# Gitea Actions CI/CD - build + deploy SOLUTION_ERP to IIS on same VPS. # Trigger: push to main, or manual dispatch. # # Self-hosted Windows runner on VPS (shared with VIETREPORT). Runner has: # - git, .NET 10 SDK, Node 20, IIS # - Can deploy locally (no WinRM needed) # # Secrets required in Gitea repo settings: # - JWT_SECRET (64+ chars random) # - DB_CONNECTION (full connection string with vrapp password) name: Deploy SOLUTION_ERP # Path filter — skip CI khi commit chỉ docs/MD/skill (~110s saved per docs commit). # Commit MD-only như "Docs: chốt session" sẽ KHÔNG trigger workflow. # Lưu ý: nếu cùng 1 commit thay đổi cả MD + code → vẫn trigger (đúng behavior). on: push: branches: [main] paths-ignore: - 'docs/**' - '**/*.md' - '.claude/skills/**' - '.gitignore' - 'scripts/**.md' workflow_dispatch: jobs: build-deploy: runs-on: windows-latest steps: # Manual checkout thay vì `uses: actions/checkout@v4` — tránh phụ thuộc # github.com (act_runner mỗi run đều `git fetch` để check update action, # khi VPS → github.com TCP timeout 21s thì toàn job fail trước khi tới # test gate). Gitea internal network luôn ổn định, nên clone trực tiếp. # Token `${{ github.token }}` (Gitea cũng dùng tên này) tự sẵn cho job. - name: Checkout (manual git, bypass github.com) shell: powershell run: | git config --global --add safe.directory '*' git init -q git remote add origin "https://gitea-actions:${{ github.token }}@git.baocaogiaoduc.vn/${{ github.repository }}.git" # Fetch ref (branch) thay vì SHA — không cần Gitea allow SHA fetch. # Depth 30 đủ buffer nếu main đã commit thêm sau khi job pickup. $ref = "${{ github.ref }}" if ($ref -like "refs/heads/*") { $ref = $ref.Substring(11) } git fetch --depth=30 origin $ref git checkout --quiet "${{ github.sha }}" git log -1 --oneline - name: Show tool versions shell: powershell run: | & 'C:\Program Files\dotnet\dotnet.exe' --version & 'C:\Program Files\nodejs\node.exe' --version & 'C:\Program Files\nodejs\npm.cmd' --version # ============== TEST GATE ============== # Run tests TRƯỚC build/publish/deploy. Fail → exit non-zero → no deploy. # Phase 1: Domain (54 test policy state machine). # Phase 2: Infrastructure (17 test code generators format/sequence/year scope). - name: Run unit tests (Domain) shell: powershell run: | & 'C:\Program Files\dotnet\dotnet.exe' test tests/SolutionErp.Domain.Tests/SolutionErp.Domain.Tests.csproj ` --configuration Release ` --logger "trx;LogFileName=domain-tests.trx" ` --results-directory test-results if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } - name: Run integration tests (Infrastructure - SQLite in-memory) shell: powershell run: | & 'C:\Program Files\dotnet\dotnet.exe' test tests/SolutionErp.Infrastructure.Tests/SolutionErp.Infrastructure.Tests.csproj ` --configuration Release ` --logger "trx;LogFileName=infra-tests.trx" ` --results-directory test-results if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE } # Upload test results — bỏ vì `actions/upload-artifact@v4` cũng phụ thuộc # github.com fetch (cùng vấn đề như actions/checkout). TRX file vẫn save # local trong workspace `test-results/` cho debug khi cần. - name: List test results (local debug) if: always() shell: powershell run: | if (Test-Path test-results) { Get-ChildItem test-results -Recurse | Format-Table FullName, Length } else { Write-Host "No test-results directory." } # ============== BUILD ============== - name: Build backend shell: powershell run: | & 'C:\Program Files\dotnet\dotnet.exe' restore SolutionErp.slnx & 'C:\Program Files\dotnet\dotnet.exe' publish src/Backend/SolutionErp.Api/SolutionErp.Api.csproj ` --configuration Release ` --output out/api ` --runtime win-x64 ` --self-contained false # ============== FE BUILD WITH NPM CACHE ============== # Cache `node_modules` ở `C:\npm-cache-erp\\\` ngoài workspace. # Cache key = SHA256(package.json) 16-char prefix → đổi deps = fresh install. # Junction từ workspace → cache (instant, không file copy). # Lần đầu (cold cache): 49s + 33s. Lần sau (warm cache): 1-2s mỗi app. # Vite 8 rolldown native binding match platform — install trên runner Windows # (gotcha #20 từ Phase 5) → cache install này dùng được lần sau. - name: Build fe-admin (with npm junction cache) shell: powershell run: | $ErrorActionPreference = 'Stop' $hash = (Get-FileHash 'fe-admin/package.json' -Algorithm SHA256).Hash.Substring(0, 16) $cacheDir = "C:\npm-cache-erp\fe-admin\$hash" $cacheNm = "$cacheDir\node_modules" $nmTarget = 'fe-admin\node_modules' # Clean junction/dir cũ trong workspace nếu còn (act_runner thường clean nhưng phòng hờ) if (Test-Path $nmTarget) { cmd /c rmdir /s /q $nmTarget } if (Test-Path $cacheNm) { Write-Host "✓ npm cache HIT fe-admin (key: $hash)" cmd /c mklink /J $nmTarget $cacheNm | Out-Null } else { Write-Host "✗ npm cache MISS fe-admin (key: $hash) — fresh install" Push-Location fe-admin try { Remove-Item package-lock.json -Force -ErrorAction SilentlyContinue & 'C:\Program Files\nodejs\npm.cmd' install --no-audit --no-fund if ($LASTEXITCODE -ne 0) { throw "npm install failed: $LASTEXITCODE" } } finally { Pop-Location } New-Item -ItemType Directory -Force $cacheDir | Out-Null Move-Item $nmTarget $cacheNm -Force cmd /c mklink /J $nmTarget $cacheNm | Out-Null } Push-Location fe-admin try { & 'C:\Program Files\nodejs\npm.cmd' run build if ($LASTEXITCODE -ne 0) { throw "npm build failed: $LASTEXITCODE" } } finally { Pop-Location } - name: Build fe-user (with npm junction cache) shell: powershell run: | $ErrorActionPreference = 'Stop' $hash = (Get-FileHash 'fe-user/package.json' -Algorithm SHA256).Hash.Substring(0, 16) $cacheDir = "C:\npm-cache-erp\fe-user\$hash" $cacheNm = "$cacheDir\node_modules" $nmTarget = 'fe-user\node_modules' if (Test-Path $nmTarget) { cmd /c rmdir /s /q $nmTarget } if (Test-Path $cacheNm) { Write-Host "✓ npm cache HIT fe-user (key: $hash)" cmd /c mklink /J $nmTarget $cacheNm | Out-Null } else { Write-Host "✗ npm cache MISS fe-user (key: $hash) — fresh install" Push-Location fe-user try { Remove-Item package-lock.json -Force -ErrorAction SilentlyContinue & 'C:\Program Files\nodejs\npm.cmd' install --no-audit --no-fund if ($LASTEXITCODE -ne 0) { throw "npm install failed: $LASTEXITCODE" } } finally { Pop-Location } New-Item -ItemType Directory -Force $cacheDir | Out-Null Move-Item $nmTarget $cacheNm -Force cmd /c mklink /J $nmTarget $cacheNm | Out-Null } Push-Location fe-user try { & 'C:\Program Files\nodejs\npm.cmd' run build if ($LASTEXITCODE -ne 0) { throw "npm build failed: $LASTEXITCODE" } } finally { Pop-Location } # Safety: convert junction → nothing trước khi act_runner có thể cleanup workspace. # `cmd /c rmdir /q` chỉ remove junction reference, KHÔNG recurse vào target. # Tránh trường hợp Remove-Item -Recurse từ runner cleanup follow junction + # delete cache contents. - name: Remove FE node_modules junctions (preserve cache) if: always() shell: powershell run: | foreach ($app in @('fe-admin', 'fe-user')) { $junction = "$app\node_modules" if (Test-Path $junction) { cmd /c rmdir /q $junction 2>$null Write-Host "Removed junction: $junction" } } # Cache cleanup — keep top 5 most recent per app (FIFO eviction). # Mỗi cache ~250MB. 5 versions × 2 app × 250MB = 2.5 GB max disk usage. - name: Prune old npm caches if: always() shell: powershell run: | foreach ($app in @('fe-admin', 'fe-user')) { $root = "C:\npm-cache-erp\$app" if (Test-Path $root) { $stale = Get-ChildItem $root -Directory | Sort-Object LastWriteTime -Descending | Select-Object -Skip 5 foreach ($d in $stale) { Write-Host "Pruning stale cache: $($d.FullName)" Remove-Item $d.FullName -Recurse -Force -ErrorAction SilentlyContinue } } } - name: Deploy to IIS (local) if: github.ref == 'refs/heads/main' shell: powershell env: JWT_SECRET: ${{ secrets.JWT_SECRET }} DB_CONNECTION: ${{ secrets.DB_CONNECTION }} run: | Import-Module WebAdministration # Stop app pool (if running) so DLLs are writable $poolState = (Get-WebAppPoolState -Name SolutionErp-Api -ErrorAction SilentlyContinue).Value if ($poolState -eq 'Started') { Stop-WebAppPool -Name SolutionErp-Api Start-Sleep -Seconds 3 } # Deploy API Remove-Item -Path 'C:\inetpub\solution-erp\api\*' -Recurse -Force -Exclude 'appsettings.Production.json','logs','uploads','wwwroot' -ErrorAction SilentlyContinue Copy-Item -Path 'out\api\*' -Destination 'C:\inetpub\solution-erp\api\' -Recurse -Force # Write appsettings.Production.json from source template + secrets. # Template is in source workspace (not in publish output - dotnet publish # doesn't copy .example files). $example = 'src\Backend\SolutionErp.Api\appsettings.Production.json.example' $prod = 'C:\inetpub\solution-erp\api\appsettings.Production.json' $settings = Get-Content $example -Raw | ConvertFrom-Json $settings.ConnectionStrings.Default = $env:DB_CONNECTION $settings.Jwt.Secret = $env:JWT_SECRET $settings | ConvertTo-Json -Depth 10 | Set-Content -Path $prod -Encoding UTF8 Write-Host "Wrote appsettings.Production.json" # Restrict ACL icacls $prod /inheritance:r | Out-Null icacls $prod /grant:r 'Administrators:(R,W)' 'IIS AppPool\SolutionErp-Api:(R)' | Out-Null # Deploy fe-admin Remove-Item -Path 'C:\inetpub\solution-erp\fe-admin\*' -Recurse -Force -Exclude 'web.config' -ErrorAction SilentlyContinue Copy-Item -Path 'fe-admin\dist\*' -Destination 'C:\inetpub\solution-erp\fe-admin\' -Recurse -Force # Deploy fe-user Remove-Item -Path 'C:\inetpub\solution-erp\fe-user\*' -Recurse -Force -Exclude 'web.config' -ErrorAction SilentlyContinue Copy-Item -Path 'fe-user\dist\*' -Destination 'C:\inetpub\solution-erp\fe-user\' -Recurse -Force # Restart app pool Start-WebAppPool -Name SolutionErp-Api Write-Host "Deploy done. App pool started." - name: Smoke test if: github.ref == 'refs/heads/main' shell: powershell run: | Start-Sleep -Seconds 10 try { $r = Invoke-WebRequest -Uri 'https://api.solutions.com.vn/health/live' -TimeoutSec 30 -UseBasicParsing Write-Host "API /health/live -> $($r.StatusCode)" } catch { Write-Warning "API smoke test: $_" }