mirror of
https://github.com/ruvnet/RuView
synced 2026-06-17 11:33:19 +00:00
rUv
df617145d6
* feat(ADR-262 P3): live RuField surface — RuView sensing speaks RuField on /api/field + /ws/field Wire the P1 `wifi-densepose-rufield` bridge into the live `wifi-densepose-sensing-server` so the governed sensing cycle emits real signed RuField `FieldEvent`s on two additive endpoints. - Cargo: add the `wifi-densepose-rufield` path dep (the single coupling point, ADR-262 §5.4 — no new RuView-internal coupling). - New `src/rufield_surface.rs` (kept out of the 8k-line main.rs): `FieldSurface` holds a dedicated ed25519 `Signer` + a bounded ring of recent events + the `/ws/field` broadcast topic; `GET /api/field` and `GET /ws/field` handlers; a standalone `router()` for isolated testing. - Signer (defers the P2 key decision, ADR-262 §8 Q1): a STANDALONE dev/sensing key from `WDP_RUFIELD_SIGNING_SEED`, else a deterministic dev default with a logged WARN. Reusing the `cog-ha-matter` Ed25519 key is the deferred P2 call — P3 does not pre-empt it. - Tap: at the ESP32 governed-trust cycle (`main.rs` ~5886 observe_cycle / ~5938 SensingUpdate build), `emit_rufield_event` joins the cycle's features/classification/signal_field with the engine's effective_class/demoted trust state into a `SensingSnapshot` and surfaces it via the bridge. Existing endpoints (`/ws/sensing` etc.) are unchanged — purely additive. - Privacy egress: `network_egress_allowed` is fail-closed for an unattended live surface — only P1/P2 leave the box; P0 raw and P3/P4/P5 (identity/biometric/aggregate) are held edge-local. A `Derived` cycle maps to P4/P5 and never surfaces. - No-phantom: `emit` drops no-presence cycles (no fabricated events). Gates (tests/rufield_surface_test.rs, tower::oneshot, 4/0): well-formed signed event (WifiCsi, P2 not P1, is_fusable, real timestamp); empty cycle → no phantom; Derived trust never surfaces; mixed stream surfaces only egress-safe events. Honesty (ADR-262 §0/§6): real plumbing on a live endpoint, NOT accuracy. Single-link CSI with its existing caveats (no validated room-coordinate accuracy); dedicated dev signing key pending the P2 ownership decision; no accuracy claim. Co-Authored-By: claude-flow <ruv@ruv.net> * docs(ADR-262 P3): mark P1+P3 implemented; document /api/field + /ws/field; CHANGELOG - ADR-262 Status → "P1 + P3 implemented"; add a P3 implementation-status block (tap site, endpoints, dedicated dev signer deferring the §8 Q1 key decision, fail-closed egress, gates). Keep the honesty framing: real plumbing on a live endpoint, not accuracy. - CHANGELOG [Unreleased]: add the ADR-262 P3 entry. - user-guide: add `/api/field` to the REST table + a "RuField surface (ADR-262 P3)" section covering `/api/field` + `/ws/field`, the fail-closed P1/P2-only egress, the WDP_RUFIELD_SIGNING_SEED dev key, and the no-accuracy honesty note. Co-Authored-By: claude-flow <ruv@ruv.net> * ci: checkout submodules everywhere + Dockerfile copies vendor/rufield Making wifi-densepose-rufield (ADR-262 bridge) a v2 workspace member means EVERY cargo-on-workspace context must have the vendor/rufield submodule present (cargo loads all member manifests). P1 only fixed the rust-tests job; this adds `submodules: recursive` to all workflow checkouts that run cargo (mqtt-integration was failing on the missing submodule manifest), and makes Dockerfile.rust COPY vendor/rufield/ to /vendor/rufield (matches the bridge's ../../../vendor/rufield path-dep under the collapsed Docker layout). update-submodules.yml left alone (it manages submodules itself). Co-Authored-By: claude-flow <ruv@ruv.net> --------- Co-authored-by: ruv <ruvnet@gmail.com>
358 lines
12 KiB
YAML
358 lines
12 KiB
YAML
name: Continuous Deployment
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
tags: [ 'v*' ]
|
|
workflow_run:
|
|
workflows: ["Continuous Integration"]
|
|
types:
|
|
- completed
|
|
branches: [ main ]
|
|
workflow_dispatch:
|
|
inputs:
|
|
environment:
|
|
description: 'Deployment environment'
|
|
required: true
|
|
default: 'staging'
|
|
type: choice
|
|
options:
|
|
- staging
|
|
- production
|
|
force_deploy:
|
|
description: 'Force deployment (skip checks)'
|
|
required: false
|
|
default: false
|
|
type: boolean
|
|
|
|
env:
|
|
REGISTRY: ghcr.io
|
|
IMAGE_NAME: ${{ github.repository }}
|
|
KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_DATA }}
|
|
|
|
jobs:
|
|
# Pre-deployment checks
|
|
pre-deployment:
|
|
name: Pre-deployment Checks
|
|
runs-on: ubuntu-latest
|
|
if: github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch'
|
|
outputs:
|
|
deploy_env: ${{ steps.determine-env.outputs.environment }}
|
|
image_tag: ${{ steps.determine-tag.outputs.tag }}
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
submodules: recursive
|
|
|
|
- name: Determine deployment environment
|
|
id: determine-env
|
|
env:
|
|
# Use environment variable to prevent shell injection
|
|
GITHUB_EVENT_NAME: ${{ github.event_name }}
|
|
GITHUB_REF: ${{ github.ref }}
|
|
GITHUB_INPUT_ENVIRONMENT: ${{ github.event.inputs.environment }}
|
|
run: |
|
|
if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
|
|
echo "environment=$GITHUB_INPUT_ENVIRONMENT" >> $GITHUB_OUTPUT
|
|
elif [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
|
|
echo "environment=staging" >> $GITHUB_OUTPUT
|
|
elif [[ "$GITHUB_REF" == refs/tags/v* ]]; then
|
|
echo "environment=production" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "environment=staging" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: Determine image tag
|
|
id: determine-tag
|
|
run: |
|
|
if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
|
|
echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "tag=${{ github.sha }}" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: Verify image exists
|
|
run: |
|
|
docker manifest inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.determine-tag.outputs.tag }}
|
|
|
|
# Deploy to staging
|
|
deploy-staging:
|
|
name: Deploy to Staging
|
|
runs-on: ubuntu-latest
|
|
needs: [pre-deployment]
|
|
if: needs.pre-deployment.outputs.deploy_env == 'staging'
|
|
environment:
|
|
name: staging
|
|
url: https://staging.wifi-densepose.com
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
submodules: recursive
|
|
|
|
- name: Set up kubectl
|
|
uses: azure/setup-kubectl@v3
|
|
with:
|
|
version: 'v1.28.0'
|
|
|
|
- name: Configure kubectl
|
|
run: |
|
|
echo "${{ secrets.KUBE_CONFIG_DATA_STAGING }}" | base64 -d > kubeconfig
|
|
export KUBECONFIG=kubeconfig
|
|
|
|
- name: Deploy to staging namespace
|
|
run: |
|
|
export KUBECONFIG=kubeconfig
|
|
|
|
# Update image tag in deployment
|
|
kubectl set image deployment/wifi-densepose wifi-densepose=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.pre-deployment.outputs.image_tag }} -n wifi-densepose-staging
|
|
|
|
# Wait for rollout to complete
|
|
kubectl rollout status deployment/wifi-densepose -n wifi-densepose-staging --timeout=600s
|
|
|
|
# Verify deployment
|
|
kubectl get pods -n wifi-densepose-staging -l app=wifi-densepose
|
|
|
|
- name: Run smoke tests
|
|
run: |
|
|
sleep 30
|
|
curl -f https://staging.wifi-densepose.com/health || exit 1
|
|
curl -f https://staging.wifi-densepose.com/api/v1/info || exit 1
|
|
|
|
- name: Run integration tests against staging
|
|
run: |
|
|
python -m pytest tests/integration/ --base-url=https://staging.wifi-densepose.com -v
|
|
|
|
# Deploy to production
|
|
deploy-production:
|
|
name: Deploy to Production
|
|
runs-on: ubuntu-latest
|
|
needs: [pre-deployment, deploy-staging]
|
|
if: needs.pre-deployment.outputs.deploy_env == 'production' || (github.ref == 'refs/tags/v*' && needs.deploy-staging.result == 'success')
|
|
environment:
|
|
name: production
|
|
url: https://wifi-densepose.com
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
submodules: recursive
|
|
|
|
- name: Set up kubectl
|
|
uses: azure/setup-kubectl@v3
|
|
with:
|
|
version: 'v1.28.0'
|
|
|
|
- name: Configure kubectl
|
|
run: |
|
|
echo "${{ secrets.KUBE_CONFIG_DATA_PRODUCTION }}" | base64 -d > kubeconfig
|
|
export KUBECONFIG=kubeconfig
|
|
|
|
- name: Pre-deployment backup
|
|
run: |
|
|
export KUBECONFIG=kubeconfig
|
|
|
|
# Backup current deployment
|
|
kubectl get deployment wifi-densepose -n wifi-densepose -o yaml > backup-deployment.yaml
|
|
|
|
# Backup database
|
|
kubectl exec -n wifi-densepose deployment/postgres -- pg_dump -U wifi_user wifi_densepose > backup-db.sql
|
|
|
|
- name: Blue-Green Deployment
|
|
run: |
|
|
export KUBECONFIG=kubeconfig
|
|
|
|
# Create green deployment
|
|
kubectl patch deployment wifi-densepose -n wifi-densepose -p '{"spec":{"template":{"metadata":{"labels":{"version":"green"}}}}}'
|
|
kubectl set image deployment/wifi-densepose wifi-densepose=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.pre-deployment.outputs.image_tag }} -n wifi-densepose
|
|
|
|
# Wait for green deployment to be ready
|
|
kubectl rollout status deployment/wifi-densepose -n wifi-densepose --timeout=600s
|
|
|
|
# Verify green deployment health
|
|
kubectl wait --for=condition=ready pod -l app=wifi-densepose,version=green -n wifi-densepose --timeout=300s
|
|
|
|
- name: Traffic switching validation
|
|
run: |
|
|
export KUBECONFIG=kubeconfig
|
|
|
|
# Get green pod IP for direct testing
|
|
GREEN_POD=$(kubectl get pods -n wifi-densepose -l app=wifi-densepose,version=green -o jsonpath='{.items[0].metadata.name}')
|
|
|
|
# Test green deployment directly
|
|
kubectl exec -n wifi-densepose $GREEN_POD -- curl -f http://localhost:8000/health
|
|
kubectl exec -n wifi-densepose $GREEN_POD -- curl -f http://localhost:8000/api/v1/info
|
|
|
|
- name: Switch traffic to green
|
|
run: |
|
|
export KUBECONFIG=kubeconfig
|
|
|
|
# Update service selector to point to green
|
|
kubectl patch service wifi-densepose-service -n wifi-densepose -p '{"spec":{"selector":{"version":"green"}}}'
|
|
|
|
# Wait for traffic switch
|
|
sleep 30
|
|
|
|
- name: Production smoke tests
|
|
run: |
|
|
curl -f https://wifi-densepose.com/health || exit 1
|
|
curl -f https://wifi-densepose.com/api/v1/info || exit 1
|
|
|
|
- name: Cleanup old deployment
|
|
run: |
|
|
export KUBECONFIG=kubeconfig
|
|
|
|
# Remove blue version label from old pods
|
|
kubectl label pods -n wifi-densepose -l app=wifi-densepose,version!=green version-
|
|
|
|
# Scale down old replica set (optional)
|
|
# kubectl scale rs -n wifi-densepose -l app=wifi-densepose,version!=green --replicas=0
|
|
|
|
- name: Upload deployment artifacts
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: production-deployment-${{ github.run_number }}
|
|
path: |
|
|
backup-deployment.yaml
|
|
backup-db.sql
|
|
|
|
# Rollback capability
|
|
rollback:
|
|
name: Rollback Deployment
|
|
runs-on: ubuntu-latest
|
|
if: failure() && (needs.deploy-staging.result == 'failure' || needs.deploy-production.result == 'failure')
|
|
needs: [pre-deployment, deploy-staging, deploy-production]
|
|
environment:
|
|
name: ${{ needs.pre-deployment.outputs.deploy_env }}
|
|
steps:
|
|
- name: Set up kubectl
|
|
uses: azure/setup-kubectl@v3
|
|
with:
|
|
version: 'v1.28.0'
|
|
|
|
- name: Configure kubectl
|
|
run: |
|
|
if [[ "${{ needs.pre-deployment.outputs.deploy_env }}" == "production" ]]; then
|
|
echo "${{ secrets.KUBE_CONFIG_DATA_PRODUCTION }}" | base64 -d > kubeconfig
|
|
NAMESPACE="wifi-densepose"
|
|
else
|
|
echo "${{ secrets.KUBE_CONFIG_DATA_STAGING }}" | base64 -d > kubeconfig
|
|
NAMESPACE="wifi-densepose-staging"
|
|
fi
|
|
export KUBECONFIG=kubeconfig
|
|
echo "NAMESPACE=$NAMESPACE" >> $GITHUB_ENV
|
|
|
|
- name: Rollback deployment
|
|
run: |
|
|
export KUBECONFIG=kubeconfig
|
|
|
|
# Rollback to previous version
|
|
kubectl rollout undo deployment/wifi-densepose -n ${{ env.NAMESPACE }}
|
|
|
|
# Wait for rollback to complete
|
|
kubectl rollout status deployment/wifi-densepose -n ${{ env.NAMESPACE }} --timeout=600s
|
|
|
|
# Verify rollback
|
|
kubectl get pods -n ${{ env.NAMESPACE }} -l app=wifi-densepose
|
|
|
|
# Post-deployment monitoring
|
|
post-deployment:
|
|
name: Post-deployment Monitoring
|
|
runs-on: ubuntu-latest
|
|
needs: [deploy-staging, deploy-production]
|
|
if: always() && (needs.deploy-staging.result == 'success' || needs.deploy-production.result == 'success')
|
|
steps:
|
|
- name: Monitor deployment health
|
|
run: |
|
|
ENV="${{ needs.pre-deployment.outputs.deploy_env }}"
|
|
if [[ "$ENV" == "production" ]]; then
|
|
BASE_URL="https://wifi-densepose.com"
|
|
else
|
|
BASE_URL="https://staging.wifi-densepose.com"
|
|
fi
|
|
|
|
# Monitor for 5 minutes
|
|
for i in {1..10}; do
|
|
echo "Health check $i/10"
|
|
curl -f $BASE_URL/health || exit 1
|
|
curl -f $BASE_URL/api/v1/status || exit 1
|
|
sleep 30
|
|
done
|
|
|
|
- name: Update deployment status
|
|
uses: actions/github-script@v6
|
|
with:
|
|
script: |
|
|
const deployEnv = '${{ needs.pre-deployment.outputs.deploy_env }}';
|
|
const environmentUrl = deployEnv === 'production' ? 'https://wifi-densepose.com' : 'https://staging.wifi-densepose.com';
|
|
|
|
const { data: deployment } = await github.rest.repos.createDeploymentStatus({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
deployment_id: context.payload.deployment.id,
|
|
state: 'success',
|
|
environment_url: environmentUrl,
|
|
description: 'Deployment completed successfully'
|
|
});
|
|
|
|
# Notification
|
|
notify:
|
|
name: Notify Deployment Status
|
|
runs-on: ubuntu-latest
|
|
needs: [deploy-staging, deploy-production, post-deployment]
|
|
if: always()
|
|
steps:
|
|
- name: Notify Slack on success
|
|
if: needs.deploy-production.result == 'success' || needs.deploy-staging.result == 'success'
|
|
uses: 8398a7/action-slack@v3
|
|
with:
|
|
status: success
|
|
channel: '#deployments'
|
|
text: |
|
|
🚀 Deployment successful!
|
|
Environment: ${{ needs.pre-deployment.outputs.deploy_env }}
|
|
Image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.pre-deployment.outputs.image_tag }}
|
|
URL: https://${{ needs.pre-deployment.outputs.deploy_env == 'production' && 'wifi-densepose.com' || 'staging.wifi-densepose.com' }}
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
|
|
|
|
- name: Notify Slack on failure
|
|
if: needs.deploy-production.result == 'failure' || needs.deploy-staging.result == 'failure'
|
|
uses: 8398a7/action-slack@v3
|
|
with:
|
|
status: failure
|
|
channel: '#deployments'
|
|
text: |
|
|
❌ Deployment failed!
|
|
Environment: ${{ needs.pre-deployment.outputs.deploy_env }}
|
|
Please check the logs and consider rollback if necessary.
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
|
|
|
|
- name: Create deployment issue on failure
|
|
if: needs.deploy-production.result == 'failure'
|
|
uses: actions/github-script@v6
|
|
with:
|
|
script: |
|
|
github.rest.issues.create({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
title: `Production Deployment Failed - ${new Date().toISOString()}`,
|
|
body: `
|
|
## Deployment Failure Report
|
|
|
|
**Environment:** Production
|
|
**Image Tag:** ${{ needs.pre-deployment.outputs.image_tag }}
|
|
**Workflow Run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
|
|
|
|
**Action Required:**
|
|
- [ ] Investigate deployment failure
|
|
- [ ] Consider rollback if necessary
|
|
- [ ] Fix underlying issues
|
|
- [ ] Re-deploy when ready
|
|
|
|
**Logs:** Check the workflow run for detailed error messages.
|
|
`,
|
|
labels: ['deployment', 'production', 'urgent']
|
|
}) |