diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 03cdeb5..c061d32 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -1,3 +1,10 @@
+# Build image, push to Gitea registry, trigger Portainer redeploy via webhook.
+# Stack managed by Portainer (type=git). Env vars live in Portainer stack Env.
+#
+# Repo secrets required:
+# REGISTRY_TOKEN ci user token, scope write:package
+# PORTAINER_WEBHOOK_URL POST URL from Portainer stack auto-update setting
+
 name: Deploy
 
 on:
@@ -5,15 +12,9 @@ on:
 branches:
 - main
 workflow_dispatch:
- inputs:
- reason:
- description: "Reason for manual deploy"
- required: false
- default: "manual"
 
 env:
- COMPOSE_PROJECT: pngx-controller
- COMPOSE_FILE: docker-compose.yml
+ IMAGE: git.domverse-berlin.eu/ci/pngx-sync/app
 
 jobs:
 deploy:
@@ -21,43 +22,26 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - with: - token: ${{ secrets.GITEA_TOKEN }} - - name: Bump patch version - if: github.event_name != 'workflow_dispatch' - run: | - VERSION=$(cat VERSION) - MAJOR=$(echo $VERSION | cut -d. -f1) - MINOR=$(echo $VERSION | cut -d. -f2) - PATCH=$(echo $VERSION | cut -d. -f3) - NEW_VERSION="$MAJOR.$MINOR.$((PATCH + 1))" - echo $NEW_VERSION > VERSION - echo "APP_VERSION=$NEW_VERSION" >> $GITHUB_ENV - git config user.email "ci@domverse-berlin.eu" - git config user.name "CI" - git add VERSION - git commit -m "chore: bump version to $NEW_VERSION [skip ci]" - git push + - name: Login to Gitea registry + run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.domverse-berlin.eu -u ci --password-stdin - - name: Write .env + - name: Build and push run: | - cat > .env << EOF - SECRET_KEY=${{ secrets.PNGX_SECRET_KEY }} - MASTER_URL=${{ secrets.PNGX_MASTER_URL }} - MASTER_TOKEN=${{ secrets.PNGX_MASTER_TOKEN }} - TS_AUTHKEY=${{ secrets.TS_AUTHKEY }} - EOF + docker build --build-arg APP_VERSION="${{ gitea.sha }}" \ + -t "$IMAGE:latest" -t "$IMAGE:${{ gitea.sha }}" . 
+ docker push "$IMAGE:latest" + docker push "$IMAGE:${{ gitea.sha }}" - - name: Deploy with docker compose + - name: Trigger Portainer redeploy (retry on transient pull-lease failure) run: | - APP_VERSION=${APP_VERSION:-$(cat VERSION)} - echo "=== Deploying $APP_VERSION (commit ${{ gitea.sha }}) to ${{ gitea.ref_name }} ===" - docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" build --build-arg APP_VERSION=$APP_VERSION - docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" up -d --remove-orphans + for i in 1 2 3; do + code=$(curl -sk -X POST -o /dev/null -w '%{http_code}' "${{ secrets.PORTAINER_WEBHOOK_URL }}") + echo "attempt $i -> $code" + [ "$code" = "204" ] && exit 0 + sleep 5 + done + exit 1 - name: Prune dangling images run: docker image prune -f - - - name: Show running containers - run: docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" ps diff --git a/docker-compose.yml b/docker-compose.yml index f914f03..e42f4ea 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
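Review bot: The "Trigger Portainer redeploy" step calls the webhook with `curl -sk`, and `-k` disables TLS certificate verification on the very request that carries the secret webhook URL (Portainer webhook URLs are bearer-style secrets), so a misdirected or intercepted connection hands the trigger out; drop `-k` (or pass `--cacert` if the endpoint sits behind an internal CA) and use `-sS` so a failed attempt prints curl's error rather than only the status code. Both the login and webhook steps also splice `${{ secrets.* }}` expressions straight into shell text; routing them through the step's `env:` block and referencing `"$REGISTRY_TOKEN"` / `"$PORTAINER_WEBHOOK_URL"` keeps the values out of the script body and out of shell metacharacter interpretation. After the push, the registry credential written by `docker login` remains in the runner's Docker config, so a `docker logout git.domverse-berlin.eu` step guarded by `if: always()` would clear it even when the webhook loop ends with `exit 1` (which, as written, also skips the prune step). The job header (`runs-on`) sits above this hunk.
```yaml
      - name: Login to Gitea registry
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: echo "$REGISTRY_TOKEN" | docker login git.domverse-berlin.eu -u ci --password-stdin
      # … unchanged: Build and push step …
      - name: Trigger Portainer redeploy (retry on transient pull-lease failure)
        env:
          PORTAINER_WEBHOOK_URL: ${{ secrets.PORTAINER_WEBHOOK_URL }}
        run: |
          for i in 1 2 3; do
            code=$(curl -sS -X POST -o /dev/null -w '%{http_code}' "$PORTAINER_WEBHOOK_URL")
            # … unchanged: echo attempt, 204 check, sleep, done, exit 1 …
      # … unchanged: Prune dangling images step …
      - name: Logout from Gitea registry
        if: always()
        run: docker logout git.domverse-berlin.eu
```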
@@ -26,28 +26,29 @@ services:
 - "traefik.http.routers.pngx-controller.rule=Host(`pngx.domverse-berlin.eu`)"
 - "traefik.http.routers.pngx-controller.entrypoints=https"
 - "traefik.http.routers.pngx-controller.tls.certresolver=http"
- - "traefik.http.routers.pngx-controller.middlewares=authentik@docker"
+ - "traefik.http.routers.pngx-controller.middlewares=crowdsec@file,authentik@docker"
 - "traefik.http.services.pngx-controller.loadbalancer.server.port=8000"
 
 pngx-controller:
- build:
- context: .
- args:
- APP_VERSION: ${APP_VERSION:-dev}
+ image: git.domverse-berlin.eu/ci/pngx-sync/app:${TAG:-latest}
 container_name: pngx-controller
 restart: unless-stopped
 depends_on:
 - pngx-controller-ts
 network_mode: "service:pngx-controller-ts"
- env_file: .env
 environment:
 DATABASE_URL: sqlite:////data/db.sqlite3
+ SECRET_KEY: ${SECRET_KEY}
+ MASTER_URL: ${MASTER_URL}
+ MASTER_TOKEN: ${MASTER_TOKEN}
 volumes:
- - ./data:/data
+ - pngx-data:/data
 
 volumes:
 tailscale-state:
 driver: local
+ pngx-data:
+ driver: local
 
 networks:
 default: {}
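Review bot: The three new `environment` entries use bare `${SECRET_KEY}` / `${MASTER_URL}` / `${MASTER_TOKEN}`, which Compose replaces with an empty string (and only a warning) when the variable is missing from the Portainer stack env, so a misconfigured stack starts with an empty `SECRET_KEY` instead of failing; the required form `SECRET_KEY: ${SECRET_KEY:?SECRET_KEY is not set}` (likewise for the other two) makes the deploy abort loudly. The move from the bind mount `./data:/data` to the named volume `pngx-data:/data` means the existing `db.sqlite3` is not carried over unless it is copied into the new volume before the first redeploy, so a comment on the `pngx-data` volume noting that one-time migration would help the next operator. `TS_AUTHKEY`, which the removed `.env` used to provide, no longer appears in this service's environment — presumably it is set on `pngx-controller-ts` outside the hunk, but that is worth confirming. Since the workflow also pushes a commit-SHA tag but nothing here sets `TAG`, every webhook redeploy resolves `latest`; setting `TAG` to the SHA in the stack env would make rollbacks reproducible.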