Setup/cd workflow #3

Merged
Fl1riX merged 5 commits into main from setup/cd-workflow on Mar 11, 2026

Conversation

@Fl1riX (Owner) commented Mar 11, 2026


Summary by Sourcery

Deployment:

  • Introduce a GitHub Actions workflow that connects via Tailscale and SSH to update the repository on the server and rebuild/restart Docker services on pushes to main.

@sourcery-ai sourcery-ai bot (Contributor) commented Mar 11, 2026

Reviewer's Guide

Adds a GitHub Actions deployment workflow that connects via Tailscale and deploys to a remote server over SSH on pushes to main, including concurrency control and Docker-based deployment steps.

Sequence diagram for Deploy workflow on push to main

```mermaid
sequenceDiagram
    actor Developer
    participant GitHubRepo
    participant GitHubActions
    participant Tailscale
    participant RemoteServer
    participant DockerEngine

    Developer->>GitHubRepo: push commit to main
    GitHubRepo->>GitHubActions: trigger Deploy workflow (on push to main)

    GitHubActions->>GitHubActions: create concurrency group deploy-${{ github.ref }}
    GitHubActions->>GitHubActions: cancel in-progress deploy jobs for same ref

    GitHubActions->>Tailscale: connect using secret TAILSCALE_AUTHKEY
    Tailscale-->>GitHubActions: runner joined Tailscale network

    GitHubActions->>RemoteServer: SSH using SSH_USER and SSH_DEPLOY_PRIVATE_KEY
    GitHubActions->>RemoteServer: run cd ~/SteelTime
    GitHubActions->>RemoteServer: run git fetch origin main
    GitHubActions->>RemoteServer: run git reset --hard origin/main
    GitHubActions->>RemoteServer: run docker compose up -d --build
    RemoteServer->>DockerEngine: build and start containers
    GitHubActions->>RemoteServer: run docker system prune -f
```

File-Level Changes

Change: Introduce GitHub Actions workflow for automated deployment on pushes to main.
Details:
  • Create Deploy workflow triggered on push events to the main branch
  • Configure concurrency to ensure only one deploy runs per branch and cancel in-progress runs
  • Add job that runs on ubuntu-latest to execute deployment steps
Files: .github/workflows/deploy.yml

Change: Set up Tailscale connection and SSH-based remote deployment using Docker.
Details:
  • Use tailscale/github-action to establish a Tailscale connection using a repository secret auth key
  • Use appleboy/ssh-action to SSH into the deployment server with secrets-based credentials
  • Fetch and hard-reset the repo on the server to origin/main before deployment
  • Rebuild and restart services via docker compose up -d --build on the server
  • Clean up unused Docker resources with docker system prune -f after deployment
Files: .github/workflows/deploy.yml


@sourcery-ai sourcery-ai bot (Contributor) left a comment

Hey - I've found 3 issues and left some high-level feedback:

  • The authkey parameter for the Tailscale action should use GitHub expression syntax (e.g. authkey: ${{ secrets.TAILSCALE_AUTHKEY }}) rather than the YAML anchor-style &{{ ... }}, which will not resolve as intended.
  • Consider moving the hard-coded server IP (107.74.35.34) into a secret or environment variable so it can be changed without editing the workflow file and to avoid exposing infrastructure details in the repo.
  • docker system prune -f in the deploy script can remove images and resources unrelated to this deployment; consider limiting cleanup to specific containers/images or running periodic maintenance separately from the deployment workflow.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The `authkey` parameter for the Tailscale action should use GitHub expression syntax (e.g. `authkey: ${{ secrets.TAILSCALE_AUTHKEY }}`) rather than the YAML anchor-style `&{{ ... }}`, which will not resolve as intended.
- Consider moving the hard-coded server IP (`107.74.35.34`) into a secret or environment variable so it can be changed without editing the workflow file and to avoid exposing infrastructure details in the repo.
- `docker system prune -f` in the deploy script can remove images and resources unrelated to this deployment; consider limiting cleanup to specific containers/images or running periodic maintenance separately from the deployment workflow.

## Individual Comments

### Comment 1
<location path=".github/workflows/deploy.yml" line_range="20" />
<code_context>
+      - name: Connect to tailscale
+        uses: tailscale/github-action@v2
+        with: 
+          authkey: &{{ secrets.TAILSCALE_AUTHKEY }}
+
+      - name: Deploy to server
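Review bot: `authkey: &{{ secrets.TAILSCALE_AUTHKEY }}` is a YAML anchor, not a GitHub Actions expression, so this step fails before the runner ever joins the tailnet; write `authkey: ${{ secrets.TAILSCALE_AUTHKEY }}`. Separately, `uses: tailscale/github-action@v2` resolves a mutable tag on every run, and this is the step that receives the credential that admits a machine into your network; pin it to a full commit SHA (keep the version in a trailing comment) and, since the runner only needs the tailnet for the length of the job, prefer the action's OAuth client inputs scoped to an ACL tag, which join the runner as a short-lived tagged node, over a long-lived reusable auth key kept in a repository secret.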
</code_context>
<issue_to_address>
**issue (bug_risk):** GitHub Actions expression syntax for `authkey` looks incorrect and will likely fail parsing.

The `authkey` line is using `&{{ ... }}`, which is a YAML anchor, not valid GitHub Actions expression syntax, and will likely fail at parse or runtime. It should be:

```yaml
authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
```

This aligns with other `secrets.*` usages and the expected input format for `tailscale/github-action`.
</issue_to_address>

### Comment 2
<location path=".github/workflows/deploy.yml" line_range="25" />
<code_context>
+      - name: Deploy to server
+        uses: appleboy/ssh-action@v1.0.0
+        with:
+          host: 107.74.35.34
+          username: ${{ secrets.SSH_USER }}
+          key: ${{ secrets.SSH_DEPLOY_PRIVATE_KEY }}
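Review bot: `host: 107.74.35.34` is a public IPv4 address, so the SSH session crosses the public internet and the Tailscale step immediately above buys nothing for this hop; point `host` at the server's tailnet address or MagicDNS name, read it from a secret or repository variable rather than committing it, and the server's SSH port can then be closed to anything that is not on the tailnet. This step also hands `SSH_DEPLOY_PRIVATE_KEY` to `appleboy/ssh-action@v1.0.0`, a tag that can be moved; pin it to a commit SHA. No host-key pin is visible either, so the connection trusts whichever host answers at that address; set the action's `fingerprint` input to the SHA256 fingerprint of the server's host key.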
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Hardcoding the SSH host IP reduces flexibility and can leak infrastructure details.

Using a literal IP here makes it harder to rotate servers or separate environments, and it exposes infrastructure details in the repo. Prefer sourcing this from a secret or environment variable (e.g. `host: ${{ secrets.SSH_HOST }}`) so you can change hosts without code changes and avoid publishing the IP.

Suggested implementation:

```
      - name: Deploy to server
        uses: appleboy/ssh-action@v1.0.0
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_DEPLOY_PRIVATE_KEY }}

```

1. In your GitHub repository settings, define a `SSH_HOST` secret with the appropriate host (IP or hostname) for this deployment.
2. If you have multiple environments (e.g. staging/production), consider separate workflows or environment-specific secrets like `STAGING_SSH_HOST` and `PROD_SSH_HOST`.
</issue_to_address>

### Comment 3
<location path=".github/workflows/deploy.yml" line_range="33" />
<code_context>
+            git fetch origin main
+            git reset --hard origin/main
+            docker compose up -d --build
+            docker system prune -f
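Review bot: Nothing in the visible script stops on failure: if `git fetch origin main` or `git reset --hard origin/main` fails, `docker compose up -d --build` still runs against whatever tree is on disk, and `docker system prune -f` runs even after a failed build; start the script with `set -euo pipefail`. `git reset --hard origin/main` also deploys whatever the branch tip is at fetch time rather than the commit that triggered the run; pass `${{ github.sha }}` to the script (the action's `envs` input does this) and reset to that revision. Finally, `docker system prune -f` is host-wide, removing stopped containers, unused networks and dangling images of every project on the machine; scope it, for example `docker image prune -f --filter label=com.docker.compose.project=<project>`.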
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Unscoped `docker system prune -f` can remove unrelated images/containers on the host.

On a shared host, this will remove all unused containers/images/networks, not just ones for this project, which can disrupt other services or wipe debugging artifacts. If you only need to clean up this project’s resources, consider a narrower command (e.g., `docker image prune` with labels/filters or `docker compose` cleanup) to avoid impacting unrelated workloads.
</issue_to_address>

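Pulling the three findings above together with the job the reviewer's guide describes (push to main, join Tailscale, SSH in, reset the checkout, rebuild with compose, prune), here is a hardened form of the same deploy workflow. This is an added example, not the repository's `.github/workflows/deploy.yml` and not Sourcery's suggested text. The secret and variable names `TS_OAUTH_CLIENT_ID`, `TS_OAUTH_SECRET`, `SSH_HOST` and `SSH_HOST_FINGERPRINT`, the ACL tag `tag:ci`, the `production` environment, the compose project name `steeltime` and the all-zero commit SHAs are assumptions and placeholders, not values from the PR.

```yaml
# Added example: hardened version of the deploy workflow described in this PR.
# Not the repository's own .github/workflows/deploy.yml. Secret names, the ACL tag,
# the environment name, the compose project name and the placeholder SHAs are
# assumptions; replace the zeros with the real pinned commit SHAs.
name: Deploy

on:
  push:
    branches: [main]

# The job needs nothing from GITHUB_TOKEN; Tailscale and SSH use their own secrets.
permissions:
  contents: read

concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    # A GitHub environment lets you require a reviewer before its secrets are released.
    environment: production
    steps:
      - name: Connect to tailscale
        # Weak:  uses: tailscale/github-action@v2   (mutable tag)
        uses: tailscale/github-action@0000000000000000000000000000000000000000 # v2, placeholder SHA
        with:
          # Weak:  authkey: &{{ secrets.TAILSCALE_AUTHKEY }}   (YAML anchor, not an expression)
          # An OAuth client scoped to tag:ci joins the runner as a short-lived tagged node
          # instead of spending a long-lived reusable auth key from a repository secret.
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:ci

      - name: Deploy to server
        # Weak:  uses: appleboy/ssh-action@v1.0.0   (mutable tag receiving the deploy key)
        uses: appleboy/ssh-action@0000000000000000000000000000000000000000 # v1.0.0, placeholder SHA
        with:
          # Weak:  host: 107.74.35.34   (public IP committed to the repo; bypasses the tailnet)
          # Use the server's tailnet address or MagicDNS name, stored as a secret or variable.
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_DEPLOY_PRIVATE_KEY }}
          # SHA256 fingerprint of the server's host key. Without it the action skips
          # host-key verification and whichever host answers gets the session.
          fingerprint: ${{ secrets.SSH_HOST_FINGERPRINT }}
          # Forward the triggering commit so the server deploys exactly that revision.
          envs: GITHUB_SHA
          script: |
            set -euo pipefail
            cd ~/SteelTime
            git fetch origin main
            # Weak:  git reset --hard origin/main   (deploys whatever main is at fetch time)
            # Fails, and aborts the script, if the commit is not what was just fetched.
            git reset --hard "${GITHUB_SHA}"
            docker compose up -d --build
            # Weak:  docker system prune -f   (host-wide: every project's stopped containers,
            #        unused networks and dangling images)
            # Scoped: only dangling images carrying this project's compose label.
            # Assumes compose labels its built images with com.docker.compose.project and
            # that the project name is the lower-cased directory name, "steeltime".
            docker image prune -f --filter "label=com.docker.compose.project=steeltime"
```

Before relying on the scoped prune, confirm the label on one of the project's images with `docker image inspect <image> --format '{{json .Config.Labels}}'`. The host-key fingerprint for `SSH_HOST_FINGERPRINT` can be taken from a trusted session with `ssh-keyscan -t ed25519 <host> | ssh-keygen -lf -`; record it out of band once, not from the runner.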

@Fl1riX Fl1riX merged commit 89f17fd into main Mar 11, 2026
3 checks passed