Internal Governance AI Transformation

iGAT

Internal Governance AI Transformation — LGU Server Releases

Official installation guide and release manifests for iGAT. Prebuilt Docker images with signed digests, automated update scripts, and separate channels for Subscription and Perpetual license tracks.

$ ./scripts/update-lgu.sh --auto --manifest-url https://releases.igat.com.ph/releases/subscription/latest.json
Requires Docker + Ubuntu 24.04 LTS

Installation

Deploy the full iGAT stack on a bare Ubuntu 24.04 LTS server. No source code distribution required — all images are pulled from GHCR. Estimated time: under 10 minutes on a clean machine.

01
Install Docker
Use the official Docker install script — not the Ubuntu snap package. Add your user to the docker group, then log out and back in.
bash
# Official Docker Engine install (not snap)
curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker "$USER"
# Log out and back in to apply group, then verify
docker --version && docker compose version
02
Authenticate with GHCR
iGAT images are hosted on GitHub Container Registry (GHCR). Create a GitHub Personal Access Token with read:packages scope at github.com/settings/tokens.
bash
echo "<YOUR_GITHUB_PAT>" | docker login ghcr.io \
  -u <your-github-username> --password-stdin
# Expected output: Login Succeeded
03
Clone deployment files
Sparse-clone only the deployment configuration — no application source code is transferred to the server.
bash
sudo mkdir -p /opt/igat && sudo chown "$USER:$USER" /opt/igat && cd /opt/igat

git clone --depth 1 --filter=blob:none --sparse \
  https://github.com/spc-economic-zone/igat.git .

git sparse-checkout set \
  docker-compose.prod.yml docker/ scripts/ .env.prod.example
04
Configure environment
Copy the example env file and set required values. At minimum: a strong POSTGRES_PASSWORD and the public domain for NEXT_PUBLIC_API_URL.
env
IGAT_REGISTRY=ghcr.io
IGAT_IMAGE_PREFIX=spc-economic-zone/igat
IGAT_VERSION=1.0.0-rc.1

POSTGRES_PASSWORD=<strong-password>
NEXT_PUBLIC_API_URL=https://spc.igat.com.ph

STORAGE_PROVIDER=local
NAS_UPLOADS_PATH=./volumes/uploads
NAS_BACKUPS_PATH=./volumes/backups
05
Pull images and start the stack
Pull all images from GHCR. Start PostgreSQL first to allow schema initialization before the API starts.
bash
mkdir -p volumes/uploads volumes/backups
docker compose --env-file .env.prod -f docker-compose.prod.yml pull

# Start database first, wait for init
docker compose --env-file .env.prod -f docker-compose.prod.yml up -d postgres redis
sleep 8

# Start full stack
docker compose --env-file .env.prod -f docker-compose.prod.yml up -d
06
Run migrations and seed
Initialize the database schema and create the initial data set. Run the seed command only on first install.
bash
docker compose --env-file .env.prod -f docker-compose.prod.yml \
  exec api bun run db:migrate

# First install only
docker compose --env-file .env.prod -f docker-compose.prod.yml \
  exec api bun run db:seed
07
Start Cloudflare Tunnel
iGAT uses Cloudflare Tunnel for secure remote access — no inbound ports are opened on the office router. Obtain your tunnel token from Cloudflare Zero Trust → Networks → Tunnels.
bash
mkdir -p /opt/igat-gateway && cd /opt/igat-gateway
cp /opt/igat/docker/cloud-gateway/docker-compose.yml .

echo "CLOUDFLARE_TUNNEL_TOKEN=<your-token>" > .env.gateway

docker network create igat_default 2>/dev/null || true
docker compose --env-file .env.gateway up -d cloudflared

# Verify — look for "Registered tunnel connection"
docker logs igat-cloudflared --tail 20

Release Channels

Point update-lgu.sh at the manifest URL for your license track. The script validates entitlements, backs up the database, pulls the new image, and rolls back automatically on health check failure.

Every release
Subscription
All stable releases — major, minor, and patch. Updated on every release cycle.
Major only
Perpetual
Major version releases only (X.0.0). Minor and patch releases are skipped.
bash — update-lgu.sh
# Subscription — pull latest stable release
./scripts/update-lgu.sh --auto \
  --manifest-url https://releases.igat.com.ph/releases/subscription/latest.json

# Perpetual — pull latest major release only
./scripts/update-lgu.sh --auto \
  --manifest-url https://releases.igat.com.ph/releases/perpetual/latest.json

# Preview a specific version without applying
./scripts/update-lgu.sh --dry-run 1.2.0
01 / Integrity
Digest-pinned
Every manifest contains SHA256 image digests. Images are verified before deployment.
02 / Resilience
Auto-rollback
Health checks run after every update. Failures automatically restore the previous version.
03 / Compliance
License-gated
Entitlement validation runs before any upgrade. Perpetual licenses cannot exceed their major cap.
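
An operator can apply the same digest-pinning and license-track rules independently before running update-lgu.sh --auto. The POSIX shell functions below are an added example, not code from update-lgu.sh or the iGAT project. Function names, the sample image name and the sample digest are constructed, and values are passed as arguments because the manifest schema is not shown on this page.

```shell
#!/bin/sh
# Added example: operator-side pre-flight checks; not part of update-lgu.sh.

# is_pinned_ref REF: succeed only if REF ends in @sha256:<64 lowercase hex digits>.
is_pinned_ref() {
  _digest=${1##*@sha256:}
  [ "$_digest" != "$1" ] || return 1          # no digest at all (tag-only reference)
  [ "${#_digest}" -eq 64 ] || return 1        # truncated or padded digest
  case $_digest in *[!0123456789abcdef]*) return 1 ;; esac
  return 0
}

# track_allows TRACK VERSION [MAJOR_CAP]: apply the channel rules stated on the page.
# Assumption: "stable" means plain X.Y.Z, so pre-release tags such as -rc.1 are refused.
track_allows() {
  _track=$1 _ver=$2 _cap=${3:-}
  case $_ver in
    *[!0-9.]* | *..* | .* | *. | *.*.*.*) return 1 ;;
    *.*.*) ;;
    *) return 1 ;;
  esac
  case $_track in
    subscription) return 0 ;;
    perpetual)
      [ "${_ver#*.}" = "0.0" ] || return 1     # major releases only (X.0.0)
      [ -z "$_cap" ] || [ "${_ver%%.*}" -le "$_cap" ] ;;
    *) return 1 ;;                             # unknown track: fail closed
  esac
}

# pulled_matches_pin REF REPODIGESTS: REPODIGESTS is the output of
#   docker image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$REF"
pulled_matches_pin() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Constructed sample values (image name and digest are placeholders).
SAMPLE_REF="ghcr.io/spc-economic-zone/igat/api@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

if is_pinned_ref "$SAMPLE_REF" && track_allows perpetual 2.0.0 2; then
  echo "ok: pinned reference, version allowed on this track"
else
  echo "refuse update"
fi
```

A tag-only reference, a pre-release version, or a perpetual upgrade past the major cap each makes the corresponding function return non-zero, so a wrapper can stop before any image is pulled.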