Hartmut
78d50b78d3
Scripts: - stop.sh: replace Linux-only fuser with cross-platform lsof fallback - start.sh: parameterize port (APP_PORT) and container name (dynamic lookup) - app-dev-start.sh: cross-platform stat (GNU -c / BSD -f) and setpriv/su fallback - deploy-compose.sh: parameterize Docker registry via DOCKER_REGISTRY env var - harden-postgres.sh: make DB_USER and DB_NAME configurable via env vars NPM security: - next: 15.5.12 → 15.5.15 (fixes HTTP request smuggling CVE) - nodemailer: 8.0.1 → 8.0.5 (fixes SMTP command injection CVEs) - lodash-es: add pnpm override to force >=4.18.0 (fixes code injection + prototype pollution) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
60 lines
1.8 KiB
Bash
Executable File
60 lines
1.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
DEPLOY_ENV="${1:-unknown}"
|
|
COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.prod.yml}"
|
|
APP_ENV_FILE="${APP_ENV_FILE:-.env.production}"
|
|
DEPLOY_ENV_FILE="${DEPLOY_ENV_FILE:-deploy.env}"
|
|
READY_URL="${READY_URL:-http://127.0.0.1:${APP_HOST_PORT:-3000}/api/ready}"
|
|
READY_ATTEMPTS="${READY_ATTEMPTS:-60}"
|
|
READY_SLEEP_SECONDS="${READY_SLEEP_SECONDS:-5}"
|
|
|
|
if [ -f "${APP_ENV_FILE}" ]; then
|
|
set -a
|
|
# Load application secrets so docker compose interpolation sees them.
|
|
. "${APP_ENV_FILE}"
|
|
set +a
|
|
fi
|
|
|
|
if [ -f "${DEPLOY_ENV_FILE}" ]; then
|
|
set -a
|
|
. "${DEPLOY_ENV_FILE}"
|
|
set +a
|
|
fi
|
|
|
|
: "${APP_IMAGE:?APP_IMAGE must be set}"
|
|
: "${MIGRATOR_IMAGE:?MIGRATOR_IMAGE must be set}"
|
|
: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
|
|
|
|
echo "Deploy environment: ${DEPLOY_ENV}"
|
|
echo "Compose file: ${COMPOSE_FILE}"
|
|
echo "App env file: ${APP_ENV_FILE}"
|
|
echo "App image: ${APP_IMAGE}"
|
|
echo "Migrator image: ${MIGRATOR_IMAGE}"
|
|
|
|
DOCKER_REGISTRY="${DOCKER_REGISTRY:-ghcr.io}"
|
|
if [ -n "${GHCR_USERNAME:-}" ] && [ -n "${GHCR_TOKEN:-}" ]; then
|
|
printf '%s\n' "${GHCR_TOKEN}" | docker login "${DOCKER_REGISTRY}" -u "${GHCR_USERNAME}" --password-stdin
|
|
fi
|
|
|
|
docker compose -f "${COMPOSE_FILE}" config -q
|
|
docker compose -f "${COMPOSE_FILE}" pull app migrator
|
|
docker compose -f "${COMPOSE_FILE}" up -d postgres redis
|
|
docker compose -f "${COMPOSE_FILE}" run --rm migrator
|
|
docker compose -f "${COMPOSE_FILE}" up -d app
|
|
|
|
for attempt in $(seq 1 "${READY_ATTEMPTS}"); do
|
|
if curl -fsS "${READY_URL}" >/dev/null 2>&1; then
|
|
echo "Application ready after attempt ${attempt}"
|
|
docker compose -f "${COMPOSE_FILE}" ps
|
|
exit 0
|
|
fi
|
|
|
|
sleep "${READY_SLEEP_SECONDS}"
|
|
done
|
|
|
|
echo "Deployment failed readiness check: ${READY_URL}" >&2
|
|
docker compose -f "${COMPOSE_FILE}" ps >&2
|
|
docker compose -f "${COMPOSE_FILE}" logs --tail 200 app >&2
|
|
exit 1
|