Michael Czechowski
3045ac0726
Replaces the GitHub Pages workflow with a Gitea Actions pipeline that publishes the cc image to `git.librete.ch/libretech/code-crispies` and ssh-deploys it to `/srv/cc` on netcup.
## Changes
- `.gitea/workflows/ci.yml` — npm test + sanity build (with placeholder VITE_*) on every push / PR.
- `.gitea/workflows/deploy.yml` — single-job build → push → ssh-deploy → /healthz check, gated on `vars.DEPLOY_ENABLED`. Tag push → `:vX.Y.Z` + `:latest`; main push → `:main` + `:sha-<7>`.
- `compose.yaml` — adds `image: ${CC_IMAGE:-cc:local}` so production pulls the published tag while dev still builds locally.
- Both workflows pin `git.librete.ch/libretech/runner-image:v1` (no third-party Docker Hub images, no `--user root`).
## Operator follow-up (before merging into hot deploy)
- Set repo secrets at `https://git.librete.ch/libretech/code-crispies/settings/actions/secrets`:
- `REGISTRY=git.librete.ch`
- `REGISTRY_USER=libretech` (user-namespace packages — bot can't push)
- `REGISTRY_PASS=<libretech package PAT>` (same PAT used for `libretech/runner-image`)
- `DEPLOY_HOST=root@cloud.librete.ch`
- `DEPLOY_KEY=<bot deploy private key>` (same key as librenotes deploy)
- `DEPLOY_PATH=/srv/cc`
- `HEALTH_URL=https://cc.cloud.librete.ch/`
- `VITE_SUPABASE_URL=https://yretixuyfuiresnrjkbs.supabase.co`
- `VITE_SUPABASE_ANON_KEY=<the anon key>` (public-by-design supabase key)
- Set repo variable `DEPLOY_ENABLED=true` once the secrets are in.
- Add `CC_IMAGE=git.librete.ch/libretech/code-crispies:main` to `/srv/cc/.env` on netcup (no rebuild on host).
## Verification
- `yq -e .` parses both workflow YAMLs.
- `docker compose config` resolves cleanly in both build mode (no `CC_IMAGE`) and image-pull mode (`CC_IMAGE=test:1`).
- `npm test` is the same script the previous github-pages workflow ran.
Reviewed-on: libretech/code-crispies#14
Co-authored-by: Michael Czechowski <mail@dailysh.it>
Co-committed-by: Michael Czechowski <mail@dailysh.it>
90 lines
2.9 KiB
YAML
90 lines
2.9 KiB
YAML
name: Deploy
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
tags: ["v*"]
|
|
|
|
# Required repository secrets:
|
|
# REGISTRY git.librete.ch
|
|
# REGISTRY_USER libretech (user-namespace packages — bot can't push)
|
|
# REGISTRY_PASS libretech-user PAT scoped write:package
|
|
# DEPLOY_HOST user@your-deploy-host
|
|
# DEPLOY_KEY passphrase-less private key on netcup root authorized_keys
|
|
# DEPLOY_PATH /srv/cc
|
|
# HEALTH_URL https://cc.cloud.librete.ch/
|
|
# VITE_SUPABASE_URL public; baked at build time
|
|
# VITE_SUPABASE_ANON_KEY public-by-design supabase anon key; baked at build time
|
|
#
|
|
# Required repository variable:
|
|
# DEPLOY_ENABLED "true" to enable
|
|
#
|
|
# Image: git.librete.ch/public/code-crispies
|
|
# main pushes → :main + :sha-<short>
|
|
# tag pushes → :<tag> + :latest
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: git.librete.ch/libretech/runner-image:v1
|
|
timeout-minutes: 20
|
|
if: ${{ vars.DEPLOY_ENABLED == 'true' }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: docker/setup-buildx-action@v3
|
|
|
|
- uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ secrets.REGISTRY }}
|
|
username: ${{ secrets.REGISTRY_USER }}
|
|
password: ${{ secrets.REGISTRY_PASS }}
|
|
|
|
- id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ secrets.REGISTRY }}/public/code-crispies
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=tag
|
|
type=sha,format=short
|
|
type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}
|
|
|
|
- uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
build-args: |
|
|
VITE_SUPABASE_URL=${{ secrets.VITE_SUPABASE_URL }}
|
|
VITE_SUPABASE_ANON_KEY=${{ secrets.VITE_SUPABASE_ANON_KEY }}
|
|
|
|
- name: Deploy to host
|
|
env:
|
|
DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
|
|
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
|
|
DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
|
|
HEALTH_URL: ${{ secrets.HEALTH_URL }}
|
|
run: |
|
|
mkdir -p ~/.ssh && chmod 700 ~/.ssh
|
|
printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/id_deploy
|
|
chmod 600 ~/.ssh/id_deploy
|
|
|
|
ssh -i ~/.ssh/id_deploy \
|
|
-o StrictHostKeyChecking=accept-new \
|
|
"$DEPLOY_HOST" \
|
|
"set -e
|
|
cd '$DEPLOY_PATH'
|
|
git pull --ff-only
|
|
docker compose pull
|
|
docker compose up -d --remove-orphans"
|
|
|
|
# Wait up to 60s for the cc vhost to return a 200.
|
|
for i in $(seq 1 12); do
|
|
curl -fsS "$HEALTH_URL" >/dev/null && exit 0
|
|
sleep 5
|
|
done
|
|
echo "deploy health check failed"; exit 1
|