rlabadmin
db407a1705
Gitea's built-in GITHUB_TOKEN was not authorized to push to the container registry on this instance. Use an explicit PAT stored in repo secrets instead. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
91 lines
3.2 KiB
YAML
91 lines
3.2 KiB
YAML
# .gitea/workflows/flow.yml
|
|
# =============================================================
|
|
# serso — generic CI/CD flow
|
|
# Copy into any app repo as .gitea/workflows/flow.yml
|
|
# Adjust the env block (STACK_NAME, SERVICE_NAME, APP_DOMAIN) per app
|
|
# =============================================================
|
|
|
|
name: Build & Deploy
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
# ─── Registry ─────────────────────────────────────────────
|
|
REGISTRY: git.dev.serso.org
|
|
IMAGE: ${{ github.repository }} # → owner/reponame
|
|
|
|
# ─── Per-app knobs (edit these) ───────────────────────────
|
|
STACK_NAME: testwebsite # Swarm stack name
|
|
SERVICE_NAME: testwebsite_web # {stack}_{service}
|
|
APP_DOMAIN: testwebsite.dev.serso.org # used only for logging
|
|
|
|
jobs:
|
|
|
|
# ============================================================
|
|
# 1. Build image + push to Gitea registry
|
|
# ============================================================
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
image_tag: ${{ steps.meta.outputs.tag }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Compute tag
|
|
id: meta
|
|
run: echo "tag=${{ github.sha }}" >> $GITHUB_OUTPUT
|
|
|
|
- name: Log in to Gitea registry
|
|
run: |
|
|
echo "${{ secrets.REGISTRY_PASSWORD }}" | \
|
|
docker login ${{ env.REGISTRY }} \
|
|
--username "${{ secrets.REGISTRY_USER }}" \
|
|
--password-stdin
|
|
|
|
- name: Build image
|
|
run: |
|
|
docker build \
|
|
-t ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ steps.meta.outputs.tag }} \
|
|
-t ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest \
|
|
.
|
|
|
|
- name: Push image
|
|
run: |
|
|
docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ steps.meta.outputs.tag }}
|
|
docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest
|
|
|
|
# ============================================================
|
|
# 2. Deploy to Swarm (rolling update)
|
|
# ============================================================
|
|
deploy:
|
|
needs: build
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Prepare SSH
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/deploy_key
|
|
chmod 600 ~/.ssh/deploy_key
|
|
ssh-keyscan -H ${{ secrets.DEPLOY_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
|
|
|
|
- name: Rolling deploy on Swarm
|
|
run: |
|
|
ssh -i ~/.ssh/deploy_key \
|
|
${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} \
|
|
"docker service update \
|
|
--image ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ needs.build.outputs.image_tag }} \
|
|
--with-registry-auth \
|
|
--update-order start-first \
|
|
--update-failure-action rollback \
|
|
${{ env.SERVICE_NAME }}"
|
|
|
|
- name: Deployed 🎉
|
|
run: |
|
|
echo "App deployed at https://${{ env.APP_DOMAIN }}"
|
|
echo "Image: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ needs.build.outputs.image_tag }}"
|