Reusable Ruby automation toolkit shared across Eiseron CI and ops. A single
CLI (eiseron) exposes small, well-tested automations that pipelines and
operators reuse instead of re-implementing logic inline.
Installed via a pinned git ref (no package registry yet):
# Gemfile
gem "eiseron_automation", git: "https://gitlab.com/eiseron/stack/automation.git", tag: "v0.1.0"Version-driven release tagging. Reads a bare semver from a version file and
creates the matching v<version> git tag through the GitLab API, lifting and
restoring tag protection around the create. Repos protect tags at "no one"
(Terraform-managed in eiseron-ops), so this command — running on a protected
ref with the protected EISERON_STACK_TOKEN — is the only way a tag gets
created. A tag therefore always maps to a reviewed change that bumped the
version file.
Environment (all provided by GitLab CI on a protected ref):
| variable | purpose |
|---|---|
EISERON_STACK_TOKEN |
Maintainer-role token used for the tag + protection API calls |
CI_API_V4_URL, CI_PROJECT_ID, CI_COMMIT_SHA |
target project + commit |
VERSION_FILE |
path to the bare-semver file (default VERSION) |
Behaviour:
- rejects an empty file, a
v-prefixed value, and anything that is notMAJOR.MINOR.PATCH(optionally with a-prerelease/+buildsuffix), each with a specific message; - idempotent — skips if the tag already exists;
- restores
create_access_level: no oneeven if the tag create fails.
Used by stack/ci's release.yml template, which installs this gem and runs
the command in consumers' release stage.
Per-merge-request preview environments on the shared host. These run from the
product's ops repo (protected scope, where the host credentials live) and
invoke the eiseron.provisioning.preview_app Ansible playbook over SSH, keeping
the complex orchestration in tested Ruby instead of inline CI shell.
deploybrings MR$PREVIEW_MR_IIDup: assemblesDATABASE_URLfrom the tenant credentials (URL-encoding the password) merged withPREVIEW_APP_EXTRA_ENV, then runs the playbook withstate=present.stoptears MR$PREVIEW_MR_IIDdown (state=absent).sweepreconciles: lists deployed previews (docker ps) against the scan project's still-open MRs (GitLab API) and tears down every preview whose MR is no longer open.
Consumed by stack/ci's preview-deploy.yml and preview-sweep.yml templates.
Environment:
| variable | used by | purpose |
|---|---|---|
EISERON_PREVIEW_APP |
all | product slug |
EISERON_PREVIEW_SUFFIX |
all | host/name suffix (e.g. -preview) |
EISERON_PREVIEW_ZONE |
deploy | preview DNS zone |
EISERON_PREVIEW_PORT |
deploy | app container port (default 4000) |
EISERON_PREVIEW_DB_SCHEME / _DB_HOST / _DB_PORT |
deploy | DATABASE_URL parts |
EISERON_PREVIEW_SCAN_PROJECT |
sweep | project whose open MRs are kept |
PREVIEW_HOST_IP, ANSIBLE_PRIVATE_KEY_FILE |
all | host IP + SSH key path |
PREVIEW_MR_IID |
deploy/stop | the merge request number |
PREVIEW_APP_IMAGE, PREVIEW_APP_EXTRA_ENV |
deploy | image + extra env (JSON) |
PREVIEW_TENANT_NAME, PREVIEW_TENANT_PASSWORD |
all | tenant role credentials |
CI_API_V4_URL, PREVIEW_SWEEP_TOKEN |
sweep | GitLab API + read-api token |
Lint gate for an Eiseron Go project. Runs gofmt, go vet and
golangci-lint, then enforces the org's no-comments rule: source carries no
line or block comments (rationale belongs in the MR description), the only
exception being //go: directives. Comment detection strips string, raw-string
and rune literals first, so a // inside a string is not a false positive, and
the restored module cache under .cache/ is excluded from every scan. Raises
with the offending file:line on any violation.
Used by stack/ci's go.yml template, which installs this gem and runs the
command in consumers' lint stage.
No-comments gate for OpenTofu/Terraform source. Scans every .tf under the
working tree (excluding .terraform/ and .git/) and raises with the
offending file:line if any carries a #, // or /* */ comment. String
literals are stripped and heredoc bodies (<<EOT, <<-EOT, <<"JSON") are
skipped before scanning, so URLs, hex colors and #/// inside embedded
scripts or policies are not false positives. Rationale belongs in the MR
description.
Used by stack/ci's tofu-lint.yml template.
Production build/deploy steps, driven from stack/ci's prod-build.yml
(product, on a tag) and prod-deploy.yml (the -ops repo, on the trigger).
Each skips gracefully (dormant) when its config vars are unset.
prod upload— syncs the digested static tree to R2 via the aws-sdk-s3TransferManager; setsContent-Typeper extension frommime-types; uploads assets (excludes*.map,*.gz— Cloudflare compresses at the edge) and sourcemaps (*.maponly) to separate buckets. ReadsPROD_ASSETS_DIR(defaultpriv/static),PROD_ASSETS_BUCKET,PROD_SOURCEMAPS_BUCKET,CLOUDFLARE_ACCOUNT_ID,AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY.prod trigger— fires the-opsdeploy pipeline (pipeline trigger token). ReadsPROD_DEPLOYER_PROJECT,PROD_DEPLOYER_TRIGGER_TOKEN,CI_COMMIT_TAG,CI_REGISTRY_IMAGE,CI_PROJECT_PATH,CI_API_V4_URL.prod deploy—kamal deployof the pre-built image with an anti-downgrade guard. ReadsPROD_TAG,PROD_PROJECT,PROD_DEPLOY_READ_TOKEN,CI_API_V4_URL;PROD_DEPLOY_ALLOW_OLD=true(web pipeline only) lifts the guard.
Runtime gems: mime-types is a gem dependency (installed with the gem).
prod upload additionally needs aws-sdk-s3 (lazily required to keep the other
commands light; the stack/ci job gem installs it), and prod deploy needs
kamal (provided by the ops image). A consumer running these outside the
stack/ci jobs must install those itself.
bundle install
bundle exec rake test # minitest
bundle exec rubocop # lintLint includes a custom cop, Eiseron/NoComments (rubocop/eiseron/no_comments.rb),
which forbids source comments so rationale stays in merge requests; magic
comments, shebangs, and rubocop: directives are allowed.
Bump VERSION in a merge request. On merge to main, the release-tag job
runs this repo's own CLI to tag v<version> (self-hosted release flow).
Maintenance releases: branch release/X.Y, bump VERSION, MR into it.