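---
# CircleCI pipeline for the catalog-agent service: ECR builds + k8s rollout for the
# dev/staging/prod/onprem-dev branches, and a Docker Hub build + SSH rollout for the
# onprem-release branch.
#
# NOTE(review): the copy of this file that was reviewed had been whitespace-mangled and
# every `<< parameters.X >>` reference had collapsed to `<>`. The references below were
# reconstructed from the parameters each job declares; the argument order handed to
# deploy.sh is inferred and should be confirmed against that script.
version: 2.1

orbs:
  # Orb version is pinned (good). This job authenticates with long-lived static keys
  # from the context; newer aws-ecr orb releases support OIDC role assumption, which
  # would let AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY be removed from the context.
  aws-ecr: circleci/aws-ecr@7.0.0

jobs:
  # Build the image and push it to ECR. The registry URL, region and credentials are
  # read from env vars (the names given here) provided by the `ecr-new` context.
  build-and-push:
    machine:
      # `:current` is a moving target; pin a dated image tag for reproducible builds.
      image: ubuntu-2204:current
      resource_class: medium
    parameters:
      docker-tag:
        type: string
      path:
        type: string
      repo:
        type: string
      dockerfile:
        type: string
    steps:
      - aws-ecr/build-and-push-image:
          checkout: true
          account-url: AWS_ECR_ACCOUNT_URL
          aws-access-key-id: AWS_ACCESS_KEY_ID
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY
          create-repo: false
          dockerfile: << parameters.dockerfile >>
          path: << parameters.path >>
          region: AWS_REGION
          repo: << parameters.repo >>
          # Every image is tagged with the commit SHA, optionally prefixed by docker-tag.
          tag: '<< parameters.docker-tag >>${CIRCLE_SHA1}'

  # Roll out an already-pushed image by running deploy.sh on the cluster host over SSH.
  # USER_NAME and HOST_NAME come from the context; the SSH private key is the project
  # key that `checkout` loads into ssh-agent.
  deploy:
    machine:
      image: ubuntu-2204:current
      resource_class: medium
    parameters:
      docker-tag:
        type: string
      path:
        type: string
      deploy-name:
        type: string
      deploy-namespace:
        type: string
    steps:
      - checkout
      - run:
          name: kubectl apply
          command: |
            # Argument order (manifest path, image tag, deploy name, namespace) is
            # reconstructed — confirm against /home/ubuntu/cluster-for-B/deploy.sh.
            CMD='/home/ubuntu/cluster-for-B/deploy.sh << parameters.path >> << parameters.docker-tag >>'${CIRCLE_SHA1}' << parameters.deploy-name >> << parameters.deploy-namespace >>'
            echo "$CMD"
            # BatchMode: never hang on a passphrase / host-key prompt in CI.
            # StrictHostKeyChecking=yes: the host's key must already be in known_hosts and
            # a mismatch is fatal (non-interactive `ask` already fails on unknown hosts, so
            # this only makes the requirement explicit).
            # "$CMD" is passed as a single argument so the local shell cannot glob-expand
            # it; the remote login shell still parses it as a command line.
            ssh -o BatchMode=yes -o StrictHostKeyChecking=yes "${USER_NAME}@${HOST_NAME}" "$CMD"
      - run:
          name: Send deploy Lark notification
          command: |
            bash scripts/ci/notify_feishu.sh \
              --event deploy \
              --service-name << parameters.deploy-name >> \
              --namespace << parameters.deploy-namespace >>

  # Build the image locally, publish it to Docker Hub and — only when deploy=true AND
  # the branch is onprem-release — SSH to the on-prem host and roll it out.
  # DOCKERHUB_USERNAME / DOCKERHUB_PASS and the ONPREM_DEPLOY_* vars are project env vars
  # (no context is attached to this job in the workflow).
  docker-hub-build-push:
    machine:
      image: ubuntu-2404:current
      resource_class: medium
    parameters:
      repo:
        type: string
      dockerfile:
        type: string
      docker-tag:
        type: string
      deploy:
        type: boolean
        default: false
    steps:
      - checkout
      - run:
          name: Build Docker image
          command: |
            # A tag containing "arm64" selects a buildx cross-build; anything else is a
            # plain x86 build. The cross-build relies on binfmt/QEMU in the machine image.
            if [[ "<< parameters.docker-tag >>" == *"arm64"* ]]; then
              docker buildx create --use --name multiarch
              docker buildx inspect --bootstrap
              docker buildx build -t << parameters.repo >>:<< parameters.docker-tag >> --platform linux/arm64 --no-cache -f << parameters.dockerfile >> --load .
            else
              docker build -t << parameters.repo >>:<< parameters.docker-tag >> --no-cache -f << parameters.dockerfile >> .
            fi
      - run:
          name: Publish Docker Image to Docker Hub
          command: |
            # Password via stdin so it never appears in process listings or the step log.
            echo "$DOCKERHUB_PASS" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
            IMAGE_TAG="0.0.${CIRCLE_BUILD_NUM}"
            docker tag << parameters.repo >>:<< parameters.docker-tag >> << parameters.repo >>:$IMAGE_TAG
            # The floating tag (e.g. `latest`) is overwritten on every run; anything that
            # needs a stable reference should use the 0.0.<build> tag or pin the digest.
            docker push << parameters.repo >>:<< parameters.docker-tag >>
            docker push << parameters.repo >>:$IMAGE_TAG
            # Export IMAGE_TAG to later steps (the SSH deploy step needs it).
            echo "export IMAGE_TAG=$IMAGE_TAG" >> $BASH_ENV
            bash scripts/ci/notify_feishu.sh \
              --event docker_hub \
              --image-repo << parameters.repo >> \
              --image-tag << parameters.docker-tag >> \
              --version-tag "$IMAGE_TAG"
      - when:
          # CD runs only when deploy=true AND the branch is onprem-release, so no other
          # branch can trigger a rollout by accident.
          condition:
            and:
              - << parameters.deploy >>
              - equal: [ onprem-release, << pipeline.git.branch >> ]
          steps:
            # Load the private key uploaded under Project Settings → SSH Keys into
            # ssh-agent; the value is the MD5 fingerprint CircleCI shows after upload.
            # NOTE(review): CircleCI does not shell-expand `$VAR` in config fields in
            # general, so this may be taken literally and match no key. A fingerprint is
            # not a secret (it identifies a public key) and can be written here verbatim —
            # confirm this step really loads the intended key.
            - add_ssh_keys:
                fingerprints:
                  - "$ONPREM_DEPLOY_SSH_KEY_FINGERPRINT"
            - run:
                name: SSH 部署到服务器(更新 catalog-agent 镜像并重启)
                command: |
                  set -euo pipefail
                  mkdir -p ~/.ssh
                  chmod 700 ~/.ssh
                  # Host authentication. Prefer a pinned known_hosts line from
                  # ONPREM_DEPLOY_SSH_HOST_KEY (form: "[host]:port ssh-ed25519 AAAA...",
                  # i.e. what `ssh-keyscan -p PORT HOST` prints), so the CI runner only
                  # talks to the server whose key was pinned. Fall back to ssh-keyscan
                  # only when no pinned key is configured: that is trust-on-first-use on
                  # every run, and a MITM at that moment would be accepted silently.
                  # ONPREM_DEPLOY_SSH_PORT selects the server's SSH port (e.g. 17290).
                  if [ -n "${ONPREM_DEPLOY_SSH_HOST_KEY:-}" ]; then
                    printf '%s\n' "$ONPREM_DEPLOY_SSH_HOST_KEY" >> ~/.ssh/known_hosts
                  else
                    echo "WARNING: ONPREM_DEPLOY_SSH_HOST_KEY is not set; falling back to ssh-keyscan (host is not authenticated)" >&2
                    HOST_KEYS="$(ssh-keyscan -H -p "$ONPREM_DEPLOY_SSH_PORT" "$ONPREM_DEPLOY_SSH_HOST" 2>/dev/null)"
                    if [ -z "$HOST_KEYS" ]; then
                      echo "ssh-keyscan returned no keys for $ONPREM_DEPLOY_SSH_HOST:$ONPREM_DEPLOY_SSH_PORT" >&2
                      exit 1
                    fi
                    printf '%s\n' "$HOST_KEYS" >> ~/.ssh/known_hosts
                  fi
                  # IMAGE_TAG is expanded locally into the remote command prefix; the
                  # heredoc delimiter is quoted ('REMOTE') so the script body is NOT
                  # expanded locally. On the server, sed rewrites the whole catalog-agent
                  # `image:` line in docker-compose.yml regardless of registry prefix
                  # ("gptbasesparticle/..." or "docker.gbase.ai/...") or tag format; the
                  # "tag starts with a digit" requirement skips arm64-style tags (this CD
                  # is only triggered from the AMD64 job).
                  ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
                      -p "$ONPREM_DEPLOY_SSH_PORT" "$ONPREM_DEPLOY_SSH_USER@$ONPREM_DEPLOY_SSH_HOST" \
                      "IMAGE_TAG='$IMAGE_TAG' bash -s" <<'REMOTE'
                  set -euo pipefail
                  # IMAGE_TAG is spliced into a sed replacement below; reject anything that
                  # is not a plain Docker tag so a bad value cannot corrupt the compose file.
                  if ! [[ "$IMAGE_TAG" =~ ^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$ ]]; then
                    echo "refusing to deploy: invalid IMAGE_TAG '$IMAGE_TAG'" >&2
                    exit 1
                  fi
                  cd gbase_onprem
                  echo "更新前 catalog-agent 镜像行:"
                  grep -E '^[[:space:]]*image:[[:space:]]*[^#[:space:]]*catalog-agent:[0-9]' docker-compose.yml || true
                  sed -i -E "s|^([[:space:]]*)image:[[:space:]]*[^#[:space:]]*catalog-agent:[0-9][^[:space:]]*|\1image: gptbasesparticle/catalog-agent:${IMAGE_TAG}|" docker-compose.yml
                  echo "更新后 catalog-agent 镜像行:"
                  # Under set -e a failing grep aborts here, so a no-op edit never restarts the service.
                  grep -E "^[[:space:]]*image:[[:space:]]*gptbasesparticle/catalog-agent:${IMAGE_TAG}" docker-compose.yml
                  docker compose down catalog-agent
                  docker compose up catalog-agent -d
                  REMOTE
                  bash scripts/ci/notify_feishu.sh \
                    --event deploy \
                    --service-name catalog-agent \
                    --namespace onprem-release \
                    --image-repo << parameters.repo >> \
                    --version-tag "$IMAGE_TAG"

workflows:
  backend_build_and_push:
    jobs:
      # dev branch → test environment
      - build-and-push:
          name: build-for-test
          context:
            - ecr-new
          path: .
          dockerfile: Dockerfile
          repo: catalog-agent
          docker-tag: ''
          filters:
            branches:
              only:
                - dev
      - deploy:
          name: deploy-for-test
          docker-tag: ''
          path: '/home/ubuntu/cluster-for-B/gbase-dev/catalog-agent/deploy.yaml'
          deploy-name: catalog-agent
          deploy-namespace: gbase-dev
          context:
            - ecr-new
          filters:
            branches:
              only:
                - dev
          requires:
            - build-for-test
      # prod branch
      - build-and-push:
          name: build-for-prod
          context:
            - ecr-new
          path: .
          dockerfile: Dockerfile
          repo: catalog-agent
          docker-tag: ''
          filters:
            branches:
              only:
                - prod
      # staging branch
      - build-and-push:
          name: build-for-staging
          context:
            - ecr-new
          path: .
          dockerfile: Dockerfile
          repo: catalog-agent
          docker-tag: ''
          filters:
            branches:
              only:
                - staging
      - deploy:
          name: deploy-for-prod
          docker-tag: ''
          path: '/home/ubuntu/cluster-for-B/default/catalog-agent/deploy.yaml'
          deploy-name: catalog-agent
          # NOTE(review): prod reports/deploys into `gbase-dev` — the same namespace as
          # deploy-for-test — while its manifest lives under `default/`. Confirm this is
          # intended and not a copy-paste leftover.
          deploy-namespace: gbase-dev
          context:
            - ecr-new
          filters:
            branches:
              only:
                - prod
          requires:
            - build-for-prod
      - deploy:
          name: deploy-for-staging
          docker-tag: ''
          path: '/home/ubuntu/cluster-for-B/gbase-staging/catalog-agent/deploy.yaml'
          deploy-name: catalog-agent
          deploy-namespace: gbase-staging
          context:
            - ecr-new
          filters:
            branches:
              only:
                - staging
          requires:
            - build-for-staging
      # onprem-release branch → Docker Hub (amd64 + arm64), amd64 job also deploys
      - docker-hub-build-push:
          name: docker-hub-build-push
          repo: gptbasesparticle/catalog-agent
          dockerfile: Dockerfile
          docker-tag: latest
          # Enable CD: after build & push, SSH to the server and update the catalog-agent
          # image (only effective on onprem-release; see the job's `when` condition).
          deploy: true
          filters:
            branches:
              only:
                - onprem-release
      - docker-hub-build-push:
          name: docker-hub-build-push-arm
          repo: gptbasesparticle/catalog-agent
          dockerfile: Dockerfile
          docker-tag: latest_arm64
          filters:
            branches:
              only:
                - onprem-release
      # onprem-dev branch → onprem-dev environment
      - build-and-push:
          name: build-for-onprem-dev
          context:
            - ecr-new
          path: .
          dockerfile: Dockerfile
          repo: catalog-agent
          docker-tag: ''
          filters:
            branches:
              only:
                - onprem-dev
      - deploy:
          name: deploy-for-onprem-dev
          docker-tag: ''
          path: '/home/ubuntu/cluster-for-B/onprem-dev/catalog-agent/deploy.yaml'
          deploy-name: catalog-agent
          deploy-namespace: onprem-dev
          context:
            - ecr-new
          filters:
            branches:
              only:
                - onprem-dev
          requires:
            - build-for-onprem-dev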