feat: kustomize for local & prod k8s

.env.example

@@ -0,0 +1,12 @@
+## Root local development secrets
+#
+# This file is used by `make secret` to create a Kubernetes Secret for local Kind dev.
+# Keep this file limited to *secrets only* - non-secret configuration lives in
+# kustomize ConfigMap patches (e.g., kustomize/overlays/local/backend-configmap-local.yaml).
+#
+# Required
+WALLET_ADDRESS=
+WALLET_PRIVATE_KEY=
+#
+# Optional (only if using an external DB or a non-default password)
+# DATABASE_PASSWORD=

.github/actions/docker-build/action.yml

@@ -0,0 +1,76 @@
+name: docker-build
+description: Build a Docker image with BuildKit + GHA cache (optionally push or load).
+
+inputs:
+  context:
+    description: Docker build context
+    required: false
+    default: .
+  file:
+    description: Path to Dockerfile
+    required: true
+  tags:
+    description: Newline-separated image tags
+    required: true
+  platforms:
+    description: Target platforms (only relevant when pushing)
+    required: false
+    default: linux/amd64
+  push:
+    description: Push image to registry
+    required: false
+    default: "false"
+  load:
+    description: Load image into local Docker daemon
+    required: false
+    default: "false"
+  cache-scope:
+    description: Scope key for GHA build cache
+    required: true
+  setup-buildx:
+    description: Whether to set up docker buildx
+    required: false
+    default: "true"
+  login:
+    description: Whether to login to a registry
+    required: false
+    default: "false"
+  registry:
+    description: Registry hostname for login
+    required: false
+    default: ghcr.io
+  username:
+    description: Registry username for login
+    required: false
+    default: ""
+  password:
+    description: Registry password/token for login
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Docker Buildx
+      if: inputs.setup-buildx == 'true'
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to registry
+      if: inputs.login == 'true'
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+
+    - name: Build image
+      uses: docker/build-push-action@v6
+      with:
+        context: ${{ inputs.context }}
+        file: ${{ inputs.file }}
+        tags: ${{ inputs.tags }}
+        push: ${{ inputs.push }}
+        load: ${{ inputs.load }}
+        cache-from: type=gha,scope=${{ inputs.cache-scope }}
+        cache-to: type=gha,mode=max,scope=${{ inputs.cache-scope }}
+        platforms: ${{ inputs.platforms }}

.github/workflows/docker-build.yml

@@ -0,0 +1,78 @@
+name: Build and Push Docker Images
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: docker-build-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  detect-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      backend: ${{ steps.filter.outputs.backend }}
+      web: ${{ steps.filter.outputs.web }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check for changes
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          filters: |
+            backend:
+              - 'apps/backend/**'
+              - 'pnpm-lock.yaml'
+              - 'pnpm-workspace.yaml'
+            web:
+              - 'apps/web/**'
+              - 'pnpm-lock.yaml'
+              - 'pnpm-workspace.yaml'
+
+  integration-test:
+    needs: detect-changes
+    if: needs.detect-changes.outputs.backend == 'true' || needs.detect-changes.outputs.web == 'true'
+    uses: ./.github/workflows/reusable-k8s-test.yml
+
+  build-backend:
+    needs: [detect-changes, integration-test]
+    if: needs.detect-changes.outputs.backend == 'true'
+    permissions:
+      contents: read
+      packages: write
+    uses: ./.github/workflows/reusable-docker-build.yml
+    with:
+      app: backend
+      dockerfile: apps/backend/Dockerfile
+      image: filozone/dealbot-backend
+      tags: |
+        ghcr.io/filozone/dealbot-backend:sha-${{ github.sha }}
+        ghcr.io/filozone/dealbot-backend:sha-${{ github.run_number }}-${{ github.sha }}
+      summary: |
+        echo "backend image (sha): ghcr.io/filozone/dealbot-backend:sha-${{ github.sha }}"
+        echo "backend image (ordered): ghcr.io/filozone/dealbot-backend:sha-${{ github.run_number }}-${{ github.sha }}"
+
+  build-web:
+    needs: [detect-changes, integration-test]
+    if: needs.detect-changes.outputs.web == 'true'
+    permissions:
+      contents: read
+      packages: write
+    uses: ./.github/workflows/reusable-docker-build.yml
+    with:
+      app: web
+      dockerfile: apps/web/Dockerfile
+      image: filozone/dealbot-web
+      tags: |
+        ghcr.io/filozone/dealbot-web:sha-${{ github.sha }}
+        ghcr.io/filozone/dealbot-web:sha-${{ github.run_number }}-${{ github.sha }}
+      summary: |
+        echo "web image (sha): ghcr.io/filozone/dealbot-web:sha-${{ github.sha }}"
+        echo "web image (ordered): ghcr.io/filozone/dealbot-web:sha-${{ github.run_number }}-${{ github.sha }}"

.github/workflows/hotfix-release.yml

@@ -0,0 +1,104 @@
+name: Hotfix Release
+
+on:
+  push:
+    branches:
+      - 'hotfix/**'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  hotfix-release:
+    runs-on: ubuntu-latest
+    outputs:
+      releases_created: ${{ steps.release.outputs.releases_created }}
+      backend_release_created: ${{ steps.release.outputs['apps/backend--release_created'] }}
+      backend_tag_name: ${{ steps.release.outputs['apps/backend--tag_name'] }}
+      backend_version: ${{ steps.release.outputs['apps/backend--version'] }}
+      backend_sha: ${{ steps.release.outputs['apps/backend--sha'] }}
+      web_release_created: ${{ steps.release.outputs['apps/web--release_created'] }}
+      web_tag_name: ${{ steps.release.outputs['apps/web--tag_name'] }}
+      web_version: ${{ steps.release.outputs['apps/web--version'] }}
+      web_sha: ${{ steps.release.outputs['apps/web--sha'] }}
+    steps:
+      - uses: googleapis/release-please-action@v4
+        id: release
+        with:
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json
+          target-branch: ${{ github.ref_name }}
+
+  hotfix-build-matrix:
+    needs: hotfix-release
+    runs-on: ubuntu-latest
+    outputs:
+      has_items: ${{ steps.set-matrix.outputs.has_items }}
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Build matrix
+        id: set-matrix
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          include='[]'
+
+          if [[ "${{ needs.hotfix-release.outputs.backend_release_created }}" == "true" ]]; then
+            include="$(jq -c \
+              --arg app "backend" \
+              --arg dockerfile "apps/backend/Dockerfile" \
+              --arg image "filozone/dealbot-backend" \
+              --arg sha "${{ needs.hotfix-release.outputs.backend_sha }}" \
+              --arg version "${{ needs.hotfix-release.outputs.backend_version }}" \
+              '. + [{app: $app, dockerfile: $dockerfile, image: $image, sha: $sha, version: $version}]' \
+              <<<"$include")"
+          fi
+
+          if [[ "${{ needs.hotfix-release.outputs.web_release_created }}" == "true" ]]; then
+            include="$(jq -c \
+              --arg app "web" \
+              --arg dockerfile "apps/web/Dockerfile" \
+              --arg image "filozone/dealbot-web" \
+              --arg sha "${{ needs.hotfix-release.outputs.web_sha }}" \
+              --arg version "${{ needs.hotfix-release.outputs.web_version }}" \
+              '. + [{app: $app, dockerfile: $dockerfile, image: $image, sha: $sha, version: $version}]' \
+              <<<"$include")"
+          fi
+
+          matrix="$(jq -c --argjson include "$include" '{include: $include}' <<<"{}")"
+          echo "matrix=$matrix" >>"$GITHUB_OUTPUT"
+
+          if [[ "$include" == "[]" ]]; then
+            echo "has_items=false" >>"$GITHUB_OUTPUT"
+          else
+            echo "has_items=true" >>"$GITHUB_OUTPUT"
+          fi
+
+  # Build hotfix images immediately
+  build-hotfix:
+    needs:
+      - hotfix-release
+      - hotfix-build-matrix
+    if: needs.hotfix-build-matrix.outputs.has_items == 'true'
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix: ${{ fromJSON(needs.hotfix-build-matrix.outputs.matrix) }}
+    uses: ./.github/workflows/reusable-docker-build.yml
+    with:
+      app: ${{ matrix.app }}
+      dockerfile: ${{ matrix.dockerfile }}
+      image: ${{ matrix.image }}
+      ref: ${{ matrix.sha }}
+      tags: |
+        ${{ env.REGISTRY }}/${{ matrix.image }}:v${{ matrix.version }}
+        ${{ env.REGISTRY }}/${{ matrix.image }}:hotfix-${{ matrix.sha }}
+      summary: |
+        echo "🚨 HOTFIX DEPLOYED: ${{ matrix.app }} v${{ matrix.version }}"
+        echo "Image: ${{ env.REGISTRY }}/${{ matrix.image }}:v${{ matrix.version }}"

.github/workflows/release-please.yml

@@ -0,0 +1,101 @@
+name: Release Please
+
+on:
+  workflow_run:
+    workflows: ["Build and Push Docker Images"]
+    types:
+      - completed
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      note:
+        description: "Optional note for why this run was triggered manually."
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    # Only run automatically if the image build workflow succeeded; manual runs skip this gate.
+    if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
+    outputs:
+      releases_created: ${{ steps.release.outputs.releases_created }}
+      backend_release_created: ${{ steps.release.outputs['apps/backend--release_created'] }}
+      backend_tag_name: ${{ steps.release.outputs['apps/backend--tag_name'] }}
+      backend_version: ${{ steps.release.outputs['apps/backend--version'] }}
+      backend_sha: ${{ steps.release.outputs['apps/backend--sha'] }}
+      web_release_created: ${{ steps.release.outputs['apps/web--release_created'] }}
+      web_tag_name: ${{ steps.release.outputs['apps/web--tag_name'] }}
+      web_version: ${{ steps.release.outputs['apps/web--version'] }}
+      web_sha: ${{ steps.release.outputs['apps/web--sha'] }}
+    steps:
+      - uses: googleapis/release-please-action@v4
+        id: release
+        with:
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json
+
+  retag-backend:
+    needs: release-please
+    if: needs.release-please.outputs.backend_release_created == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Retag backend image
+        run: |
+          SOURCE_SHA="${{ needs.release-please.outputs.backend_sha }}"
+          VERSION="${{ needs.release-please.outputs.backend_version }}"
+          REPO="ghcr.io/filozone/dealbot-backend"
+
+          echo "Retagging ${REPO}:sha-${SOURCE_SHA} → ${REPO}:v${VERSION}"
+
+          # Use docker buildx imagetools to create a new tag pointing to the same image
+          docker buildx imagetools create \
+            --tag "${REPO}:v${VERSION}" \
+            "${REPO}:sha-${SOURCE_SHA}"
+
+          echo "✅ Backend released: v${VERSION}"
+
+  retag-web:
+    needs: release-please
+    if: needs.release-please.outputs.web_release_created == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Retag web image
+        run: |
+          SOURCE_SHA="${{ needs.release-please.outputs.web_sha }}"
+          VERSION="${{ needs.release-please.outputs.web_version }}"
+          REPO="ghcr.io/filozone/dealbot-web"
+
+          echo "Retagging ${REPO}:sha-${SOURCE_SHA} → ${REPO}:v${VERSION}"
+
+          # Use docker buildx imagetools to create a new tag pointing to the same image
+          docker buildx imagetools create \
+            --tag "${REPO}:v${VERSION}" \
+            "${REPO}:sha-${SOURCE_SHA}"
+
+          echo "✅ Web released: v${VERSION}"