feat(ci): Forgejo Actions deploy workflow (#30) #34

Merged
archeious merged 1 commit from feat/deploy-workflow into main 2026-04-19 18:05:58 -06:00
Collaborator

Closes #30. Last piece of the deploy pipeline (#28 image, #29 compose, this: automation).

Summary

  • .forgejo/workflows/deploy.yml triggers on push to main,
    runs-on: homelab (container mode, has Node.js and the host's
    Docker socket mounted).
  • Steps: checkout → buildx → registry login → build + push → write
    .env + docker compose pull + up -d → healthz smoke.
  • Image is tagged with both ${{ github.sha }} and latest; the
    compose file reads the SHA from QUARTERMASTER_TAG written by
    the workflow into .env.
  • No SSH step. The runner already lives on home-ctr-onyx with the
    host's Docker socket bind-mounted, so docker compose from the
    runner manages the production container directly. Drops the
    otherwise-needed DEPLOY_SSH_KEY + DEPLOY_KNOWN_HOSTS secrets
    and the associated private-key-handling risk surface.
  • COMPOSE_PROJECT_NAME=quartermaster is pinned in the workflow env
    so compose identifies the existing container by project label no
    matter which path the runner happened to unpack the checkout into.
  • Smoke step is one curl -fsS -u admin:… https://quartermaster.unbiasedgeek.com/healthz
    with up to 10 × 3 s retries — catches TLS, Traefik routing, and
    basic-auth middleware regressions in a single probe.
  • README gets a "CI/CD" section documenting the flow, the two
    required secrets, and the v1 rollback recipe (revert main or
    pin QUARTERMASTER_TAG to a prior SHA).

Secrets

Both repo-scoped on archeious/quartermaster, already provisioned:

  • REGISTRY_TOKEN — archeious Forgejo PAT with
    read:package + write:package, used as the docker-login
    password against forgejo.labbity.unbiasedgeek.com.
  • QUARTERMASTER_SMOKE_PASSWORD — plaintext basic-auth password
    for the admin user, used by the post-deploy healthz probe.

Test plan

  • YAML parses; step list, env block, and secret references all
    match expectations (validated via pyyaml in the #28 image).
  • Both required secrets confirmed present on the repo via the
    Forgejo Actions secrets listing.
  • First merge-to-main will be the true end-to-end test: image
    builds + pushes, docker compose up -d rolls the container,
    healthz returns 200 through the public URL. Flagging any
    failure of that first run is its own follow-up if needed.
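The post-push half of the pipeline described above (write `.env` with the commit SHA, `docker compose pull` + `up -d` under the pinned project name, then the healthz smoke with up to 10 × 3 s retries), as an added example; this is not the PR's `deploy.yml` nor the project's own code. The function names, the `PROBE_CMD` hook and the `RUN_DEPLOY` guard are assumptions made here so the steps can be exercised without a Docker daemon; the secret is read from the `QUARTERMASTER_SMOKE_PASSWORD` variable the PR names.

```shell
#!/bin/sh
# Added example, not the project's deploy.yml: the shell steps the workflow
# runs after the image is pushed. write_env, read_tag, smoke_probe, PROBE_CMD
# and RUN_DEPLOY are names assumed for this example.
set -eu

# Pin the compose project so `docker compose` finds the existing container
# by its project label regardless of where the runner unpacked the checkout.
export COMPOSE_PROJECT_NAME="${COMPOSE_PROJECT_NAME:-quartermaster}"

# write_env FILE SHA: write the tag the compose file reads as QUARTERMASTER_TAG.
# Accept only a full 40-hex commit SHA, so an empty or tampered value cannot
# silently turn into a `latest` deploy.
write_env() {
  file="$1"; sha="$2"
  case "$sha" in
    ""|*[!0-9a-f]*)
      echo "write_env: refusing non-hex tag '$sha'" >&2; return 1 ;;
  esac
  if [ "${#sha}" -ne 40 ]; then
    echo "write_env: tag '$sha' is not a 40-char commit SHA" >&2; return 1
  fi
  printf 'QUARTERMASTER_TAG=%s\n' "$sha" > "$file"
}

# read_tag FILE: print the pinned tag (the value a rollback would edit).
read_tag() { sed -n 's/^QUARTERMASTER_TAG=//p' "$1"; }

# default_probe URL: one curl with -f, so TLS errors, a Traefik 404 and a
# basic-auth 401 all count as failures. Credentials go in via a curl config
# read from stdin rather than `-u admin:...` on the command line, which
# would expose the password in the runner's process list.
default_probe() {
  curl -fsS --config - "$1" > /dev/null <<EOF
user = "admin:${QUARTERMASTER_SMOKE_PASSWORD:?QUARTERMASTER_SMOKE_PASSWORD not set}"
EOF
}

# smoke_probe URL MAX_TRIES SLEEP_SECS: run $PROBE_CMD (default_probe unless
# overridden) until it succeeds or MAX_TRIES is exhausted.
smoke_probe() {
  url="$1"; max="${2:-10}"; pause="${3:-3}"
  i=1
  while [ "$i" -le "$max" ]; do
    if "${PROBE_CMD:-default_probe}" "$url"; then
      echo "healthz OK after $i attempt(s)"
      return 0
    fi
    i=$((i + 1))
    if [ "$i" -le "$max" ]; then sleep "$pause"; fi
  done
  echo "healthz failed after $max attempts" >&2
  return 1
}

# Only perform the real deploy when asked explicitly; without RUN_DEPLOY=1
# the file just defines the functions above.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  write_env .env "${GITHUB_SHA:?GITHUB_SHA not set}"
  docker compose pull
  docker compose up -d
  smoke_probe "https://quartermaster.unbiasedgeek.com/healthz" 10 3
fi
```

Rollback under this layout is exactly the PR's recipe: re-run with a prior SHA, or edit `QUARTERMASTER_TAG` in `.env` and `docker compose up -d` again.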
claude-code added 1 commit 2026-04-19 18:02:20 -06:00
On push to main, the homelab runner (container mode, docker socket
mounted) builds the image, pushes it to the Forgejo registry tagged
with the commit SHA and latest, then runs docker compose pull + up -d
directly against the host Docker daemon — no SSH hop, since the
runner already lives on the deploy host. Finishes with one
curl -u admin:... against https://quartermaster.unbiasedgeek.com/healthz
to catch TLS, Traefik routing, and basic-auth regressions in a
single probe. Two repo-scoped secrets required: REGISTRY_TOKEN for
docker login and QUARTERMASTER_SMOKE_PASSWORD for the public
healthz probe.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
archeious merged commit 9f68351c80 into main 2026-04-19 18:05:58 -06:00
Reference: archeious/quartermaster#34