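name: deploy

# Fires on any pushed tag matching `deploy-*-*`. The runner pulls the
# compass-mcp image from ECR and invokes
# `compass-mcp-deploy run --tag $GITHUB_REF_NAME` inside that container.
#
# NOTE(review): a tag trigger carries no branch filter, and no step below
# checks that the tagged commit is reachable from main. Every run started by
# a matching tag holds the write credentials declared in `env`, so restrict
# who may create `deploy-*-*` tags (protected tags) or add an ancestry check
# if "on main" is a requirement.
on:
  push:
    tags:
      - "deploy-*-*"

jobs:
  apply-migrations:
    runs-on: ubuntu-latest
    # The runner config allow-lists this network + volumes; both have
    # to match what bootstrap-gitea.sh wrote into runner-config.yaml.
    container:
      # NOTE(review): the image reference comes from a repo variable. If that
      # value is a mutable tag rather than a `name@sha256:...` digest, this
      # job runs whatever the tag currently points at, with write access to
      # the databases. Prefer a digest reference.
      image: ${{ vars.COMPASS_MCP_IMAGE }}
      # Join the compose network so `neo4j:7687` resolves. The default is
      # `graph-db_default`; override it via the COMPASS_NETWORK repo variable
      # if the compose project name differs.
      network: ${{ vars.COMPASS_NETWORK || 'graph-db_default' }}
      volumes:
        # Same path on host and in the container, so snapshots written by the
        # deploy tool land in the host snapshot directory.
        - ${{ vars.COMPASS_SNAPSHOT_DIR || '/var/lib/compass/snapshots' }}:${{ vars.COMPASS_SNAPSHOT_DIR || '/var/lib/compass/snapshots' }}
    env:
      # Structured graph (7687). These are the ONLY credentials with
      # write access — kept in Gitea repo secrets and never read by
      # the read-side services.
      #
      # NOTE(review): declared here, the secrets are in the environment of
      # every step, including the third-party checkout and upload-artifact
      # actions. Only "Apply migrations" visibly needs them; consider moving
      # them to that step's own `env` once confirmed nothing else reads them.
      NEO4J_URI: ${{ secrets.NEO4J_URI }}
      NEO4J_USER: ${{ secrets.NEO4J_DEPLOY_USER }}
      NEO4J_PASSWORD: ${{ secrets.NEO4J_DEPLOY_PASSWORD }}
      POSTGRES_RAG_DSN: ${{ secrets.POSTGRES_RAG_DSN }}
      COMPASS_SNAPSHOT_DIR: ${{ vars.COMPASS_SNAPSHOT_DIR || '/var/lib/compass/snapshots' }}
    steps:
      - name: Check out migrations repo
        # NOTE(review): `v4` is a mutable ref and this job holds write
        # credentials; pin to a full commit SHA (<CHECKOUT_COMMIT_SHA>).
        uses: actions/checkout@v4
        with:
          # Full history and tags, so the deploy tool can resolve the tag.
          fetch-depth: 0
          fetch-tags: true

      - name: Ensure snapshot directory exists
        run: mkdir -p "$COMPASS_SNAPSHOT_DIR"

      - name: Apply migrations
        id: deploy
        # `pipefail` makes a failing deploy fail the step even though its
        # output is piped through `tee`.
        # NOTE(review): `--reviewer` receives the account that triggered the
        # run (the tag pusher); confirm that is the identity the audit trail
        # is meant to record.
        run: |
          set -euo pipefail
          compass-mcp-deploy run \
            --tag "$GITHUB_REF_NAME" \
            --repo "$GITHUB_WORKSPACE" \
            --snapshot-dir "$COMPASS_SNAPSHOT_DIR" \
            --reviewer "$GITHUB_ACTOR" \
            | tee "deploy-result-$GITHUB_REF_NAME.json"

      - name: Record resolved image digest
        if: always()
        # The image reference reaches the script through the environment
        # instead of being expanded into the script text, so the shell treats
        # the variable's value as data even if it contains quotes or `$(`.
        env:
          COMPASS_MCP_IMAGE: ${{ vars.COMPASS_MCP_IMAGE }}
        run: |
          echo "image=$COMPASS_MCP_IMAGE" >> deploy-meta.txt
          # NOTE(review): this records the first line of /proc/self/cgroup,
          # which is not an image digest and does not identify the image
          # content that ran. Do not rely on this field as provenance.
          echo "digest=$(cat /proc/self/cgroup 2>/dev/null | head -1 || true)" >> deploy-meta.txt

      - name: Upload deploy result
        if: always()
        # NOTE(review): `v4` is a mutable ref; pin to a full commit SHA
        # (<UPLOAD_ARTIFACT_COMMIT_SHA>). The artifact is readable by anyone
        # with access to the run, so verify the deploy JSON never echoes
        # connection strings or credentials.
        uses: actions/upload-artifact@v4
        with:
          name: deploy-result-${{ github.ref_name }}
          path: |
            deploy-result-*.json
            deploy-meta.txt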