# Gitea Actions

The [`deploy`](workflows/deploy.yml) workflow runs on every push to `main` (and via manual `workflow_dispatch`). It tests, builds, pushes the images to a private registry, and rolls the stack over by SSH on the target host.

## Required secrets

Set under *Repo Settings → Actions → Secrets*:

| Name | Example | Purpose |
| ------------------- | ------------------------ | ---------------------------------------------------------------- |
| `REGISTRY_URL` | `registry.example.com` | Registry host. No scheme, no trailing slash. |
| `REGISTRY_USERNAME` | `mangalord-ci` | `docker login` user. |
| `REGISTRY_PASSWORD` | `` | `docker login` token/password. |
| `SSH_HOST` | `mangalord.example.com` | Deploy target hostname/IP. |
| `SSH_USER` | `deploy` | SSH user on the target (must be in the `docker` group). |
| `SSH_PRIVATE_KEY` | `-----BEGIN OPENSSH...` | Private key authorised in the target user's `authorized_keys`. |
| `SSH_PORT` | `22` | Optional. Defaults to `22` if unset. |

## Required variables

Set under *Repo Settings → Actions → Variables* (not secrets — they appear in logs):

| Name | Example | Purpose |
| ------------- | ---------------- | ------------------------------------------------------------------------------- |
| `DEPLOY_PATH` | `/srv/mangalord` | Directory on target holding `docker-compose.yml`, `.env`, and the prod overlay. |

## One-time host setup

The workflow assumes the deploy target already has:

1. Docker + Docker Compose v2 installed and the `SSH_USER` in the `docker` group.
2. `$DEPLOY_PATH/docker-compose.yml` (copy of the repo's [docker-compose.yml](../docker-compose.yml)).
3. `$DEPLOY_PATH/docker-compose.prod.yml` (copy of the repo's [docker-compose.prod.yml](../docker-compose.prod.yml)).
4. `$DEPLOY_PATH/.env` populated from [.env.example](../.env.example) with production values (real `POSTGRES_PASSWORD`, `COOKIE_SECURE=true`, etc.).

Bootstrap once:

```bash
ssh deploy@mangalord.example.com
sudo mkdir -p /srv/mangalord && sudo chown deploy:deploy /srv/mangalord
cd /srv/mangalord
# place docker-compose.yml, docker-compose.prod.yml, and .env here
```

The first workflow run will pull the images, bring the stack up, and run the embedded migrations on startup.

## Image tags

Every push produces three tags per image:

- `mangalord-{backend,frontend}:latest`
- `mangalord-{backend,frontend}:` — used by the deploy job; lets you pin a deploy to a specific commit
- `mangalord-{backend,frontend}:` — the version from [backend/Cargo.toml](../backend/Cargo.toml) (verified in lockstep with [frontend/package.json](../frontend/package.json))

## Rollback

SSH to the target, set `IMAGE_TAG` to a previous commit SHA, and re-up:

```bash
cd /srv/mangalord
export REGISTRY_URL=registry.example.com
export IMAGE_TAG=
docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
```
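A preflight and rollback helper that ties the one-time host setup and the rollback steps above together. This is an added example, not part of the repo or its `deploy` workflow: the script name `rollback.sh`, the `DRY_RUN` switch and the validation rules (bare host for `REGISTRY_URL`, 7-40 character hex commit SHA for `IMAGE_TAG`, a world-readable `.env` flagged) are assumptions of this example; `REGISTRY_URL`, `IMAGE_TAG`, `DEPLOY_PATH` and the three file names come from this README.

```shell
#!/bin/sh
# Added example (not the repo's own tooling): validate the README's inputs and
# the host layout before re-upping the stack at a pinned image tag.
# Assumed: the script name rollback.sh, the DRY_RUN switch and the rules below.

# REGISTRY_URL must be a bare host (optionally host:port): no scheme, no trailing slash.
validate_registry_url() {
  case "$1" in
    '' | */*) return 1 ;;   # empty, "https://..." and "host/" all fail here
  esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9.-]+(:[0-9]+)?$'
}

# IMAGE_TAG for a rollback must be a commit SHA (7-40 lowercase hex chars),
# never "latest", so the deploy is pinned to a known build.
validate_image_tag() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{7,40}$'
}

# The three files the one-time host setup requires must exist in DEPLOY_PATH.
# .env holds POSTGRES_PASSWORD and friends, so also flag it if other users can read it.
check_deploy_dir() {
  dir="$1"
  missing=0
  for f in docker-compose.yml docker-compose.prod.yml .env; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f" >&2
      missing=1
    fi
  done
  [ "$missing" -eq 0 ] || return 1
  if [ -n "$(find "$dir" -maxdepth 1 -name .env -perm -o+r)" ]; then
    echo "warning: $dir/.env is world-readable; consider chmod 600" >&2
  fi
  return 0
}

# rollback REGISTRY_URL IMAGE_TAG [DEPLOY_PATH]
# With DRY_RUN=1 (the default here) it prints the compose command instead of running it.
rollback() {
  registry="$1"
  tag="$2"
  dir="${3:-/srv/mangalord}"
  validate_registry_url "$registry" || { echo "bad REGISTRY_URL: '$registry'" >&2; return 1; }
  validate_image_tag "$tag" || { echo "IMAGE_TAG must be a commit SHA, got '$tag'" >&2; return 1; }
  check_deploy_dir "$dir" || return 1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'cd %s && REGISTRY_URL=%s IMAGE_TAG=%s docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d\n' \
      "$dir" "$registry" "$tag"
    return 0
  fi
  ( cd "$dir" && REGISTRY_URL="$registry" IMAGE_TAG="$tag" \
      docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d )
}

# Usage on the target host: DRY_RUN=0 ./rollback.sh --run registry.example.com <sha> /srv/mangalord
if [ "${1:-}" = "--run" ]; then
  shift
  rollback "$@"
fi
```

Run it once with the default `DRY_RUN=1` to see the exact `docker compose` invocation and any missing-file or permission warnings, then with `DRY_RUN=0` to perform the rollback; rejecting `latest` as a tag keeps a rollback from silently landing on whatever the registry currently calls `latest`.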