{"id":24502773,"url":"https://github.com/sul-dlss/sdr-deploy","last_synced_at":"2025-03-15T08:14:05.005Z","repository":{"id":38215943,"uuid":"255647205","full_name":"sul-dlss/sdr-deploy","owner":"sul-dlss","description":"Deployment tools for SDR applications (\u0026 friends)","archived":false,"fork":false,"pushed_at":"2024-04-02T21:00:29.000Z","size":309,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":18,"default_branch":"main","last_synced_at":"2024-04-02T22:22:53.652Z","etag":null,"topics":["deployment","infrastructure","ruby"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sul-dlss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-04-14T15:26:08.000Z","updated_at":"2024-04-02T22:22:56.331Z","dependencies_parsed_at":"2023-10-05T02:26:55.028Z","dependency_job_id":"36bef8ad-6776-4bb9-a340-9a01aace6cf0","html_url":"https://github.com/sul-dlss/sdr-deploy","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sul-dlss%2Fsdr-deploy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sul-dlss%2Fsdr-deploy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sul-dlss%2Fsdr-deploy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sul-dlss%2Fsdr-deploy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sul-dlss","download_url":"https://codeload.github.com/sul-dl
ss/sdr-deploy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243701464,"owners_count":20333631,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deployment","infrastructure","ruby"],"created_at":"2025-01-21T23:13:53.899Z","updated_at":"2025-03-15T08:14:04.998Z","avatar_url":"https://github.com/sul-dlss.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SDR Deployment Tools\n\nThis is a central place for deploying applications in the Infrastructure team portfolio, primarily but not exclusively related to the Stanford Digital Repository (SDR). 
This allows all applications to be deployed together with a single set of tools.\n\n## Requirements\n\nsdr-deploy expects Ruby 3.4.\n\n## Usage\n\nMake sure that:\n\n* You are on VPN.\n* You have `kinit`-ed.\n* You have added the public SSH key, often `~/.ssh/id_rsa.pub` or `~/.ssh/id_ed25519.pub`, from your machine to [GitHub](https://github.com/settings/keys)\n* You have properly configured your local SSH setup (see below)\n* You have logged into `sdr-infra.stanford.edu` and cloned this repository.\n* You have previously `ssh`-ed into all servers.\n  * NOTE: If you are unsure about this, run `bin/sdr check_ssh -e [qa|stage|prod]` and watch the output for any errors!\n* NOTE: if you run `bin/sdr check_cocina`, you may need to ensure that you have the contribsys gem credentials available for google-books to install the sidekiq-pro gem locally (the credential is already on our deploy target VMs).\n  * The credentials are set to an environment variable on the server via puppet from values stored in vault (vault info: https://consul.stanford.edu/display/systeam/Vault+for+Developers).  To fetch without digging into vault, go to a server that has them set via puppet and view the environment variable. See below under \"Configure bundler for your local path\" for an example.\n* NOTE: You *may* invoke the `bin/` scripts via `bundle exec`.\n\nYou can turn on success output for repo cache updates and deploy logging if you find it useful.  Override the Settings.progress_file in a config/settings.local.yml and you will get one file per repo.  This is useful if you get a crash part way, as it can tell you which repos were successfully completed.\n\n### SSH Setup\n\nFollow the [GitHub Documentation](https://docs.github.com/en/authentication/connecting-to-github-with-ssh) if you need to establish new SSH keys.\n\n1. 
Edit your local `~/.ssh/config` file to look like [DLSS developer best practice](https://github.com/sul-dlss/DeveloperPlaybook/blob/main/best-practices/ssh_configuration.md):\n2. Add your GitHub key to your local SSH agent\n    ```shell\n    # Or whatever the path is to the private key you've added to GitHub\n    ssh-add ~/.ssh/id_ed25519\n    ```\n3. Verify the correct key(s) are forwarded to `sdr-infra.stanford.edu` by running `ssh-add -L` on both your laptop and the server and making sure they match.\n\nSee https://docs.github.com/en/authentication/connecting-to-github-with-ssh/using-ssh-agent-forwarding for more information about SSH agent forwarding.\n\n### Connecting to sdr-infra.stanford.edu\n\nWith the above configuration, you will need to connect to `sdr-infra.stanford.edu` via SSH and will be presented with a MFA challenge:\n\n```shell\nssh sdr-infra.stanford.edu\n(SUNETID@sdr-infra.stanford.edu) Duo two-factor login for SUNETID\n\nEnter a passcode or select one of the following options:\n\n 1. Duo Push to XXX-XXX-1234\n 2. Phone call to XXX-XXX-1234\n 3. 
SMS passcodes to XXX-XXX-1234\n\nPasscode or option (1-3): 1\n```\n\nOnce connected, you can proceed.\n\n### Configure bundler for your local path\n\nSet the bundler path:\n```\nbundle config --global path /home/[username]/.vendor/bundle\n```\n\nSet up contribsys gem authentication (Sidekiq Pro):\n```\nbundle config gems.contribsys.com USER:PASS\n```\n\nIf already set up on your laptop (or on a server that has them, such as sul-gbooks-prod), you can get the value for USER:PASS needed above:\n\n```\n# on laptop or sul-gbooks-prod, it should show the USER:PASS values\necho $BUNDLE_GEMS__CONTRIBSYS__COM\nuser123:pass678\n```\n\n### Check your SSH connection to all servers\n\n```\nUsage:\n  bin/sdr check_ssh -e, --environment=ENVIRONMENT\n\nOptions:\n      [--only=one two three]               # Update only these repos\n      [--except=one two three]             # Update all except these repos\n  -s, [--skip-update], [--no-skip-update]  # Skip update repos\n  -e, --environment=ENVIRONMENT            # Environment ([\"qa\", \"prod\", \"stage\"])\n                                           # Possible values: qa, prod, stage\n      [--skip-control-master]              # Skip checking for active SSH control master connection\n\ncheck SSH connections\n\nExample:\n  bin/sdr check_ssh -s -e qa --except sul-dlss/technical-metadata-service sul-dlss/argo\n```\n\nNOTE: Watch the output for any errors\n\n### Check versions of cocina-models\n\n```\nUsage:\n  bin/sdr check_cocina\n\nOptions:\n  -s, [--skip-update], [--no-skip-update]  # Skip update repos\n  -t, --branch, [--tag=TAG]                # Check cocina version in the given tag or branch instead of the default branch\n\ncheck for cocina-models version mismatches\n\nExample:\n  bin/sdr check_cocina -s -t rel-2022-08-01\n  bin/sdr check_cocina -t my-wip-branch\n```\n\nThis will let you know which versions of cocina-models are used by each project with it in Gemfile.lock.\n\n### Create repository tags\n\nThis command tags 
repositories in parallel.\n\n**NOTE**: We conventionally name tags `rel-{YYYY}-{MM}-{DD}`.\n\n```\nUsage:\n  bin/sdr tag TAG_NAME\n\nOptions:\n  -m, [--message=TAG MESSAGE]           # Message to describe a newly created tag\n  -d, [--delete=DELETE], [--no-delete]  # Delete the tag locally and remotely\n  -v, [--verify]                        # Verify the tags exist remotely\n  -c, [--cocina], [--no-cocina]         # Only update repos affected by new cocina-models gem release\n\ncreate, delete, or verify a tag named TAG_NAME\n\nExamples:\n  bin/sdr tag -m 'coordinating the deploy of dependency updates' rel-2022-09-05\n  bin/sdr tag -c -m 'coordinating the release of cocina-models 0.66.6' rel-2022-09-14\n```\n\n### Run the deploys\n\nThis command deploys repositories in parallel.\n\n```\nUsage:\n  bin/sdr deploy -e, --environment=ENVIRONMENT\n\nOptions:\n      [--only=one two three]               # Update only these repos\n      [--except=one two three]             # Update all except these repos\n  -c, [--cocina], [--no-cocina]            # Only update repos affected by new cocina-models gem release\n  -b, [--before-command=BEFORE_COMMAND]    # Run this command on each host before deploying\n  -t, --branch, [--tag=TAG]                # Deploy the given tag or branch instead of the default branch\n  -s, [--skip-update], [--no-skip-update]  # Skip update repos\n  -e, --environment=ENVIRONMENT            # Deployment environment\n                                           # Possible values: qa, prod, stage\n      [--skip-control-master]              # Skip checking for active SSH control master connection\ndeploy all the services in an environment\n\nExamples:\n  bin/sdr deploy -s -e qa -t my-wip-branch --only=sul-dlss/technical-metadata-service\n  bin/sdr deploy -c -e qa -t rel-2022-09-14\n```\n\n**NOTE 0**:\n\nAs part of the deployment process, the cocina-models versions used by the apps being deployed will be checked. 
If all apps use the same version, the deploy will proceed. If there is divergence at the major- or minor-level, the deploy will be halted. If there is divergence at the patch-level, the user will be notified about the different versions used and then prompted to continue (defaulting to \"yes\").\n\n**NOTE 1**:\n\nIf **`io-wait`** or **`strscan`** gems update, you _may_ need to ssh to the VM and manually run `gem install io-wait` and/or `gem install strscan` to keep the deployed app from breaking.\n\nWhy? Because `io-wait` and `strscan` are \"system\" gems, and aren't managed by bundler.\n\ndlss-capistrano now automagically updates `strscan`; see https://github.com/sul-dlss/dlss-capistrano/blob/main/lib/dlss/capistrano/tasks/strscan.rake\n\nIf there is a problem, you can use `SKIP_UPDATE_STRSCAN` env var for an individual deploy (also for all deploys?):\n\n```\ncd yer_local_cloned_argo directory\nSKIP_UPDATE_STRSCAN=true cap deploy stage\n```\n\nYou can update a gem for all apps for a given environment, like this:\n\n```\nbin/sdr deploy -e stage -b 'gem install io-wait'\n```\n\nOr you can update a gem for a specific app like this:\n\n```\ncd yer_local_cloned_argo directory\ncap stage remote_execute['gem install io-wait']\n```\n\n**NOTE 2**: We have a couple applications that use environments outside of our standard ones (qa, prod, and stage), and sdr-deploy deploys to these oddball environments when deploying to prod. These are configured on a per-application basis in `config/settings.yml` via, e.g.:\n\n```yaml\n  - name: sul-dlss/sul_pub\n    non_standard_envs:\n      - uat\n  - name: sul-dlss/technical-metadata-service\n    non_standard_envs:\n      - retro\n```\n\n**NOTE 3**: Sometimes we want to be extra careful when deploying certain apps to certain environments. 
These are configured on a per-application basis in `config/settings.yml` via, e.g.:\n\n```yaml\n  - name: sul-dlss/argo\n    confirmation_required_envs:\n      - prod\n```\n\n**NOTE 4**: Sometimes we want to skip deploying to certain environments. These are configured on a per-application basis in `config/settings.yml` via, e.g.:\n\n```yaml\n  - name: sul-dlss/happy-heron\n    skip_envs:\n      - prod\n```\n\n### Only Deploy Repos Related to Cocina-Models Update\n\nNote: this includes dor-services-app and sdr-api in addition to cocina level2 updates.\n\n**[Turn off Google Books](https://sul-gbooks-prod.stanford.edu/features) when deploying to production.** This avoids failed deposits due to a temporary Cocina model mismatch. Unlike other applications, the deposits will fail without retry and require manual remediation.\n\nUse the `--cocina` or `-c` flag.\n\nThen\n\n```\n# -e can be qa or stage or prod\nbin/sdr deploy -e stage -c\n```\n\n### Only Refresh Repositories\n\nIf you have a need to pull main for all of the repositories without checking ssh or deploying, `refresh_repos` will do so.\n\n```\nUsage:\n  bin/sdr refresh_repos\n\nOptions:\n      [--only=one two three]               # Update only these repos\n      [--except=one two three]             # Update all except these repos\n```\n\n### Notes and tips:\n* All repos will be cloned to `tmp/repos`.\n* Any repos cloned to `tmp/repos` that are removed from `config/settings.yml`, *e.g.* projects that have been decommissioned, will be automatically removed from `tmp/repos` the next time any of the sdr-deploy commands are run (unless the repo update is explicitly skipped via user-provided flag).\n* If you prefer your output in color, this will work:\n```\nexport 
SSHKIT_COLOR='TRUE'\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsul-dlss%2Fsdr-deploy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsul-dlss%2Fsdr-deploy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsul-dlss%2Fsdr-deploy/lists"}