From 58237fb457d1323e62db46f44f985d5a1c05f939 Mon Sep 17 00:00:00 2001
From: skulidropek <66840575+skulidropek@users.noreply.github.com>
Date: Sun, 22 Mar 2026 22:01:03 +0000
Subject: [PATCH] ci: add production deploy workflow for api
---
.github/workflows/deploy.yml | 93 ++++++++++++++++++++++++++++++++++++
1 file changed, 93 insertions(+)
create mode 100644 .github/workflows/deploy.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..5c6e2cc
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,93 @@
+name: Deploy API
+
+on:
+ workflow_dispatch:
+ workflow_run:
+ workflows: ["Check"]
+ branches: [main]
+ types: [completed]
+
+concurrency:
+ group: deploy-production
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ deploy:
+ name: Deploy
+ if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ environment: production
+ steps:
+ - name: Resolve deploy ref
+ id: ref
+ shell: bash
+ run: |
+ if [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+ echo "ref=${{ github.event.workflow_run.head_sha }}" >> "$GITHUB_OUTPUT"
+ else
+ echo "ref=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+ fi
+
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ steps.ref.outputs.ref }}
+
+ - name: Validate required secrets
+ shell: bash
+ env:
+ PROD_VPS_USER: ${{ secrets.PROD_VPS_USER }}
+ PROD_VPS_HOST: ${{ secrets.PROD_VPS_HOST }}
+ PROD_VPS_PASSWORD: ${{ secrets.PROD_VPS_PASSWORD }}
+ PROD_PUBLIC_ORIGIN: ${{ secrets.PROD_PUBLIC_ORIGIN }}
+ PROD_TELEGRAM_BOT_TOKEN: ${{ secrets.PROD_TELEGRAM_BOT_TOKEN }}
+ PROD_TELEGRAM_BOT_USERNAME: ${{ secrets.PROD_TELEGRAM_BOT_USERNAME }}
+ PROD_TELEGRAM_MINI_APP_SHORT_NAME: ${{ secrets.PROD_TELEGRAM_MINI_APP_SHORT_NAME }}
+ run: |
+ missing=()
+ for name in \
+ PROD_VPS_USER \
+ PROD_VPS_HOST \
+ PROD_VPS_PASSWORD \
+ PROD_PUBLIC_ORIGIN \
+ PROD_TELEGRAM_BOT_TOKEN \
+ PROD_TELEGRAM_BOT_USERNAME \
+ PROD_TELEGRAM_MINI_APP_SHORT_NAME
+ do
+ if [[ -z "${!name}" ]]; then
+ missing+=("$name")
+ fi
+ done
+
+ if [[ ${#missing[@]} -gt 0 ]]; then
+ printf 'Missing required secrets: %s\n' "${missing[*]}" >&2
+ exit 1
+ fi
+
+ - name: Install sshpass
+ run: sudo apt-get update && sudo apt-get install -y sshpass
+
+ - name: Validate deploy script
+ run: bash -n scripts/deploy-prod.sh
+
+ - name: Deploy production stack
+ env:
+ PROD_VPS_USER: ${{ secrets.PROD_VPS_USER }}
+ PROD_VPS_HOST: ${{ secrets.PROD_VPS_HOST }}
+ PROD_VPS_PASSWORD: ${{ secrets.PROD_VPS_PASSWORD }}
+ PROD_PUBLIC_ORIGIN: ${{ secrets.PROD_PUBLIC_ORIGIN }}
+ PROD_TELEGRAM_BOT_TOKEN: ${{ secrets.PROD_TELEGRAM_BOT_TOKEN }}
+ PROD_TELEGRAM_BOT_USERNAME: ${{ secrets.PROD_TELEGRAM_BOT_USERNAME }}
+ PROD_TELEGRAM_MINI_APP_SHORT_NAME: ${{ secrets.PROD_TELEGRAM_MINI_APP_SHORT_NAME }}
+ run: |
+ bash ./scripts/deploy-prod.sh \
+ "$PROD_VPS_USER" \
+ "$PROD_VPS_HOST" \
+ "$PROD_VPS_PASSWORD" \
+ "$PROD_TELEGRAM_BOT_TOKEN" \
+ "$PROD_TELEGRAM_BOT_USERNAME" \
+ "$PROD_TELEGRAM_MINI_APP_SHORT_NAME" \
+ "$PROD_PUBLIC_ORIGIN"
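Review bot: The job-level `if:` only checks `workflow_run.conclusion`, so nothing ties the deployed commit to a push on this repository's `main`: the `branches` filter of a `workflow_run` trigger matches the head branch name of the triggering run, and the job then checks out `workflow_run.head_sha` and executes `scripts/deploy-prod.sh` from it with every production secret in `env:`. Check's own triggers are not visible here, but if it also runs for pull requests I would extend the condition with `github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.repository`. In the last step `$PROD_VPS_PASSWORD` and `$PROD_TELEGRAM_BOT_TOKEN` are passed as positional arguments, which places them in the process argument list on the runner; they are already exported to the step, so the script could read them from the environment instead, and key-based SSH with a pinned host key would make the `sshpass` install unnecessary. `actions/checkout@v6` is a movable tag, and in a job that holds deploy credentials it is worth pinning to a full commit SHA and adding `persist-credentials: false` under `with:`.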