ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
1114be6c93a0bad95758ebe2caf9443df2762af7
dezky/.gitea/workflows/ci.yml
T
Ronni Baslund 3590c356a4
ci / build (map[dir:apps/booking name:booking]) (push) Failing after 6s
Details
ci / deploy (push) Has been skipped
Details
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 24s
Details
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 24s
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 23s
Details
ci / test (push) Successful in 31s
Details
ci / build (map[dir:apps/operator name:operator]) (push) Failing after 6s
Details
ci / build (map[dir:apps/portal name:portal]) (push) Failing after 6s
Details
ci / build (map[dir:services/platform-api name:platform-api]) (push) Failing after 6s
Details
fix(ci): registry login via REGISTRY_TOKEN PAT 
The per-job GITHUB_TOKEN is no longer accepted by the container registry's
/v2/ basic-auth endpoint since the act_runner -> gitea/runner switch (login
fails 'unauthorized' before push). Use a personal access token with package
read+write scope, provided as the REGISTRY_TOKEN repo secret.
2026-06-10 08:18:32 +02:00

125 lines
4.8 KiB
YAML
Raw Blame History

# CI for the dezky monorepo (Gitea Actions). Installs deps and typechecks each
# app/service independently — the repo is NOT a single pnpm workspace yet, so
# every app has its own lockfile and is built from its own directory.
name: ci
on:
push:
branches: [main]
pull_request:
jobs:
typecheck:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target:
- { name: platform-api, dir: services/platform-api }
- { name: portal, dir: apps/portal }
- { name: booking, dir: apps/booking }
- { name: website, dir: apps/website }
- { name: operator, dir: apps/operator }
defaults:
run:
working-directory: ${{ matrix.target.dir }}
steps:
- uses: actions/checkout@v4
# Node comes from the runner image (catthehacker ships node 24) — NOT
# actions/setup-node, whose shared tool-cache races across concurrent jobs
# ("node: Text file busy"). corepack (bundled with node) reads each app's
# own packageManager — what this per-app monorepo (no root package.json) needs.
- name: Install
run: |
corepack enable
pnpm install --frozen-lockfile
- name: Typecheck
run: pnpm typecheck
test:
runs-on: ubuntu-latest
defaults:
run:
working-directory: services/platform-api
steps:
- uses: actions/checkout@v4
- name: Install
run: |
corepack enable
pnpm install --frozen-lockfile
- name: Test
run: pnpm test
# Build + push app images to the Gitea container registry. Only on main, after
# typecheck + test pass. Uses the runner's job token to auth to the registry
# (same Gitea instance), and the dind sidecar for docker build.
build:
runs-on: ubuntu-latest
needs: [typecheck, test]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
strategy:
fail-fast: false
matrix:
app:
- { name: portal, dir: apps/portal }
- { name: booking, dir: apps/booking }
- { name: platform-api, dir: services/platform-api }
- { name: operator, dir: apps/operator }
steps:
- uses: actions/checkout@v4
# REGISTRY_TOKEN is a Gitea personal access token with package read+write
# scope (repo Settings → Actions → Secrets). The per-job GITHUB_TOKEN
# stopped being accepted by the registry's /v2/ basic-auth endpoint after
# the act_runner → gitea/runner switch, so registry pushes use a PAT.
- name: Registry login
run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.lastcloud.io -u "${{ github.actor }}" --password-stdin
- name: Build + push
run: |
IMG=git.lastcloud.io/ronnibaslund/dezky/${{ matrix.app.name }}
# The commit SHA tag is what the deploy job pins the cluster to;
# ':latest' is kept for humans / manual pulls only.
docker build \
-t "$IMG:latest" \
-t "$IMG:${{ github.sha }}" \
"${{ matrix.app.dir }}"
docker push "$IMG:latest"
docker push "$IMG:${{ github.sha }}"
# Deploy the freshly built images to the k3s cluster the runner already runs
# in. No GitOps controller in between: kustomize pins each Deployment to this
# commit's SHA tag and kubectl applies the manifests, so "push to main" IS
# the release. Auth is the KUBECONFIG_B64 repo secret — a kubeconfig for the
# ci-deployer ServiceAccount (see infrastructure/production/fleet/ci/
# ci-deployer.yaml), reaching the API server on the in-cluster service IP.
deploy:
runs-on: ubuntu-latest
needs: [build]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
- name: Install kubectl + kustomize
run: |
curl -fsSLo /usr/local/bin/kubectl https://dl.k8s.io/release/v1.33.4/bin/linux/amd64/kubectl
chmod +x /usr/local/bin/kubectl
curl -fsSL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz \
| tar -xz -C /usr/local/bin kustomize
- name: Deploy to k3s
env:
KUBECONFIG_B64: ${{ secrets.KUBECONFIG_B64 }}
run: |
export KUBECONFIG=/tmp/kubeconfig
echo "$KUBECONFIG_B64" | base64 -d > "$KUBECONFIG"
cd infrastructure/production/fleet/apps
for app in platform-api portal booking operator; do
kustomize edit set image \
"git.lastcloud.io/ronnibaslund/dezky/$app=git.lastcloud.io/ronnibaslund/dezky/$app:${{ github.sha }}"
done
kubectl apply -k .
for app in platform-api portal booking operator; do
kubectl -n dezky-apps rollout status "deploy/$app" --timeout=180s
done
Reference in New Issue View Git Blame Copy Permalink