solution-erp/.gitea/workflows/deploy.yml

# Gitea Actions CI/CD - build + deploy SOLUTION_ERP to IIS on same VPS.
# Trigger: push to main, or manual dispatch.
#
# Self-hosted Windows runner on VPS (shared with VIETREPORT). Runner has:
#   - git, .NET 10 SDK, Node 20, IIS
#   - Can deploy locally (no WinRM needed)
#
# Secrets required in Gitea repo settings:
#   - JWT_SECRET     (64+ chars random)
#   - DB_CONNECTION  (full connection string with vrapp password)

name: Deploy SOLUTION_ERP

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build-deploy:
    runs-on: windows-latest
    steps:
      # Manual checkout thay vì `uses: actions/checkout@v4` — tránh phụ thuộc
      # github.com (act_runner mỗi run đều `git fetch` để check update action,
      # khi VPS → github.com TCP timeout 21s thì toàn job fail trước khi tới
      # test gate). Gitea internal network luôn ổn định, nên clone trực tiếp.
      # Token `${{ github.token }}` (Gitea cũng dùng tên này) tự sẵn cho job.
      - name: Checkout (manual git, bypass github.com)
        shell: powershell
        run: |
          git config --global --add safe.directory '*'
          git init -q
          git remote add origin "https://gitea-actions:${{ github.token }}@git.baocaogiaoduc.vn/${{ github.repository }}.git"
          # Fetch ref (branch) thay vì SHA — không cần Gitea allow SHA fetch.
          # Depth 30 đủ buffer nếu main đã commit thêm sau khi job pickup.
          $ref = "${{ github.ref }}"
          if ($ref -like "refs/heads/*") { $ref = $ref.Substring(11) }
          git fetch --depth=30 origin $ref
          git checkout --quiet "${{ github.sha }}"
          git log -1 --oneline

      - name: Show tool versions
        shell: powershell
        run: |
          & 'C:\Program Files\dotnet\dotnet.exe' --version
          & 'C:\Program Files\nodejs\node.exe' --version
          & 'C:\Program Files\nodejs\npm.cmd' --version

      # ============== TEST GATE ==============
      # Run tests TRƯỚC build/publish/deploy. Fail → exit non-zero → no deploy.
      # Phase 1: Domain (54 test policy state machine).
      # Phase 2: Infrastructure (17 test code generators format/sequence/year scope).
      - name: Run unit tests (Domain)
        shell: powershell
        run: |
          & 'C:\Program Files\dotnet\dotnet.exe' test tests/SolutionErp.Domain.Tests/SolutionErp.Domain.Tests.csproj `
            --configuration Release `
            --logger "trx;LogFileName=domain-tests.trx" `
            --results-directory test-results
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

      - name: Run integration tests (Infrastructure - SQLite in-memory)
        shell: powershell
        run: |
          & 'C:\Program Files\dotnet\dotnet.exe' test tests/SolutionErp.Infrastructure.Tests/SolutionErp.Infrastructure.Tests.csproj `
            --configuration Release `
            --logger "trx;LogFileName=infra-tests.trx" `
            --results-directory test-results
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

      # Upload test results — bỏ vì `actions/upload-artifact@v4` cũng phụ thuộc
      # github.com fetch (cùng vấn đề như actions/checkout). TRX file vẫn save
      # local trong workspace `test-results/` cho debug khi cần.
      - name: List test results (local debug)
        if: always()
        shell: powershell
        run: |
          if (Test-Path test-results) {
            Get-ChildItem test-results -Recurse | Format-Table FullName, Length
          } else {
            Write-Host "No test-results directory."
          }

      # ============== BUILD ==============
      - name: Build backend
        shell: powershell
        run: |
          & 'C:\Program Files\dotnet\dotnet.exe' restore SolutionErp.slnx
          & 'C:\Program Files\dotnet\dotnet.exe' publish src/Backend/SolutionErp.Api/SolutionErp.Api.csproj `
            --configuration Release `
            --output out/api `
            --runtime win-x64 `
            --self-contained false

      - name: Build fe-admin
        shell: powershell
        working-directory: fe-admin
        run: |
          # Vite 8 rolldown native binding must match platform; fresh resolve on Windows
          Remove-Item node_modules, package-lock.json -Recurse -Force -ErrorAction SilentlyContinue
          & 'C:\Program Files\nodejs\npm.cmd' install --no-audit --no-fund
          & 'C:\Program Files\nodejs\npm.cmd' run build

      - name: Build fe-user
        shell: powershell
        working-directory: fe-user
        run: |
          Remove-Item node_modules, package-lock.json -Recurse -Force -ErrorAction SilentlyContinue
          & 'C:\Program Files\nodejs\npm.cmd' install --no-audit --no-fund
          & 'C:\Program Files\nodejs\npm.cmd' run build

      - name: Deploy to IIS (local)
        if: github.ref == 'refs/heads/main'
        shell: powershell
        env:
          JWT_SECRET: ${{ secrets.JWT_SECRET }}
          DB_CONNECTION: ${{ secrets.DB_CONNECTION }}
        run: |
          Import-Module WebAdministration

          # Stop app pool (if running) so DLLs are writable
          $poolState = (Get-WebAppPoolState -Name SolutionErp-Api -ErrorAction SilentlyContinue).Value
          if ($poolState -eq 'Started') {
              Stop-WebAppPool -Name SolutionErp-Api
              Start-Sleep -Seconds 3
          }

          # Deploy API
          Remove-Item -Path 'C:\inetpub\solution-erp\api\*' -Recurse -Force -Exclude 'appsettings.Production.json','logs','uploads','wwwroot' -ErrorAction SilentlyContinue
          Copy-Item -Path 'out\api\*' -Destination 'C:\inetpub\solution-erp\api\' -Recurse -Force

          # Write appsettings.Production.json from source template + secrets.
          # Template is in source workspace (not in publish output - dotnet publish
          # doesn't copy .example files).
          $example = 'src\Backend\SolutionErp.Api\appsettings.Production.json.example'
          $prod    = 'C:\inetpub\solution-erp\api\appsettings.Production.json'
          $settings = Get-Content $example -Raw | ConvertFrom-Json
          $settings.ConnectionStrings.Default = $env:DB_CONNECTION
          $settings.Jwt.Secret = $env:JWT_SECRET
          $settings | ConvertTo-Json -Depth 10 | Set-Content -Path $prod -Encoding UTF8
          Write-Host "Wrote appsettings.Production.json"

          # Restrict ACL
          icacls $prod /inheritance:r | Out-Null
          icacls $prod /grant:r 'Administrators:(R,W)' 'IIS AppPool\SolutionErp-Api:(R)' | Out-Null

          # Deploy fe-admin
          Remove-Item -Path 'C:\inetpub\solution-erp\fe-admin\*' -Recurse -Force -Exclude 'web.config' -ErrorAction SilentlyContinue
          Copy-Item -Path 'fe-admin\dist\*' -Destination 'C:\inetpub\solution-erp\fe-admin\' -Recurse -Force

          # Deploy fe-user
          Remove-Item -Path 'C:\inetpub\solution-erp\fe-user\*' -Recurse -Force -Exclude 'web.config' -ErrorAction SilentlyContinue
          Copy-Item -Path 'fe-user\dist\*' -Destination 'C:\inetpub\solution-erp\fe-user\' -Recurse -Force

          # Restart app pool
          Start-WebAppPool -Name SolutionErp-Api
          Write-Host "Deploy done. App pool started."

      - name: Smoke test
        if: github.ref == 'refs/heads/main'
        shell: powershell
        run: |
          Start-Sleep -Seconds 10
          try {
              $r = Invoke-WebRequest -Uri 'https://api.solutions.com.vn/health/live' -TimeoutSec 30 -UseBasicParsing
              Write-Host "API /health/live -> $($r.StatusCode)"
          } catch {
              Write-Warning "API smoke test: $_"
          }