# CI for the dezky monorepo (Gitea Actions). Installs deps and typechecks each # app/service independently — the repo is NOT a single pnpm workspace yet, so # every app has its own lockfile and is built from its own directory. name: ci on: push: branches: [main] pull_request: jobs: typecheck: runs-on: ubuntu-latest strategy: fail-fast: false matrix: target: - { name: platform-api, dir: services/platform-api } - { name: portal, dir: apps/portal } - { name: booking, dir: apps/booking } - { name: website, dir: apps/website } - { name: operator, dir: apps/operator } defaults: run: working-directory: ${{ matrix.target.dir }} steps: - uses: actions/checkout@v4 # Node comes from the runner image (catthehacker ships node 24) — NOT # actions/setup-node, whose shared tool-cache races across concurrent jobs # ("node: Text file busy"). corepack (bundled with node) reads each app's # own packageManager — what this per-app monorepo (no root package.json) needs. - name: Install run: | corepack enable pnpm install --frozen-lockfile - name: Typecheck run: pnpm typecheck test: runs-on: ubuntu-latest defaults: run: working-directory: services/platform-api steps: - uses: actions/checkout@v4 - name: Install run: | corepack enable pnpm install --frozen-lockfile - name: Test run: pnpm test # Build + push app images to the Gitea container registry. Only on main, after # typecheck + test pass. Uses the runner's job token to auth to the registry # (same Gitea instance), and the dind sidecar for docker build. build: runs-on: ubuntu-latest needs: [typecheck, test] if: github.event_name == 'push' && github.ref == 'refs/heads/main' strategy: fail-fast: false matrix: app: - { name: portal, dir: apps/portal } - { name: booking, dir: apps/booking } - { name: platform-api, dir: services/platform-api } - { name: operator, dir: apps/operator } steps: - uses: actions/checkout@v4 # REGISTRY_TOKEN is a Gitea personal access token with package read+write # scope (repo Settings → Actions → Secrets). The per-job GITHUB_TOKEN # stopped being accepted by the registry's /v2/ basic-auth endpoint after # the act_runner → gitea/runner switch, so registry pushes use a PAT. - name: Registry login run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.lastcloud.io -u "${{ github.actor }}" --password-stdin - name: Build + push run: | IMG=git.lastcloud.io/ronnibaslund/dezky/${{ matrix.app.name }} # The commit SHA tag is what the deploy job pins the cluster to; # ':latest' is kept for humans / manual pulls only. docker build \ -t "$IMG:latest" \ -t "$IMG:${{ github.sha }}" \ "${{ matrix.app.dir }}" docker push "$IMG:latest" docker push "$IMG:${{ github.sha }}" # Deploy the freshly built images to the k3s cluster the runner already runs # in. No GitOps controller in between: kustomize pins each Deployment to this # commit's SHA tag and kubectl applies the manifests, so "push to main" IS # the release. Auth is the KUBECONFIG_B64 repo secret — a kubeconfig for the # ci-deployer ServiceAccount (see infrastructure/production/fleet/ci/ # ci-deployer.yaml), reaching the API server on the in-cluster service IP. deploy: runs-on: ubuntu-latest needs: [build] if: github.event_name == 'push' && github.ref == 'refs/heads/main' steps: - uses: actions/checkout@v4 - name: Install kubectl + kustomize run: | curl -fsSLo /usr/local/bin/kubectl https://dl.k8s.io/release/v1.33.4/bin/linux/amd64/kubectl chmod +x /usr/local/bin/kubectl curl -fsSL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz \ | tar -xz -C /usr/local/bin kustomize - name: Deploy to k3s env: KUBECONFIG_B64: ${{ secrets.KUBECONFIG_B64 }} run: | export KUBECONFIG=/tmp/kubeconfig echo "$KUBECONFIG_B64" | base64 -d > "$KUBECONFIG" cd infrastructure/production/fleet/apps for app in platform-api portal booking operator; do kustomize edit set image \ "git.lastcloud.io/ronnibaslund/dezky/$app=git.lastcloud.io/ronnibaslund/dezky/$app:${{ github.sha }}" done kubectl apply -k . for app in platform-api portal booking operator; do kubectl -n dezky-apps rollout status "deploy/$app" --timeout=180s done