feat(infra): automate full first-deploy pipeline

ImTotem · claude · ImTotem · commit b9bf50c19bc4 · 2026-03-18T20:40:01.000+09:00
- Add alembic migration step to deploy.sh (creates PG tables)
- Add idempotent seed step (Sheets→PG only when tables empty)
- Add n8n init script (workflow import, credential setup, activation)
- Add network alias `api` for blue-green routing from n8n
- Add env var validation (12 required vars checked before deploy)
- Mount workflows + service account into n8n container
- Include alembic files in Docker image
- Whitelist workflows/*.json in .gitignore

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -511,6 +511,7 @@ $RECYCLE.BIN/
 !package.json
 !tsconfig.json
 !pyrightconfig.json
+!workflows/*.json
 
 # Generated nginx conf (envsubst output from .template)
 infra/nginx/bcsd-api.conf
diff --git a/infra/docker/Dockerfile b/infra/docker/Dockerfile
@@ -17,6 +17,8 @@ COPY --from=deps /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.
 COPY --from=deps /usr/local/bin /usr/local/bin
 
 COPY pyproject.toml .
+COPY alembic.ini .
+COPY alembic/ alembic/
 COPY src/ src/
 RUN pip install --no-cache-dir --no-deps .
 
diff --git a/infra/docker/docker-compose.yml b/infra/docker/docker-compose.yml
@@ -13,7 +13,9 @@ services:
     command: ["uvicorn", "bcsd_api.main:app", "--host", "0.0.0.0", "--port", "8000", "--timeout-graceful-shutdown", "${GRACEFUL_TIMEOUT}"]
     stop_grace_period: ${GRACEFUL_TIMEOUT}s
     networks:
-      - bcsd
+      bcsd:
+        aliases:
+          - api
 
   api-green:
     <<: *api
@@ -33,8 +35,12 @@ services:
       N8N_BASIC_AUTH_USER: "${N8N_AUTH_USER}"
       N8N_BASIC_AUTH_PASSWORD: "${N8N_AUTH_PASSWORD}"
       N8N_ENCRYPTION_KEY: "${N8N_ENCRYPTION_KEY}"
+      SYNC_TOKEN: "${SYNC_TOKEN}"
+      GOOGLE_SHEETS_ID: "${GOOGLE_SHEETS_ID}"
     volumes:
       - n8n-data:/home/node/.n8n
+      - ../../workflows:/workflows:ro
+      - ../../${GOOGLE_SERVICE_ACCOUNT_FILE}:/credentials/sa.json:ro
     networks:
       - bcsd
 
diff --git a/infra/scripts/deploy.sh b/infra/scripts/deploy.sh
@@ -11,6 +11,13 @@ HEALTH_PATH="/openapi.json"
 MAX_RETRIES=10
 ENVSUBST_VARS='${API_BLUE_PORT} ${API_GREEN_PORT} ${N8N_PORT} ${FRONTEND_PORT} ${DOMAIN} ${N8N_DOMAIN} ${FRONTEND_DOMAIN}'
 
+REQUIRED_VARS=(
+    POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB
+    GOOGLE_SERVICE_ACCOUNT_FILE GOOGLE_SHEETS_ID
+    SYNC_TOKEN JWT_SECRET GOOGLE_CLIENT_ID
+    API_BLUE_PORT API_GREEN_PORT N8N_PORT
+)
+
 current_slot() {
     grep proxy_pass "$NGINX_CONF" 2>/dev/null | grep -q "api_blue" && echo "blue" || echo "green"
 }
@@ -34,33 +41,38 @@ health_check() {
     return 1
 }
 
-check_credentials() {
+check_env() {
     if [ ! -f .env ]; then
-        echo "FAIL: .env not found (CI/CD should have uploaded it)"
+        echo "FAIL: .env not found"
         exit 1
     fi
-    local sa_file
-    sa_file=$(grep -m1 '^GOOGLE_SERVICE_ACCOUNT_FILE=' .env | cut -d= -f2-)
-    if [ -z "$sa_file" ]; then
-        echo "FAIL: GOOGLE_SERVICE_ACCOUNT_FILE not set in .env"
+    set -a; source .env; set +a
+    local missing=()
+    for var in "${REQUIRED_VARS[@]}"; do
+        if [ -z "${!var:-}" ]; then
+            missing+=("$var")
+        fi
+    done
+    if [ ${#missing[@]} -gt 0 ]; then
+        echo "FAIL: Missing env vars: ${missing[*]}"
         exit 1
     fi
-    if [ ! -f "$sa_file" ]; then
-        echo "FAIL: $sa_file not found (CI/CD should have uploaded it)"
+    if [ ! -f "$GOOGLE_SERVICE_ACCOUNT_FILE" ]; then
+        echo "FAIL: $GOOGLE_SERVICE_ACCOUNT_FILE not found"
         exit 1
     fi
 }
 
 render_nginx() {
-    set -a; source .env; set +a
     envsubst "$ENVSUBST_VARS" < "$NGINX_TEMPLATE" > "$NGINX_CONF"
 }
 
 echo "=== BCSD API Blue-Green Deploy ==="
 
-check_credentials
+echo "0. Checking environment..."
+check_env
 
-echo "0. Ensuring DB services..."
+echo "1. Ensuring DB services..."
 $COMPOSE_DB up -d
 
 render_nginx
@@ -70,13 +82,19 @@ NEXT=$(next_slot)
 
 echo "Current: $CURRENT → Deploying: $NEXT"
 
-echo "1. Building $NEXT..."
+echo "2. Building $NEXT..."
 $COMPOSE build "api-${NEXT}"
 
-echo "2. Starting $NEXT..."
+echo "3. Running DB migrations..."
+$COMPOSE run --rm --no-deps "api-${NEXT}" alembic upgrade head
+
+echo "4. Seeding PG from Sheets (if empty)..."
+$COMPOSE run --rm --no-deps "api-${NEXT}" python -m bcsd_api.sync.seed
+
+echo "5. Starting $NEXT..."
 $COMPOSE up -d --remove-orphans "api-${NEXT}"
 
-echo "3. Health check on api-${NEXT}..."
+echo "6. Health check on api-${NEXT}..."
 if ! health_check "$NEXT"; then
     echo "FAIL: $NEXT did not become healthy"
     echo "--- Container logs ---"
@@ -86,14 +104,17 @@ if ! health_check "$NEXT"; then
     exit 1
 fi
 
-echo "4. Switching nginx → $NEXT"
+echo "7. Switching nginx → $NEXT"
 sed -i "s/proxy_pass http:\/\/api_${CURRENT}/proxy_pass http:\/\/api_${NEXT}/g" "$NGINX_CONF"
 sudo mkdir -p /var/www/certbot
 sudo cp "$NGINX_CONF" "$NGINX_AVAILABLE"
 sudo ln -sf "$NGINX_AVAILABLE" "$NGINX_ENABLED"
 sudo nginx -t && sudo nginx -s reload
 
-echo "5. Stopping old ($CURRENT)..."
+echo "8. Stopping old ($CURRENT)..."
 $COMPOSE stop "api-${CURRENT}"
 
+echo "9. Initializing n8n..."
+bash infra/scripts/init_n8n.sh
+
 echo "=== Deploy complete: $NEXT is live ==="
diff --git a/infra/scripts/init_n8n.sh b/infra/scripts/init_n8n.sh
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# n8n workflow import + Google Sheets credential setup
+# Idempotent: skips if workflows already exist
+
+COMPOSE="sudo docker compose -p bcsd-app --env-file .env -f infra/docker/docker-compose.yml"
+N8N_CONTAINER="bcsd-app-n8n-1"
+MAX_RETRIES=15
+
+wait_n8n() {
+    local retries=0
+    while [ $retries -lt $MAX_RETRIES ]; do
+        if $COMPOSE exec -T n8n wget -qO- http://localhost:5678/healthz > /dev/null 2>&1; then
+            return 0
+        fi
+        retries=$((retries + 1))
+        echo "  n8n not ready, retry ${retries}/${MAX_RETRIES}..."
+        sleep 2
+    done
+    return 1
+}
+
+workflow_exists() {
+    local name="$1"
+    local count
+    count=$($COMPOSE exec -T n8n n8n list:workflow 2>/dev/null | grep -c "$name" || true)
+    [ "$count" -gt 0 ]
+}
+
+import_workflow() {
+    local file="$1"
+    local name="$2"
+    if workflow_exists "$name"; then
+        echo "  Workflow '$name' already exists — skipping"
+        return 0
+    fi
+    echo "  Importing '$name'..."
+    $COMPOSE exec -T n8n n8n import:workflow --input="$file"
+}
+
+activate_workflow() {
+    local name="$1"
+    local wf_id
+    wf_id=$($COMPOSE exec -T n8n n8n list:workflow 2>/dev/null | grep "$name" | awk '{print $1}')
+    if [ -z "$wf_id" ]; then
+        echo "  WARNING: Could not find workflow '$name' to activate"
+        return 1
+    fi
+    $COMPOSE exec -T n8n n8n update:workflow --id="$wf_id" --active=true
+    echo "  Activated '$name' (id: $wf_id)"
+}
+
+setup_credential() {
+    local sa_path="/credentials/sa.json"
+    local existing
+    existing=$($COMPOSE exec -T n8n n8n list:credential 2>/dev/null | grep -c "Google Sheets SA" || true)
+    if [ "$existing" -gt 0 ]; then
+        echo "  Google Sheets credential already exists — skipping"
+        return 0
+    fi
+    echo "  Creating Google Sheets service account credential..."
+    $COMPOSE exec -T n8n n8n import:credentials --input=/dev/stdin <<CRED_EOF
+[{
+  "name": "Google Sheets SA",
+  "type": "googleApi",
+  "data": {
+    "email": "$(grep client_email "$GOOGLE_SERVICE_ACCOUNT_FILE" | cut -d'"' -f4)",
+    "privateKey": "$(grep private_key "$GOOGLE_SERVICE_ACCOUNT_FILE" | cut -d'"' -f4)",
+    "impersonateUser": ""
+  }
+}]
+CRED_EOF
+}
+
+echo "=== n8n Init ==="
+
+echo "1. Starting n8n..."
+$COMPOSE up -d n8n
+
+echo "2. Waiting for n8n..."
+if ! wait_n8n; then
+    echo "FAIL: n8n did not become healthy"
+    $COMPOSE logs --tail=20 n8n
+    exit 1
+fi
+
+echo "3. Importing workflows..."
+import_workflow "/workflows/pg_sheets_sync.json" "PG → Sheets Sync (5min)"
+import_workflow "/workflows/link_auto_expire.json" "Link Auto-Expiration (hourly)"
+
+echo "4. Setting up Google Sheets credential..."
+set -a; source .env; set +a
+setup_credential
+
+echo "5. Activating workflows..."
+activate_workflow "PG → Sheets Sync"
+activate_workflow "Link Auto-Expiration"
+
+echo "=== n8n Init complete ==="
diff --git a/src/bcsd_api/sync/seed.py b/src/bcsd_api/sync/seed.py
@@ -1,5 +1,6 @@
 import logging
 
+from sqlalchemy import text
 from sqlalchemy.dialects.postgresql import insert
 
 from bcsd_api.config import Settings
@@ -52,6 +53,11 @@ def _seed_table(conn, sheets: SheetsClient, name: str) -> int:
     return len(cleaned)
 
 
+def _is_empty(conn) -> bool:
+    row = conn.execute(text("SELECT count(*) FROM members"))
+    return row.scalar() == 0
+
+
 def run_seed() -> None:
     settings = Settings()
     sheets = SheetsClient(
@@ -68,6 +74,19 @@ def run_seed() -> None:
     logger.info("Seed complete")
 
 
+def run_seed_if_empty() -> None:
+    settings = Settings()
+    engine = create_engine(settings.database_url)
+    with engine.connect() as conn:
+        if not _is_empty(conn):
+            logger.info("Tables not empty — skipping seed")
+            engine.dispose()
+            return
+    engine.dispose()
+    logger.info("Tables empty — running seed")
+    run_seed()
+
+
 if __name__ == "__main__":
     logging.basicConfig(level=logging.INFO)
-    run_seed()
+    run_seed_if_empty()
diff --git a/workflows/link_auto_expire.json b/workflows/link_auto_expire.json
diff --git a/workflows/pg_sheets_sync.json b/workflows/pg_sheets_sync.json
