- stack.yml: parameterize image tag with ${IMAGE_TAG:-latest} so callers
can pin the SHA; falls back to :latest for manual invocations
- flow.yml: replace service update with `docker stack deploy -c -`
piped over SSH. Handles both first-time deploy and rolling updates.
No more manual `docker stack deploy` on the manager before CI works.
Portainer can still view the stack but should not auto-update the same
one from git — two writers will conflict.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- DEPLOY_HOST / DEPLOY_USER / REGISTRY_USER now read from vars.*,
set once at /admin/actions/variables and inherited by all repos
- DEPLOY_SSH_KEY / REGISTRY_PASSWORD stay as secrets.*
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Gitea's built-in GITHUB_TOKEN was not authorized to push to the
container registry on this instance. Use an explicit PAT stored in
repo secrets instead.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The hello-world test confirmed ba-runner's default ubuntu-latest image
has docker CLI and Node. Overriding to docker:27-cli stripped Node and
broke actions/checkout@v4 (a JS action). Use the default image.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ba-runner already binds /var/run/docker.sock into every job container,
so declaring it in the workflow caused a Duplicate mount point error.
Keep the docker:27-cli image; let the runner provide the socket.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
act_runner spawns an ephemeral container per job; the default image
lacks the docker CLI and cannot reach the host's Docker daemon. Use
the official docker:27-cli image and bind-mount /var/run/docker.sock
so docker build/push target the host engine.
Requires runner config.yaml to include /var/run/docker.sock in
container.valid_volumes; otherwise the mount is rejected.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Avoids needing to configure REGISTRY_USER / REGISTRY_PASSWORD secrets.
Gitea injects a per-run token scoped to the repo's own packages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- public/index.html served via nginx.conf (port 8080)
- Dockerfile: nginx:1.27-alpine + HEALTHCHECK
- .gitea/workflows/flow.yml: build + push to Gitea registry, rolling deploy
- stack.yml: Swarm service wired to Traefik (host testwebsite.dev.serso.org)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
rlabadmin