Build & Deploy

Local prerequisites (macOS)

Run ./scripts/install-mac-prereqs.sh to install dev/test tools via Homebrew (Node 20, envsubst/gettext, kubectl, sops, Trivy, Docker Desktop).
Requires Homebrew pre-installed; set SKIP_TRIVY=1 and/or SKIP_SOPS=1 to avoid optional security tools.
After install, open Docker.app once so the daemon is running before you build or run ZAP/Trivy scans.

Pipeline at a glance

flowchart LR
    Dev["Developer"] -->|"npm run lint"| Lint
    Dev --> Build["./deploy/build.sh"]
    Lint --> Build
    Build --> Docker["Docker buildx\nmulti-stage"]
    Docker --> Image["registry.halla-aho.net/thalla/lomavuokraus-web"]
    Image --> Push["./deploy/push.sh"]
    Push --> DeployStg["./deploy/deploy-staging.sh"]
    Push --> DeployProd["./deploy/deploy-prod.sh"]
    DeployStg --> RolloutStg["kubectl apply + rollout\n(staging)"]
    DeployProd --> RolloutProd["kubectl apply + rollout\n(prod)"]

Edit the Mermaid block to reflect pipeline changes; no external tooling required.

Build Inputs

Source: Next.js app with TypeScript and Prisma.
Env: .env (local), K8s Secret lomavuokraus-web-secrets in cluster.
Local secrets: creds/secrets.env (dotenv) loadable via scripts/load-secrets.sh.
Prisma schema: prisma/schema.prisma, migrations in prisma/migrations/.

NPM Scripts

npm run lint → next lint
npm run build → next build (used inside Docker and locally)

Docker Image

Multi-stage Dockerfile:
- deps: npm ci
- builder: copy source, npx prisma generate, npm run build
- runner: Node 20 bookworm-slim, copy standalone + static
Tags: numeric (git SHA-derived) + :latest.
Scan: Trivy runs post-build if available.

Deploy Scripts

deploy/build.sh → build image, write deploy/.last-image.
deploy/push.sh → push image.
deploy/deploy.sh → envsubst k8s/app.yaml, kubectl apply, rollout.
Environment wrappers:
- deploy/deploy-staging.sh
- deploy/deploy-prod.sh
- deploy/deploy-test.sh
DNS helpers: deploy/update-test-dns.sh updates test.lomavuokraus.fi + apitest.lomavuokraus.fi via Joker DYNDNS.

Config & Env Vars

From ConfigMap (public): NEXT_PUBLIC_SITE_URL, NEXT_PUBLIC_API_BASE, APP_ENV.
From Secret: DB URL, AUTH_SECRET, SMTP, DKIM, etc. (materialize from creds/secrets.env).
App env resolution: process.env.* in Next server code.
n8n billing assistant: N8N_BILLING_API_KEY or file creds/n8n-billing.key protects /api/integrations/billing/verify.