ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
c60937c5cb59e1150941dc6c3e807b4ccf23c395
dezky/.gitea/workflows/ci.yml
T
Ronni Baslund c60937c5cb
ci / build (map[dir:apps/booking name:booking]) (push) Has been cancelled
Details
ci / build (map[dir:apps/operator name:operator]) (push) Has been cancelled
Details
ci / build (map[dir:apps/portal name:portal]) (push) Has been cancelled
Details
ci / build (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Details
ci / deploy (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/operator name:operator]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Details
ci / test (push) Has been cancelled
Details
feat(ci): deploy to k3s straight from the pipeline (drop Flux plan) 
Push to main = release: after build, a deploy job pins each app image to the
commit SHA (kustomize edit set image), kubectl-applies fleet/apps and waits
for the rollouts. The runner already runs in-cluster, so it reaches the API
server on the in-cluster service IP with a kubeconfig for the new ci-deployer
ServiceAccount (namespace-scoped admin, KUBECONFIG_B64 repo secret).

The drafted Flux sync/image-automation layer is removed — a GitOps controller
plus bot tag-bump commits is more machinery than a single-node cluster needs.
Sortable image tags and $imagepolicy markers go with it.

Also: per-router ACME-safe HTTP->HTTPS redirects for the app ingresses,
platform-api prod config completed (Authentik JWT/JWKS + admin API, Stalwart
via the cni0 gateway IP, OCIS/cold-storage placeholders until those tiers
exist) and the secrets template/README updated to match.
2026-06-10 07:53:55 +02:00

121 lines
4.5 KiB
YAML
Raw Blame History

# CI for the dezky monorepo (Gitea Actions). Installs deps and typechecks each
# app/service independently — the repo is NOT a single pnpm workspace yet, so
# every app has its own lockfile and is built from its own directory.
name: ci
on:
push:
branches: [main]
pull_request:
jobs:
typecheck:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target:
- { name: platform-api, dir: services/platform-api }
- { name: portal, dir: apps/portal }
- { name: booking, dir: apps/booking }
- { name: website, dir: apps/website }
- { name: operator, dir: apps/operator }
defaults:
run:
working-directory: ${{ matrix.target.dir }}
steps:
- uses: actions/checkout@v4
# Node comes from the runner image (catthehacker ships node 24) — NOT
# actions/setup-node, whose shared tool-cache races across concurrent jobs
# ("node: Text file busy"). corepack (bundled with node) reads each app's
# own packageManager — what this per-app monorepo (no root package.json) needs.
- name: Install
run: |
corepack enable
pnpm install --frozen-lockfile
- name: Typecheck
run: pnpm typecheck
test:
runs-on: ubuntu-latest
defaults:
run:
working-directory: services/platform-api
steps:
- uses: actions/checkout@v4
- name: Install
run: |
corepack enable
pnpm install --frozen-lockfile
- name: Test
run: pnpm test
# Build + push app images to the Gitea container registry. Only on main, after
# typecheck + test pass. Uses the runner's job token to auth to the registry
# (same Gitea instance), and the dind sidecar for docker build.
build:
runs-on: ubuntu-latest
needs: [typecheck, test]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
strategy:
fail-fast: false
matrix:
app:
- { name: portal, dir: apps/portal }
- { name: booking, dir: apps/booking }
- { name: platform-api, dir: services/platform-api }
- { name: operator, dir: apps/operator }
steps:
- uses: actions/checkout@v4
- name: Registry login
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login git.lastcloud.io -u "${{ github.actor }}" --password-stdin
- name: Build + push
run: |
IMG=git.lastcloud.io/ronnibaslund/dezky/${{ matrix.app.name }}
# The commit SHA tag is what the deploy job pins the cluster to;
# ':latest' is kept for humans / manual pulls only.
docker build \
-t "$IMG:latest" \
-t "$IMG:${{ github.sha }}" \
"${{ matrix.app.dir }}"
docker push "$IMG:latest"
docker push "$IMG:${{ github.sha }}"
# Deploy the freshly built images to the k3s cluster the runner already runs
# in. No GitOps controller in between: kustomize pins each Deployment to this
# commit's SHA tag and kubectl applies the manifests, so "push to main" IS
# the release. Auth is the KUBECONFIG_B64 repo secret — a kubeconfig for the
# ci-deployer ServiceAccount (see infrastructure/production/fleet/ci/
# ci-deployer.yaml), reaching the API server on the in-cluster service IP.
deploy:
runs-on: ubuntu-latest
needs: [build]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
- name: Install kubectl + kustomize
run: |
curl -fsSLo /usr/local/bin/kubectl https://dl.k8s.io/release/v1.33.4/bin/linux/amd64/kubectl
chmod +x /usr/local/bin/kubectl
curl -fsSL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz \
| tar -xz -C /usr/local/bin kustomize
- name: Deploy to k3s
env:
KUBECONFIG_B64: ${{ secrets.KUBECONFIG_B64 }}
run: |
export KUBECONFIG=/tmp/kubeconfig
echo "$KUBECONFIG_B64" | base64 -d > "$KUBECONFIG"
cd infrastructure/production/fleet/apps
for app in platform-api portal booking operator; do
kustomize edit set image \
"git.lastcloud.io/ronnibaslund/dezky/$app=git.lastcloud.io/ronnibaslund/dezky/$app:${{ github.sha }}"
done
kubectl apply -k .
for app in platform-api portal booking operator; do
kubectl -n dezky-apps rollout status "deploy/$app" --timeout=180s
done
Reference in New Issue View Git Blame Copy Permalink