ci: add Kamal CI/CD deployment workflow

- Disable Vercel deployments (deploymentEnabled: false)
- Create .github/workflows/deploy.yml with full test suite
- Deploy only after lint, type-check, unit-test, e2e-test pass
- Add Docker layer caching (type=gha) for faster builds
- Document required GitHub Secrets in docs/deployment.md

Closes rb-s6j

Amp-Thread-ID: https://ampcode.com/threads/T-019ba734-5d2d-76f9-af80-0cef9b28f467
Co-authored-by: Amp <amp@ampcode.com>

Author: zainfathoni

.github/workflows/deploy.yml

@@ -0,0 +1,246 @@
+# Kamal deployment workflow
+# Deploys to production after all tests pass on push to main
+
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch: # Allow manual deployment
+
+jobs:
+  # Run all tests before deploying
+  cache-npm:
+    name: Cache NPM libraries
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24.x'
+
+      - name: Restore NPM cache
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install locked dependencies
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: npm ci
+
+  lint:
+    name: ESLint
+    runs-on: ubuntu-latest
+    needs: cache-npm
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24.x'
+
+      - name: Restore NPM cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install locked dependencies
+        run: npm ci
+
+      - name: Generate Prisma Client
+        run: npx prisma generate
+
+      - name: Build CSS assets from Tailwind CSS
+        run: npm run build:css
+
+      - name: Lint files
+        run: npm run lint
+        env:
+          CI: true
+
+  type-check:
+    name: Type check
+    runs-on: ubuntu-latest
+    needs: cache-npm
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24.x'
+
+      - name: Restore NPM cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install locked dependencies
+        run: npm ci
+
+      - name: Generate Prisma Client
+        run: npx prisma generate
+
+      - name: Type check
+        run: npm run type-check
+        env:
+          CI: true
+
+  unit-test:
+    name: Unit and integration test
+    runs-on: ubuntu-latest
+    needs: cache-npm
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24.x'
+
+      - name: Restore NPM cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install locked dependencies
+        run: npm ci
+
+      - name: Run unit and integration tests
+        run: npm t
+        env:
+          CI: true
+
+  e2e-test:
+    name: End-to-end test
+    runs-on: ubuntu-latest
+    needs: cache-npm
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24.x'
+
+      - name: Restore NPM cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**/playwright.config.ts') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install locked dependencies
+        run: npm ci
+
+      - name: Restore cached Playwright dependencies
+        id: cache-playwright
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**/playwright.config.ts') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - name: Install Playwright browsers with dependencies
+        if: steps.cache-playwright.outputs.cache-hit != 'true'
+        run: npx playwright install --with-deps
+
+      - name: Install Playwright system dependencies (on cache hit)
+        if: steps.cache-playwright.outputs.cache-hit == 'true'
+        run: npx playwright install-deps
+
+      - name: Run end-to-end tests
+        run: npm run test:e2e:run
+        env:
+          CI: true
+          SESSION_SECRET: ${{ secrets.SESSION_SECRET }}
+          MAGIC_LINK_SECRET: ${{ secrets.MAGIC_LINK_SECRET }}
+          MAILGUN_SENDING_KEY: nothing
+          MAILGUN_DOMAIN: nothing
+
+  deploy:
+    name: Deploy to production
+    runs-on: ubuntu-latest
+    needs: [lint, type-check, unit-test, e2e-test]
+    # Only run on push to main (not on PRs)
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.KAMAL_REGISTRY_PASSWORD }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/zainfathoni/kelas.rumahberbagi.com:${{ github.sha }}
+            ghcr.io/zainfathoni/kelas.rumahberbagi.com:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64
+
+      - name: Set up Ruby for Kamal
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3'
+
+      - name: Install Kamal
+        run: gem install kamal
+
+      - name: Set up SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan -H 103.235.75.227 >> ~/.ssh/known_hosts
+
+      - name: Create Kamal secrets file
+        run: |
+          mkdir -p .kamal
+          cat > .kamal/secrets << EOF
+          KAMAL_REGISTRY_PASSWORD=${{ secrets.KAMAL_REGISTRY_PASSWORD }}
+          SESSION_SECRET=${{ secrets.SESSION_SECRET }}
+          MAGIC_LINK_SECRET=${{ secrets.MAGIC_LINK_SECRET }}
+          MAILGUN_SENDING_KEY=${{ secrets.MAILGUN_SENDING_KEY }}
+          MAILGUN_DOMAIN=${{ secrets.MAILGUN_DOMAIN }}
+          EOF
+
+      - name: Deploy with Kamal
+        run: kamal deploy --skip-push --version ${{ github.sha }}
+        env:
+          KAMAL_REGISTRY_PASSWORD: ${{ secrets.KAMAL_REGISTRY_PASSWORD }}

docs/deployment.md

@@ -0,0 +1,92 @@
+# Deployment
+
+This project uses [Kamal 2.0](https://kamal-deploy.org/) for production
+deployment.
+
+## Overview
+
+- **Production URL**: <https://kelas.rumahberbagi.com>
+- **VPS**: 103.235.75.227 (Jetorbit)
+- **Container Registry**: GitHub Container Registry (ghcr.io)
+- **SSL**: Managed by kamal-proxy (Let's Encrypt)
+
+## CI/CD Pipeline
+
+Deployment is automated via GitHub Actions:
+
+1. Push to `main` branch triggers the deploy workflow
+2. All tests must pass (lint, type-check, unit tests, E2E tests)
+3. Docker image is built with layer caching
+4. Image is pushed to GitHub Container Registry
+5. Kamal deploys to production VPS
+
+## Required GitHub Secrets
+
+Configure these secrets in your repository settings
+(`Settings > Secrets and variables > Actions`):
+
+| Secret                    | Description                                              |
+| ------------------------- | -------------------------------------------------------- |
+| `SSH_PRIVATE_KEY`         | SSH private key for accessing the VPS                    |
+| `KAMAL_REGISTRY_PASSWORD` | GitHub Personal Access Token with `write:packages` scope |
+| `SESSION_SECRET`          | Session encryption secret                                |
+| `MAGIC_LINK_SECRET`       | Magic link email authentication secret                   |
+| `MAILGUN_SENDING_KEY`     | Mailgun API key for sending emails                       |
+| `MAILGUN_DOMAIN`          | Mailgun domain (e.g., `mg.rumahberbagi.com`)             |
+
+### SSH Key Setup
+
+1. Generate an SSH key pair (if not already done):
+
+   ```bash
+   ssh-keygen -t ed25519 -C "github-actions-deploy" -f ~/.ssh/kamal_deploy
+   ```
+
+2. Add the public key to the VPS:
+
+   ```bash
+   ssh-copy-id -i ~/.ssh/kamal_deploy.pub root@103.235.75.227
+   ```
+
+3. Add the private key content to GitHub secret `SSH_PRIVATE_KEY`
+
+### GitHub Container Registry Token
+
+1. Create a Personal Access Token at <https://github.com/settings/tokens>
+2. Select scope: `write:packages`
+3. Add the token to GitHub secret `KAMAL_REGISTRY_PASSWORD`
+
+## Manual Deployment
+
+Deploy manually from your local machine:
+
+```bash
+# Set up secrets in .kamal/secrets (see .kamal/secrets.example)
+kamal deploy
+```
+
+## Configuration Files
+
+- `config/deploy.yml` - Kamal deployment configuration
+- `.github/workflows/deploy.yml` - CI/CD workflow
+- `Dockerfile` - Multi-stage Docker build
+
+## Rollback
+
+To rollback to a previous version:
+
+```bash
+kamal rollback <version>
+```
+
+## Logs
+
+View application logs:
+
+```bash
+kamal app logs
+```
+
+## Database Backups
+
+See [backup-setup.md](backup-setup.md) for database backup configuration.

vercel.json

@@ -1,4 +1,7 @@
 {
+  "git": {
+    "deploymentEnabled": false
+  },
   "build": {
     "env": {
       "ENABLE_FILE_SYSTEM_API": "1"