Voidline Meet: CI/CD Implementation Plan

Last updated: 3/17/2026

📋 Executive Summary

This plan details the end-to-end CI/CD pipeline for Voidline Meet:
- Tag-based deployments from your GitHub monorepo
- Automatic building and releasing of Electron desktop app and backend
- VPS backend deployment via Docker Compose using SSH
- Static assets published to GitHub Pages
- Extensible with notifications, alternate CDNs, and future test/stage deploys

I. Versioning & Triggers

• Primary trigger: Push of a production tag (vX.X.X) to main branch.
• All builds, releases, and deployments run from this event.
• Future: Add test deploys for feature branches, PRs, and “dev” tags.

II. Electron Desktop App Build & Release

1. Build
   • Run from repo root, uses pnpm electron:build and electron-builder (unsigned for now).
2. Publish
   • Upload .exe and update assets to GitHub Releases for auto-update and downloads.
   • Optional: Also SCP .exe to your VPS for direct distribution.

III. Backend Deploy (meet-core) to VPS

1. Prepare Dockerfile
   • Move Dockerfile.meet to repo root, update Compose to point to new path.
2. Deploy Workflow
   • On release tag:
     1. CI Action SSHes into VPS (using deploy key).
        
     2. Pulls latest code (git pull or clone).
        
     3. Renders secrets.env from injected secrets.
        
     4. Prunes Docker build cache.
        
     5. Builds and restarts meet service.
3. SSH/Deploy Key
   • Convert .ppk to OpenSSH, upload public key to VPS ~/.ssh/authorized_keys, put private in GitHub Secrets.

IV. Static Asset Hosting (GitHub Pages)

1. Build Next.js static export via CI job.
2. Publish /out (or build output dir) to gh-pages branch using actions-gh-pages.
3. Serves at https://<username>.github.io/<repo>/ or custom domain.

V. Secrets Management

• All secrets (LiveKit keys, deploy keys, env vars) stored in Actions Secrets.
• At deploy, workflow renders secrets.env and/or injects into Docker Compose.

VI. GitHub Actions Workflow Outline

A single workflow, e.g. .github/workflows/release.yml triggers on tag push:

name: Release & Deploy

on:
  push:
    tags:
      - 'v*.*.*'

jobs:
  build-desktop:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v2
        with:
          version: 9
      - run: pnpm install
      - run: pnpm electron:build
      - run: pnpm electron-builder --publish always

  build-static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install
      - run: pnpm build:web
      - uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./packages/meet-core/out

  deploy-backend:
    needs: [build-desktop, build-static]
    runs-on: ubuntu-latest
    steps:
      - uses: appleboy/ssh-action@v1.0.0
        with:
          host: ${{ secrets.VPS_HOST }}
          username: spellsever
          key: ${{ secrets.VPS_DEPLOY_KEY }}
          passphrase: ${{ secrets.VPS_DEPLOY_KEY_PASSPHRASE }}
          script: |
            cd ~/stoat/stoat
            git pull origin main
            echo "${{ secrets.LIVEKIT_SECRETS_ENV }}" > secrets.env
            sudo docker builder prune -f
            sudo DOCKER_BUILDKIT=1 docker compose build meet
            sudo docker compose up -d meet

  # Optionally: upload .exe to VPS via SCP (see references below)
  # Optionally: add notifications to Discord/email (see resources)

VII. Key Action Items

1. Move Dockerfile.meet to repo, and update Compose.
2. Generate/OpenSSH deploy key:
   • Use PuTTYgen to convert .ppk to OpenSSH .pem.
   • Add public key to ~/.ssh/authorized_keys for deploy user on VPS.
   • Store private key as GitHub Actions Secret.
3. Store LiveKit and other secrets as Actions Secrets.
4. Implement workflow as above.
5. Tag and push to test!
6. Iterate and add notifications, CDNs, and tests as you grow.

VIII. Notes for Future Expansion

• Add dev/staging deploy jobs for test branches, PRs.
• Upgrade notification jobs: Discord, Stoat.chat, email.
• Add code signing for desktop auto-update polish.
• Migrate static assets to a CDN (Cloudflare Pages, Vercel, Netlify, or S3/MinIO).
• Consider cloud-native deploys (Vercel, Railway, Render, DigitalOcean App Platform).
• Integrate automated linter, tests, and pre-release gates when ready.
• Refine deploy user and permissions as your security needs evolve.

IX. Reference Resources

• GitHub Actions Documentation
• peaceiris/actions-gh-pages
• appleboy/ssh-action (SSH/SCP in Actions)
• Publishing .exe to VPS with SCP (appleboy/ssh-action usage)
• electron-builder CI/CD
• Storing and using GitHub Actions secrets
• Cloudflare Pages, Vercel, Netlify, MinIO (S3 self-hosted)

X. Closing Notes / Action Items

• Convert .ppk to OpenSSH key; consider a dedicated deploy user for production security.
• Move Dockerfile.meet to the repo and update Compose pathing.
• Add all production secrets as GitHub Actions “Secrets”—this includes SSH deploy keys, API keys, and your secrets.env contents.
• Draft .github/workflows/release.yml based on the above template.
• Test end-to-end with a tag push and adjust as required for production reliability.
• As you grow, add linter/tests, stage deployments, notifications, and code signing for even better automation and security.