Summary
Set up GitHub Actions CI/CD pipeline to build, test, and deploy the application to Digital Ocean.
Details
CI Pipeline (on every PR and push to main)
jobs:
backend:
- Checkout
- Set up Go
- Run go vet
- Run go test ./...
- Build binary
frontend:
- Checkout
- Set up Node
- npm ci
- npm run lint
- npm run type-check
- npm run build
docker:
- Build Docker image (multi-stage: build frontend + backend, copy into minimal image)
- Push to GitHub Container Registry (ghcr.io) on main branch only
CD Pipeline (on push to main, after CI passes)
- Build Docker image with embedded frontend
- Push to container registry
- Deploy to Digital Ocean (App Platform deploy hook or Droplet SSH + docker pull)
- Run database migrations
- Health check after deployment
Dockerfile (multi-stage)
# Stage 1: Build frontend
FROM node:22-alpine AS frontend
WORKDIR /app/web
COPY web/ .
RUN npm ci && npm run build
# Stage 2: Build backend
FROM golang:1.23-alpine AS backend
WORKDIR /app
COPY go.* ./
RUN go mod download
COPY . .
COPY --from=frontend /app/web/dist ./web/dist
RUN go build -o server ./cmd/server
# Stage 3: Runtime
FROM alpine:3.20
COPY --from=backend /app/server /server
COPY --from=backend /app/migrations /migrations
EXPOSE 8080
CMD ["/server"]
Secrets Management
- GitHub Actions secrets for: DIGITALOCEAN_TOKEN, DATABASE_URL, COD_SSO_TOKEN
- Never print secrets in logs
- Use environment-specific secrets (staging vs production if applicable)
Acceptance Criteria
- CI runs on every PR: lint, type-check, test, build
- Docker image builds successfully with embedded frontend
- CD deploys to Digital Ocean on merge to main
- Database migrations run automatically on deploy
- Health check verifies deployment success
- No secrets exposed in logs or artifacts
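One way to enforce the "no secrets exposed in logs or artifacts" criterion, as an added example that is not part of the original issue: a shell function for a CI step that scans log or artifact files for the values of the three secrets named above, verbatim or base64-encoded, and reports only the secret's name. The file paths passed to it and the 8-character minimum length are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): fail a CI step when a pipeline secret
# value shows up in a log or artifact file. The secret names are the ones the
# issue lists; the files to scan are supplied by the caller (assumption).

SECRET_NAMES="DIGITALOCEAN_TOKEN DATABASE_URL COD_SSO_TOKEN"

# scan_for_secrets FILE...
# Returns 0 when every file is clean, 1 when a secret value is found.
# Output names the secret and the file only; the value is never printed.
scan_for_secrets() {
  local found=0 name value encoded file
  for name in $SECRET_NAMES; do
    # Indirect lookup of the variable called $name (names are fixed above).
    eval "value=\${$name:-}"
    # Skip unset or very short values: they would match unrelated text.
    [ "${#value}" -ge 8 ] || continue
    # Log masking only covers the exact string, so also look for the value
    # base64-encoded on its own, a common way secrets slip past masking.
    encoded="$(printf '%s' "$value" | base64 | tr -d '\n')"
    for file in "$@"; do
      [ -f "$file" ] || continue
      # -F matches a fixed string, so regex metacharacters in a secret
      # (for example in a database URL) are taken literally.
      if grep -qF -e "$value" -- "$file"; then
        echo "LEAK: $name (plain) in $file" >&2
        found=1
      elif grep -qF -e "$encoded" -- "$file"; then
        echo "LEAK: $name (base64) in $file" >&2
        found=1
      fi
    done
  done
  return "$found"
}

# When run as a script with file arguments, scan them and exit non-zero on a leak.
if [ "$#" -gt 0 ]; then
  scan_for_secrets "$@"
fi
```

In a workflow the step would receive the secrets through `env:` and be pointed at the files about to be uploaded as artifacts.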