Merge pull request #485 from ukwhatn/develop

デプロイ系改善

Author: ukwhatn

.env.example

@@ -54,3 +54,10 @@ AWS_ACCESS_KEY_ID=
 AWS_SECRET_ACCESS_KEY=
 AWS_REGION=auto
 S3_BUCKET_NAME=
+
+# ========================================
+# GitHub設定（デプロイ用）
+# ========================================
+GITHUB_REPOSITORY=ukwhatn/fastapi-template
+GITHUB_USER=
+GITHUB_TOKEN=

.github/workflows/cd-dev.yml

@@ -0,0 +1,25 @@
+name: Deploy to Dev
+
+on:
+  push:
+    branches:
+      - develop
+  workflow_dispatch:
+
+jobs:
+  build-and-push:
+    uses: ./.github/workflows/cd_builder.yml
+    secrets: inherit
+
+  deploy:
+    needs: build-and-push
+    uses: ./.github/workflows/cd_deliverer.yml
+    with:
+      environment: dev
+      branch: develop
+      image_tag: develop
+    secrets:
+      SSH_HOST: ${{ secrets.DEV_SSH_HOST }}
+      SSH_USER: ${{ secrets.DEV_SSH_USER }}
+      SSH_PORT: ${{ secrets.DEV_SSH_PORT }}
+      SSH_PRIVATE_KEY: ${{ secrets.DEV_SSH_PRIVATE_KEY }}

.github/workflows/cd-prod.yml

@@ -0,0 +1,25 @@
+name: Deploy to Production
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  build-and-push:
+    uses: ./.github/workflows/cd_builder.yml
+    secrets: inherit
+
+  deploy:
+    needs: build-and-push
+    uses: ./.github/workflows/cd_deliverer.yml
+    with:
+      environment: production
+      branch: main
+      image_tag: latest
+    secrets:
+      SSH_HOST: ${{ secrets.PROD_SSH_HOST }}
+      SSH_USER: ${{ secrets.PROD_SSH_USER }}
+      SSH_PORT: ${{ secrets.PROD_SSH_PORT }}
+      SSH_PRIVATE_KEY: ${{ secrets.PROD_SSH_PRIVATE_KEY }}

.github/workflows/cd_build-push.yml .github/workflows/cd_builder.yml.github/workflows/cd_build-push.yml renamed to .github/workflows/cd_builder.yml

@@ -0,0 +1,77 @@
+name: Deploy (Reusable)
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string  # dev or prod
+      branch:
+        required: true
+        type: string  # develop or main
+      image_tag:
+        required: true
+        type: string  # develop or latest
+    secrets:
+      SSH_HOST:
+        required: false
+      SSH_USER:
+        required: false
+      SSH_PORT:
+        required: false
+      SSH_PRIVATE_KEY:
+        required: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Check SSH secrets
+        id: check-secrets
+        run: |
+          if [ -z "${{ secrets.SSH_HOST }}" ] || [ -z "${{ secrets.SSH_USER }}" ] || \
+             [ -z "${{ secrets.SSH_PORT }}" ] || [ -z "${{ secrets.SSH_PRIVATE_KEY }}" ]; then
+            echo "SSH secrets not configured. Skipping deployment."
+            echo "skip=true" >> $GITHUB_OUTPUT
+          else
+            echo "SSH secrets configured. Proceeding with deployment."
+            echo "skip=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Deploy to ${{ inputs.environment }}
+        if: steps.check-secrets.outputs.skip != 'true'
+        uses: appleboy/[email protected]
+        with:
+          host: ${{ secrets.SSH_HOST }}
+          username: ${{ secrets.SSH_USER }}
+          port: ${{ secrets.SSH_PORT }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          script: |
+            # ディレクトリ存在チェック
+            cd ${{ github.event.repository.name }} || { echo "Directory not found. Run initial setup first."; exit 1; }
+
+            # 最新コード取得
+            git pull origin ${{ inputs.branch }}
+
+            # .env存在チェック
+            [ -f .env ] || { echo ".env not found. Decrypt .env.${{ inputs.environment }}.enc first."; exit 1; }
+
+            # イメージ取得＆再起動
+            ENV=${{ inputs.environment }} make compose:pull
+            ENV=${{ inputs.environment }} docker compose -f compose.${{ inputs.environment }}.yml up -d --force-recreate --remove-orphans
+
+            # ヘルスチェック
+            echo "Waiting for health check..."
+            for i in {1..12}; do
+              if ENV=${{ inputs.environment }} make compose:ps | grep -q "healthy"; then
+                echo "Deployment successful!"
+                exit 0
+              fi
+              echo "Waiting... ($((i*5))s/60s)"
+              sleep 5
+            done
+
+            echo "Health check timeout. Check logs:"
+            ENV=${{ inputs.environment }} make compose:logs
+            exit 1

.github/workflows/cd_deliverer.yml

@@ -1,4 +1,4 @@
-name: CI & Build
+name: CI
 
 on:
   push:
@@ -31,13 +31,6 @@ jobs:
     uses: ./.github/workflows/ci_docker-test.yml
     secrets: inherit
 
-  # Build and push Docker image (main push or PR to main opened/reopened)
-  build-and-push:
-    needs: [lint, type-check, security, test, docker-test]
-    if: github.event_name == 'push'
-    uses: ./.github/workflows/cd_build-push.yml
-    secrets: inherit
-
   # Branch Protection Rules 用
   # ci-success:
   #   runs-on: ubuntu-latest

.github/workflows/check-and-build.yml .github/workflows/ci.yml.github/workflows/check-and-build.yml renamed to .github/workflows/ci.yml

@@ -97,19 +97,18 @@ make ps                     # Show running containers
 docker compose -f compose.local.yml up -d
 uv run fastapi dev app/main.py
 
-# Dev environment (auto-deploy via Watchtower)
-make dev:deploy             # Deploy to dev environment
+# Dev environment (auto-deploy via GitHub Actions)
+# Server setup (one-time): ./scripts/setup-server.sh dev
+# Then push to develop branch for auto-deploy
 make dev:logs               # View dev logs
 make dev:ps                 # Check dev status
 
-# Production environment (auto-deploy via Watchtower)
-make prod:deploy            # Deploy to production (with confirmation)
+# Production environment (auto-deploy via GitHub Actions)
+# Server setup (one-time): ./scripts/setup-server.sh prod
+# Then push to main branch for auto-deploy
 make prod:logs              # View production logs
 make prod:ps                # Check production status
 
-# Watchtower setup (one-time per server)
-./scripts/setup-watchtower.sh
-
 # Secrets management (SOPS + age)
 make secrets:encrypt:dev    # Encrypt dev secrets
 make secrets:encrypt:prod   # Encrypt prod secrets
@@ -246,10 +245,9 @@ IMPORTANT: Follow these conventions strictly:
 - **Automatic execution**: Migrations run on application startup (FastAPI lifespan event)
 - **Location**: `app/infrastructure/database/alembic/versions/`
 - **Safety**: If migration fails, application startup stops (prevents data corruption)
-- **Watchtower compatibility**: When Watchtower updates the server image, migrations run automatically
+- **Auto-deploy compatibility**: When GitHub Actions deploys new image, migrations run automatically
 - **Idempotency**: Alembic ensures migrations only run once (safe to restart)
 - **Manual rollback**: Use `make db:downgrade REV=-1` if needed
-- **Legacy db-migrator**: Removed (migrations now embedded in server container)
 
 ### Docker Profiles
 - Use `--profile local-db` to enable local database container
@@ -263,15 +261,15 @@ IMPORTANT: Follow these conventions strictly:
 
 ## Deployment Architecture
 
-IMPORTANT: The project uses three distinct deployment environments with automatic updates.
+IMPORTANT: The project uses three distinct deployment environments with GitHub Actions auto-deploy.
 
 ### Environment Overview
 
 | Environment | App Execution | Database | Proxy | Auto-Deploy | Compose File |
 |-------------|--------------|----------|-------|-------------|--------------|
 | **Local** | uv native (hot reload) | Docker (optional) | None | No | `compose.local.yml` |
-| **Dev** | Docker (GHCR.io) | Docker PostgreSQL | Cloudflare Tunnels | Watchtower (develop) | `compose.dev.yml` |
-| **Prod** | Docker (GHCR.io) | External (Supabase) | nginx + Cloudflare | Watchtower (latest) | `compose.prod.yml` |
+| **Dev** | Docker (GHCR.io) | Docker PostgreSQL | Cloudflare Tunnels | GitHub Actions (develop) | `compose.dev.yml` |
+| **Prod** | Docker (GHCR.io) | External (Supabase) | nginx + Cloudflare | GitHub Actions (main) | `compose.prod.yml` |
 
 ### Key Deployment Features
 
@@ -281,29 +279,12 @@ IMPORTANT: The project uses three distinct deployment environments with automati
 - `main` branch → `latest` + `main` + `main-sha-xxx` tags
 - `develop` branch → `develop` + `develop-sha-xxx` tags
 
-**Automatic deployment**: Watchtower monitors GHCR.io and auto-updates containers (10 min polling)
+**Automatic deployment**: GitHub Actions SSHs into server and deploys on push to develop/main
 
-**Label-based control**: Only containers with `com.centurylinklabs.watchtower.enable=true` update
+**Sparse checkout**: Server only clones necessary files (compose.yml, Makefile, etc.) to minimize disk usage
 
 **Secrets management**: SOPS + age for encrypted environment files (`.env.dev.enc`, `.env.prod.enc`)
 
-### Watchtower Setup
-
-**One Watchtower per server** (not per project):
-- Label-based control prevents unintended updates
-- Weekly self-update via cron
-- Discord/Slack notifications via Shoutrrr
-- Setup: `./scripts/setup-watchtower.sh`
-
-**Auto-update enabled for**:
-- `server` container
-- `db-dumper` container (from ukwhatn/postgres-tools)
-- `db-migrator` container (from ukwhatn/postgres-tools)
-
-**Auto-update disabled for**:
-- `db` container (PostgreSQL)
-- `cloudflared` container
-
 ### Secrets Management (SOPS + age)
 
 **Why**: Encrypted secrets can be safely committed to Git with full audit trail
@@ -316,9 +297,12 @@ IMPORTANT: The project uses three distinct deployment environments with automati
 5. Commit encrypted file to Git
 
 **Deployment flow**:
-1. Deploy script decrypts `.env.dev.enc` → `.env`
-2. Starts containers with decrypted secrets
-3. Removes `.env` after deployment
+1. GitHub Actions builds image and pushes to GHCR.io
+2. GitHub Actions SSHs into server
+3. Server runs `git pull` to get latest compose.yml
+4. Server runs `docker compose pull` to get latest image
+5. Server runs `docker compose up -d --force-recreate` to restart containers
+6. Health check confirmation (60s timeout)
 
 **Reference**: See `docs/secrets-management.md` for detailed guide
 
@@ -332,36 +316,40 @@ uv run fastapi dev app/main.py
 
 **Dev deployment** (initial):
 ```bash
-./scripts/setup-watchtower.sh  # One-time per server
-./scripts/deploy-dev.sh         # Deploy
+# On server (one-time setup)
+./scripts/setup-server.sh dev
+
+# Configure GitHub Secrets (one-time):
+# DEV_SSH_HOST, DEV_SSH_USER, DEV_SSH_PORT, DEV_SSH_PRIVATE_KEY
 ```
 
 **Dev deployment** (subsequent):
 ```bash
-git push origin develop        # GitHub Actions builds and pushes
-# Watchtower auto-updates within 10 minutes
+git push origin develop        # GitHub Actions auto-deploys
 ```
 
 **Production deployment** (initial):
 ```bash
-./scripts/setup-watchtower.sh  # One-time per server
-./scripts/deploy-prod.sh        # Deploy with confirmation
+# On server (one-time setup)
+./scripts/setup-server.sh prod
+
+# Configure GitHub Secrets (one-time):
+# PROD_SSH_HOST, PROD_SSH_USER, PROD_SSH_PORT, PROD_SSH_PRIVATE_KEY
 ```
 
 **Production deployment** (subsequent):
 ```bash
-git push origin main           # GitHub Actions builds and pushes
-# Watchtower auto-updates within 10 minutes
+git push origin main           # GitHub Actions auto-deploys
 ```
 
 ### Important Deployment Notes
 
-- **No SSH required**: All deployments use GHCR.io pull + Watchtower
-- **Downtime**: 10-30 seconds during auto-updates
-- **Branch isolation**: develop and main branches use different tags (no cross-contamination)
-- **Rollback**: Use SHA tags for specific version deployment
-- **Monitoring**: Check Watchtower logs with `docker logs watchtower -f`
-- **Health checks**: Containers have built-in health checks; Watchtower respects them
+- **SSH managed by GitHub Actions**: Developers don't need server access
+- **Downtime**: ~10-30 seconds during deploys (forced container recreation)
+- **Branch isolation**: develop and main branches use different tags and servers
+- **Rollback**: Use `git revert` and push, or manually checkout previous commit on server
+- **Monitoring**: Check GitHub Actions logs and server logs with `ENV={dev|prod} make compose:logs`
+- **Health checks**: Deployment fails if health check doesn't pass within 60 seconds
 
 **Reference**: See `docs/deployment.md` for comprehensive deployment guide
 

CLAUDE.md

@@ -277,19 +277,6 @@ prod\:ps:
 prod\:down:
 	@ENV=prod $(MAKE) compose:down
 
-# ==== Watchtower管理コマンド ====
-watchtower\:setup:
-	@./scripts/setup-watchtower.sh
-
-watchtower\:logs:
-	@docker logs watchtower -f
-
-watchtower\:status:
-	@docker ps --filter "name=watchtower"
-
-watchtower\:restart:
-	@docker restart watchtower
-
 # ==== 秘密情報管理コマンド ====
 secrets\:encrypt\:dev:
 	@if [ ! -f .env.dev ]; then \
@@ -380,4 +367,4 @@ template\:apply\:force:
 	git checkout $$commit_hash -- . && \
 	echo "テンプレートの変更が強制的に適用されました。変更を確認しgit add/commitしてください。"
 
-.PHONY: build build\:no-cache up down reload reset logs logs\:once ps pr\:create deploy\:prod uv\:add uv\:add\:dev uv\:lock uv\:update uv\:update\:all dev\:setup lint lint\:fix format format\:check type-check security\:scan security\:scan\:code security\:scan\:code\:critical security\:scan\:sast security\:scan\:sast\:critical security\:scan\:trivy test test\:cov db\:revision\:create db\:migrate db\:downgrade db\:current db\:history db\:backup\:oneshot db\:backup\:list db\:backup\:list\:remote db\:backup\:diff db\:backup\:diff\:s3 db\:backup\:restore db\:backup\:restore\:s3 db\:backup\:restore\:dry-run env openapi\:generate compose\:up compose\:down compose\:down\:v compose\:logs compose\:ps compose\:pull compose\:restart compose\:build local\:up local\:down local\:down\:v local\:logs local\:ps local\:serve dev\:deploy dev\:logs dev\:ps dev\:down prod\:deploy prod\:logs prod\:ps prod\:down watchtower\:setup watchtower\:logs watchtower\:status watchtower\:restart secrets\:encrypt\:dev secrets\:encrypt\:prod secrets\:decrypt\:dev secrets\:decrypt\:prod secrets\:edit\:dev secrets\:edit\:prod project\:rename project\:init template\:list template\:apply template\:apply\:range template\:apply\:force pre-commit\:install pre-commit\:run pre-commit\:update
+.PHONY: build build\:no-cache up down reload reset logs logs\:once ps pr\:create deploy\:prod uv\:add uv\:add\:dev uv\:lock uv\:update uv\:update\:all dev\:setup lint lint\:fix format format\:check type-check security\:scan security\:scan\:code security\:scan\:code\:critical security\:scan\:sast security\:scan\:sast\:critical security\:scan\:trivy test test\:cov db\:revision\:create db\:migrate db\:downgrade db\:current db\:history db\:backup\:oneshot db\:backup\:list db\:backup\:list\:remote db\:backup\:diff db\:backup\:diff\:s3 db\:backup\:restore db\:backup\:restore\:s3 db\:backup\:restore\:dry-run env openapi\:generate compose\:up compose\:down compose\:down\:v compose\:logs compose\:ps compose\:pull compose\:restart compose\:build local\:up local\:down local\:down\:v local\:logs local\:ps local\:serve dev\:deploy dev\:logs dev\:ps dev\:down prod\:deploy prod\:logs prod\:ps prod\:down secrets\:encrypt\:dev secrets\:encrypt\:prod secrets\:decrypt\:dev secrets\:decrypt\:prod secrets\:edit\:dev secrets\:edit\:prod project\:rename project\:init template\:list template\:apply template\:apply\:range template\:apply\:force pre-commit\:install pre-commit\:run pre-commit\:update

Makefile

@@ -11,7 +11,7 @@
 services:
   server:
     container_name: ${COMPOSE_PROJECT_NAME:-fastapi-template}-server-dev
-    image: ghcr.io/${GITHUB_REPOSITORY:-owner/repo}:develop
+    image: ghcr.io/${GITHUB_REPOSITORY:-ukwhatn/fastapi-template}:develop
     command:
       - /bin/sh
       - -c
@@ -36,8 +36,6 @@ services:
         required: false
     networks:
       - db-dev
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
 
   db:
     container_name: ${COMPOSE_PROJECT_NAME:-fastapi-template}-db-dev
@@ -59,8 +57,6 @@ services:
       - db-dev
     profiles:
       - local-db
-    labels:
-      - "com.centurylinklabs.watchtower.enable=false"
 
 volumes:
   pg_data_dev: