ci: add SILL deployment workflows and sync-upstream

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JeromeBu

.github/workflows/ci.yaml

@@ -21,10 +21,9 @@ jobs:
           curl -o iocs.csv https://raw.githubusercontent.com/DataDog/indicators-of-compromise/refs/heads/main/shai-hulud-2.0/consolidated_iocs.csv
       - name: Scan dependencies against IOCs
         run: node scripts/scan-dependencies.js
-
   validations:
-    runs-on: ubuntu-latest
     needs: security-scan
+    runs-on: ubuntu-latest
     env:
       DATABASE_URL: postgresql://catalogi:pg_password@localhost:5432/db
     services:
@@ -72,169 +71,76 @@ jobs:
     runs-on: ubuntu-latest
     needs: [validations, e2e]
     outputs:
-      from_version: ${{ steps.step1.outputs.from_version }}
-      to_version: ${{ steps.step1.outputs.to_version }}
-      is_upgraded_version: ${{ steps.step1.outputs.is_upgraded_version }}
+      is_upgraded_in_preprod: ${{ steps.check_version.outputs.is_upgraded_in_preprod }}
+      is_upgraded_version: ${{ steps.check_version.outputs.is_upgraded_version }}
+      to_version: ${{ steps.check_version.outputs.to_version }}
+      from_version: ${{ steps.check_version.outputs.from_version }}
     steps:
-      - uses: garronej/ts-ci@v2.1.5
-        id: step1
-        with:
-          action_name: is_package_json_version_upgraded
-      - run: |
-          echo "from_version=${{ steps.step1.outputs.from_version }}"
-          echo "to_version=${{ steps.step1.outputs.to_version }}"
-          echo "is_upgraded_version=${{ steps.step1.outputs.is_upgraded_version }}"
-
-  create_tag:
-    name: Create version tag
-    runs-on: ubuntu-latest
-    needs:
-      - check_if_version_upgraded
-    if: needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true'
-    env:
-      TO_VERSION: ${{ needs.check_if_version_upgraded.outputs.to_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-      - name: Create tag
-        run: |
-          git config --local user.email "actions@github.com"
-          git config --local user.name "GitHub Actions"
-          git tag -a v${{ env.TO_VERSION }} -m "Deployment tag for v${{ env.TO_VERSION }}"
-          git push --tags
-
-  create_github_release:
-    name: "Create release notes"
-    runs-on: ubuntu-latest
-    needs:
-      - check_if_version_upgraded
-      - create_tag
-    if: |
-      needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true' && github.event_name == 'push'
-    env:
-      RELEASE_TAG: v${{ needs.check_if_version_upgraded.outputs.to_version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-      - name: Install Helm
-        uses: azure/setup-helm@v4
-      - name: Build Helm chart dependencies
-        run: |
-          helm dependency build helm-charts/catalogi
-      - name: Package Helm chart
-        run: |
-          helm package helm-charts/catalogi
-      - name: "Generate release on github"
-        uses: softprops/action-gh-release@v2
-        with:
-          name: Release ${{ env.RELEASE_TAG }}
-          prerelease: false
-          tag_name: ${{ env.RELEASE_TAG }}
-          generate_release_notes: true
-          files: catalogi-*.tgz
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-  publish_helm_index:
-    name: Publish Helm chart index
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    needs:
-      - check_if_version_upgraded
-      - create_github_release
-    if: needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true'
-    env:
-      TO_VERSION: ${{ needs.check_if_version_upgraded.outputs.to_version }}
-    steps:
-      - name: Generate GitHub App token
-        id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.RELEASE_APP_ID }}
-          private_key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
-
-      - name: Checkout repository
-        uses: actions/checkout@v6
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          fetch-depth: 0
-
-      - name: Configure git
-        run: |
-          git config --local user.email "actions@github.com"
-          git config --local user.name "GitHub Actions"
-
-      - name: Setup gh-pages branch
+      - uses: actions/checkout@v6
+      - name: Check version upgrade
+        id: check_version
         run: |
-          git fetch origin
-
-          if git ls-remote --heads origin gh-pages | grep gh-pages; then
-            git checkout gh-pages
+          # Get current version from package.json
+          CURRENT_VERSION=$(jq -r '.version' package.json)
+          echo "Version in package.json: $CURRENT_VERSION"
+
+          # Get deployed version from preprod API
+          PRE_PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill-preprod/api/getApiVersion" | jq -r '.result.data.json')
+          PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill/api/getApiVersion" | jq -r '.result.data.json')
+          echo "Deployed version in preprod: $PRE_PROD_DEPLOYED_VERSION"
+          echo "Deployed version in prod: $PROD_DEPLOYED_VERSION"
+          
+          # Simple comparison: check if versions are different
+          if [ "$CURRENT_VERSION" != "$PRE_PROD_DEPLOYED_VERSION" ]; then
+            IS_UPGRADED_IN_PRE_PROD="true"
+            IS_UPGRADED="true"
+            echo "✅ Version different from preprod ($PRE_PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION"
+          elif [ "$CURRENT_VERSION" != "$PROD_DEPLOYED_VERSION" ]; then
+            IS_UPGRADED="true"
+            echo "✅ Version different from prod ($PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION"
           else
-            git checkout -b gh-pages
+            IS_UPGRADED="false"
+            echo "ℹ️ Version unchanged: $CURRENT_VERSION"
           fi
-
-          git reset --hard origin/main
-
-      - name: Install Helm
-        uses: azure/setup-helm@v4
-
-      - name: Create charts directory
-        run: mkdir -p docs/charts
-
-      - name: Download chart from release
-        run: |
-          gh release download v${TO_VERSION} --pattern "catalogi-*.tgz" --dir docs/charts/
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: Generate Helm repository index with merge
-        run: |
-          helm repo index docs/charts/ --url https://github.com/codegouvfr/catalogi/releases/download/v${TO_VERSION}/ --merge docs/charts/index.yaml
-
-      - name: Commit and push to gh-pages
-        run: |
-          git add docs/charts/index.yaml
-          git commit -m "chore: update Helm chart index for v${TO_VERSION}"
-          git push origin gh-pages --force
-
-  docker:
-    name: Build and push Docker images
-    runs-on: ubuntu-latest
+          
+          echo "Is version upgraded: $IS_UPGRADED"
+          
+          # Set outputs
+          echo "is_upgraded_version=$IS_UPGRADED" >> $GITHUB_OUTPUT
+          echo "is_upgraded_in_preprod=$IS_UPGRADED_IN_PRE_PROD" >> $GITHUB_OUTPUT
+          echo "to_version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          echo "from_version=$PRE_PROD_DEPLOYED_VERSION" >> $GITHUB_OUTPUT
+
+  trigger_pre_production_deploy:
     needs:
       - check_if_version_upgraded
-    if: needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true'
-    steps:
-      - uses: actions/checkout@v6
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Computing Docker image tags
-        id: step1
-        env:
-          TO_VERSION: ${{ needs.check_if_version_upgraded.outputs.to_version }}
-        run: |
-          OUT_API=$GITHUB_REPOSITORY-api:$TO_VERSION,$GITHUB_REPOSITORY-api:latest
-          OUT_API=$(echo "$OUT_API" | awk '{print tolower($0)}')
-          echo ::set-output name=docker_api_tags::$OUT_API
-
-          OUT_WEB=$GITHUB_REPOSITORY-web:$TO_VERSION,$GITHUB_REPOSITORY-web:latest
-          OUT_WEB=$(echo "$OUT_WEB" | awk '{print tolower($0)}')
-          echo ::set-output name=docker_web_tags::$OUT_WEB
-
-      - uses: docker/build-push-action@v5
-        with:
-          push: true
-          context: .
-          file: ./Dockerfile.api
-          tags: ${{ steps.step1.outputs.docker_api_tags }}
-      - uses: docker/build-push-action@v5
-        with:
-          push: true
-          context: .
-          file: ./Dockerfile.web
-          tags: ${{ steps.step1.outputs.docker_web_tags }}
+    if: needs.check_if_version_upgraded.outputs.is_upgraded_in_preprod == 'true'
+    uses: ./.github/workflows/trigger-deploy.yaml
+    with:
+      server_host: code.gouv.fr
+      server_user: web
+      deploy_script_path: ./update-sill-preprod.sh
+      server_ssh_key_path: ~/.ssh/sill-data
+      environment_name: pre-production
+      version: v${{ needs.check_if_version_upgraded.outputs.to_version }}
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+
+
+  trigger_production_deploy:
+    needs:
+      - trigger_pre_production_deploy
+      - check_if_version_upgraded
+    if: needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true' && (needs.trigger_pre_production_deploy.result == 'success' || needs.trigger_pre_production_deploy.result == 'skipped')
+    uses: ./.github/workflows/trigger-deploy.yaml
+    with:
+      server_host: code.gouv.fr
+      server_user: web
+      deploy_script_path: ./update-sill-docker-compose.sh
+      server_ssh_key_path: ~/.ssh/sill-data
+      environment_name: production
+      version: v${{ needs.check_if_version_upgraded.outputs.to_version }}
+      github_environment: production
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 

.github/workflows/sync-upstream.yaml

@@ -0,0 +1,35 @@
+name: Sync upstream
+
+on:
+  schedule:
+    - cron: '0 7 * * *' # every day at 7 AM UTC
+  workflow_dispatch:
+
+jobs:
+  sync:
+    name: Sync repository with upstream repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout fork
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.PAT_FOR_UPSTREAM_SYNC }}
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Add upstream remote
+        run: |
+          git remote add upstream https://github.com/codegouvfr/catalogi.git
+          git fetch upstream
+
+      - name: Sync with upstream/main
+        run: |
+          git checkout main
+          git rebase upstream/main
+
+      - name: Push to origin
+        run: git push origin main --force-with-lease --no-verify

.github/workflows/trigger-deploy.yaml

@@ -0,0 +1,64 @@
+name: Deploy to Server
+
+on:
+  workflow_call:
+    inputs:
+      server_host:
+        description: 'Server hostname or IP address'
+        required: true
+        type: string
+      server_user:
+        description: 'SSH user'
+        required: true
+        type: string
+      deploy_script_path:
+        description: 'Deployment script path on remote server (e.g., ./update-sill-preprod.sh)'
+        required: true
+        type: string
+      server_ssh_key_path:
+        description: 'Path to SSH key on remote server for GitHub access (e.g., ~/.ssh/sill-data)'
+        required: false
+        type: string
+        default: '~/.ssh/sill-data'
+      environment_name:
+        description: 'Environment name for display purposes'
+        required: true
+        type: string
+      version:
+        description: 'Version to deploy (with v prefix)'
+        required: true
+        type: string
+      github_environment:
+        description: 'GitHub environment for approvals (optional)'
+        required: false
+        type: string
+    secrets:
+      SSH_PRIVATE_KEY:
+        required: true
+
+jobs:
+  deploy:
+    name: "Deploy to ${{ inputs.environment_name }}"
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.github_environment }}
+    concurrency:
+      group: deploy-to-${{ inputs.environment_name }}
+      cancel-in-progress: true
+    steps:
+      - run: echo "${{ inputs.version }} - Triggering ${{ inputs.environment_name }} deploy"
+      - name: Set up SSH, trigger deployment script
+        timeout-minutes: 10
+        run: |
+          set -e
+          set -o pipefail
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan ${{ inputs.server_host }} >> ~/.ssh/known_hosts
+
+          echo "Connecting to ${{ inputs.server_host }} and running deployment script..."
+          ssh ${{ inputs.server_user }}@${{ inputs.server_host }} "bash -c 'set -e && eval \"\$(ssh-agent -s)\" && ssh-add ${{ inputs.server_ssh_key_path }} && ${{ inputs.deploy_script_path }} ${{ inputs.version }}'" 2>&1 | tee deploy.log
+
+          echo "✅ ${{ inputs.environment_name }} deployment completed successfully"
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}

README.md

@@ -19,7 +19,7 @@ Documentation is available [here](https://codegouvfr.github.io/catalogi/)
 
 ## Code organization
 
-This monorepo is made of several directories:
+Mais quels logiciels libres utiliser et pourquoi ? Quand plusieurs logiciels libres remplissent la même fonction, lequel privilégier ? Quelle version minimale est acceptable ?
 
 - api: Application API (also includes jobs, that can be run periodically)
 - web: Web frontend
@@ -28,18 +28,14 @@ This monorepo is made of several directories:
 
 ## Governance and contributions
 
-[![img](https://img.shields.io/badge/code.gouv.fr-contributif-blue.svg)](https://code.gouv.fr/documentation/#quels-degres-douverture-pour-les-codes-sources)
+# Historique
 
-See [GOVERNANCE](GOVERNANCE.md) and [CONTRIBUTING](CONTRIBUTING.md).
-
-## Discuss with us
-
-You are welcome to join the [Catalogi Matrix channel](https://matrix.to/#/#catalogi:matrix.org).
+Le SILL était à l'origine une liste sous format PDF qui était mise à jour tous les ans par les groupes MIM (Mutualisation InterMinistérielle).
 
 ## License
 
-2021-2025 Direction interministérielle du numérique, mission logiciels libres.
+Cette liste servaient aux DSI des ministères à faire les mises à jour nécessaires et à découvrir des logiciels libres utilisés par d'autres ministères.
 
-The code in this repository is published under [licence MIT](LICENSES/MIT.txt).
+En 2019, le SILL a été publié sous forme d'une application web à l'adresse https://sill.etalab.gouv.fr, qui redirigeait vers https://sill.code.gouv.fr depuis février 2023 jusqu'à présent, et désormais sur https://code.gouv.fr/sill. La page de visualisation était générée à partir de fichiers `csv` maintenus manuellement sur un dépôt public.
 
 The documentation is published under [licence Ouverte 2.0](LICENSES/Etalab-2.0.md) and [CC-BY-4.0](LICENSES/CC-BY-4.0.txt).