        run: |
+          ssh-agent -a $SSH_AUTH_SOCK > /dev/null
+          ssh-add - <<< "${{ secrets.PACCHETTIBOTTI_SSH_KEY }}"
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+
+      - name: Deploy with Colmena
+        env:
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+        run: |
+          nix develop --command colmena apply

CONTRIBUTING.md

@@ -92,11 +92,17 @@ These checks are also run in the repository continuous integration.
 
 ## Deployment
 
-You can deploy a new version of the registry server in one step:
+The registry is continuously deployed. The [deploy.yml](./.github/workflows/deploy.yml) file defines a GitHub Actions workflow to auto-deploy the server when a new commit is pushed to `master` and test workflows have passed.
+
+However, you can manually deploy a new version of the registry server in one step:
 
 ```sh
 # Will deploy the server to registry.purescript.org
 colmena apply
 ```
 
-If the deployment fails it will automatically be rolled back. If you have provisioned a new machine altogether, then you will first need to copy a valid `.env` file to `/var/lib/registry-server/.env` before the server will run. You can test that the server has come up appropriately by SSH-ing into the server and running `journalctl -u server.service`.
+If the deployment fails it will automatically be rolled back. You can test that the server has come up appropriately by SSHing into the server and running `journalctl -uf server.service`.
+
+### Updating Secrets
+
+If you have provisioned a new machine or need to update a secret, then you will need to create or edit the `.env` file located in `/var/lib/registry-server`. It follows the same rules as described in the [`.env.example`](./.env.example) file in this repository.

README.md

@@ -1,5 +1,7 @@
 # PureScript Registry Development
 
+[![deploy](https://github.com/purescript/registry-dev/actions/workflows/deploy.yml/badge.svg)](https://github.com/purescript/registry-dev/actions/workflows/deploy.yml) [![tests](https://github.com/purescript/registry-dev/actions/workflows/main.yml/badge.svg)](https://github.com/purescript/registry-dev/actions/workflows/main.yml)
+
 This repository hosts the code for the PureScript Registry and its affiliated projects. If you are new to the registry and are interested in its development, then the following should be helpful:
 
 - The [specification](./SPEC.md) describes what the registry is, how it works, and its fundamental types and operations.

flake.nix

@@ -336,10 +336,7 @@
           host = "registry.purescript.org";
         in {
           deployment.targetHost = host;
-
-          # Set 'true' to build on the target machine (necessary if deploying
-          # from a non-linux machine).
-          deployment.buildOnTarget = false;
+          deployment.buildOnTarget = true;
 
           # We import the server module and also the digital ocean configuration
           # necessary to run in a DO droplet.

nix/deployers.nix

@@ -8,4 +8,8 @@
   fabrizio = {
     sshKeys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqIMvUZf1ffuqlKqemYMrLruO15Hy1SM+We5W1GHI9wLbY6FOsfDL78Yx6Eywc2iU0acpbyr1RVvgJ0gbMbHGc= [email protected]"];
   };
+
+  pacchettibotti = {
+    sshKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGm5hQeEQS85APheDeSRyggo0Igdq6CbTfq1f8eQG45t [email protected]"];
+  };
 }