fabi/Mangalord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'ci: no-SSH local deploy + Dockerfile build fixes' (#1) from fix/ci-deploy-pipeline into main
Some checks failed
deploy / test-backend (push) Failing after 7s
Details
deploy / test-frontend (push) Failing after 30s
Details
deploy / build-and-push (push) Has been skipped
Details
deploy / deploy (push) Has been skipped
Details

Browse Source
This commit was merged in pull request #1.
This commit is contained in:
fabi
2026-05-31 15:43:54 +00:00
parent a2826d6467 2a0cc24c07
commit e851355f28
3 changed files with 34 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
.gitea/workflows/deploy.yml
View File

@@ -124,28 +124,31 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build-and-push needs: build-and-push
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
# Single-host deploy: the runner lives on the same box as the stack, so we
# drive the host docker daemon directly (act_runner shares its socket via
# `docker_host: "-"`) instead of SSHing out. The compose dir is bind-mounted
# at its REAL host path so compose's relative bind-mounts (./mangalord/...,
# ./Caddyfile) resolve; this requires `/mnt/ssd/docker-data` in the runner's
# container.valid_volumes. The central compose references the images as
# registry.mc02.dev/mangalord-*:${MANGALORD_TAG:-latest}, so we only pull
# and recreate the two mangalord services at the freshly built SHA.
container:
image: docker:cli
volumes:
- /mnt/ssd/docker-data:/mnt/ssd/docker-data
steps: steps:
- name: SSH deploy - name: Deploy to the local stack
uses: appleboy/ssh-action@v1.0.3 working-directory: /mnt/ssd/docker-data
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USER }}
key: ${{ secrets.SSH_PRIVATE_KEY }}
port: ${{ secrets.SSH_PORT || 22 }}
envs: REGISTRY_URL,REGISTRY_USERNAME,REGISTRY_PASSWORD,IMAGE_TAG,DEPLOY_PATH
script_stop: true
script: |
set -euo pipefail
cd "$DEPLOY_PATH"
echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin
export REGISTRY_URL IMAGE_TAG
docker compose -f docker-compose.yml -f docker-compose.prod.yml pull
docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
docker image prune -f
docker logout "$REGISTRY_URL"
env: env:
REGISTRY_URL: ${{ secrets.REGISTRY_URL }} REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
IMAGE_TAG: ${{ needs.build-and-push.outputs.image_tag }} IMAGE_TAG: ${{ needs.build-and-push.outputs.image_tag }}
DEPLOY_PATH: ${{ vars.DEPLOY_PATH }} run: |
set -eu
echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin
export MANGALORD_TAG="$IMAGE_TAG"
docker compose pull mangalord-backend mangalord-frontend
docker compose up -d mangalord-backend mangalord-frontend
docker image prune -f
docker logout "$REGISTRY_URL"

8
backend/Dockerfile
View File

@@ -10,7 +10,8 @@ RUN apt-get update \
# exact crate versions CI tested. Without Cargo.lock + the flag, cargo # exact crate versions CI tested. Without Cargo.lock + the flag, cargo
# would silently resolve fresh on every image build. # would silently resolve fresh on every image build.
COPY Cargo.toml Cargo.lock ./ COPY Cargo.toml Cargo.lock ./
RUN mkdir src && echo "fn main() {}" > src/main.rs && echo "" > src/lib.rs \ RUN mkdir -p src/bin && echo "fn main() {}" > src/main.rs && echo "" > src/lib.rs \
&& echo "fn main() {}" > src/bin/crawler.rs \
&& cargo build --locked --release \ && cargo build --locked --release \
&& rm -rf src && rm -rf src
@@ -18,7 +19,10 @@ COPY src ./src
COPY migrations ./migrations COPY migrations ./migrations
RUN touch src/main.rs src/lib.rs && cargo build --locked --release RUN touch src/main.rs src/lib.rs && cargo build --locked --release
FROM debian:bookworm-slim FROM debian:trixie-slim
# Runtime base must match the builder's Debian release: `rust:1-slim` tracks
# trixie (glibc 2.41), so a bookworm runtime (glibc 2.36) can't run the
# binary ("GLIBC_2.39 not found"). Keep these two in lockstep on bumps.
# `curl` is for the container HEALTHCHECK; `ca-certificates` is for # `curl` is for the container HEALTHCHECK; `ca-certificates` is for
# outbound HTTPS (crawler covers/pages). # outbound HTTPS (crawler covers/pages).
RUN apt-get update \ RUN apt-get update \

10
frontend/Dockerfile
View File

@@ -24,10 +24,12 @@ COPY --from=builder --chown=node:node /app/package.json ./
USER node USER node
EXPOSE 3000 EXPOSE 3000
# Alpine's busybox `wget` is the canonical lightweight HTTP probe. # Alpine's busybox `wget` is the canonical lightweight HTTP probe. Probe
# `--spider` doesn't follow redirects; `node build` serves a 200 on # 127.0.0.1, not `localhost`: musl resolves `localhost` to IPv6 ::1 first,
# `/` for the homepage so this works without a dedicated /health. # but the Node server binds IPv4 0.0.0.0 only, so a localhost probe gets
# "connection refused" and the container is wrongly marked unhealthy. Use a
# GET (`-O /dev/null`) since `node build` serves 200 on `/`.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD wget -q --spider http://localhost:3000/ || exit 1 CMD wget -q -O /dev/null http://127.0.0.1:3000/ || exit 1
CMD ["node", "build"] CMD ["node", "build"]