3a279212ef
Run #122 finished green-on-everything-that-matters: indexing, docker login (REGISTRY_TOKEN fix worked), build + push, and the package-link API call all succeeded. The image is published with all four expected tags: latest, c5ed5560fc, corpus-2026.05.24, a97107de46 (manual earlier push).

Only the final GC step failed with HTTP 403 enumerating /packages/.../versions — the PAT we use as REGISTRY_TOKEN has push/pull scope but not the broader package-admin scope needed to list + delete old versions.

GC is housekeeping, not part of the publish path. Marking it continue-on-error: true keeps the whole run green so monitoring can rely on "red = real problem." Both workflows get the same treatment.

Followup TODO baked into the workflow comments: mint a separate PAT with admin:package scope and add it as a second secret (PACKAGES_ADMIN_TOKEN) — then point the GC step at it. Then remove continue-on-error.

Workflow-only commit, doesn't trigger image-only.yml (path filter excludes .gitea/**).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
118 lines
4.3 KiB
YAML
name: Image rebuild (skip scrape)

# Fast path for code-only changes. Skips the scrape and goes straight
# to: rebuild indexes (from corpus already committed on main) + image
# build + push. Runtime ~10 min vs ~9 h for the full monthly refresh.
#
# Use when a PR only changes code/config — anything where the upstream
# corpus hasn't moved but we want the new Python in the running image.

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - "docs_mcp/**"
      - "rag/**"
      - "scrape/**"
      - "requirements.txt"
      - "Dockerfile"
      - "sources.json"

# If multiple pushes land in quick succession, cancel the older one
# rather than queueing both — each run is ~90 min and the older
# commit's image just gets overwritten by the newer one anyway.
concurrency:
  group: image-only
  cancel-in-progress: true

env:
  REGISTRY_PUSH: 192.168.0.2:1234
  REGISTRY_PULL: git.jpaul.io
  IMAGE: ${{ github.repository_owner }}/${{ github.event.repository.name }}
  OLLAMA_URL: http://192.168.0.2:11434,http://192.168.0.2:11435,http://192.168.0.125:11434
  EMBED_MODEL: nomic-embed-text
  PRODUCT_NAME: crop_chem

jobs:
  build:
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: |
          python -m pip install -q --upgrade pip
          python -m pip install -q -r requirements.txt

      - name: Verify committed corpus is present
        run: |
          test -d corpus || { echo "ERROR: corpus/ missing on this ref"; exit 1; }
          n_md=$(find corpus -name '*.md' | wc -l)
          n_json=$(find corpus -name '*.json' | wc -l)
          echo "corpus: $(du -sh corpus | cut -f1) on disk, ${n_md} .md / ${n_json} .json"
          test "$n_md" -gt 100 || { echo "ERROR: corpus has fewer than 100 labels — was the rename committed?"; exit 1; }

      - name: Rebuild indexes from committed corpus
        run: python -m rag.index --rebuild

      - name: Log in to Gitea container registry
        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "${REGISTRY_PUSH}" -u "${{ github.repository_owner }}" --password-stdin

      - name: Build & push image
        run: |
          SHA_TAG=$(echo "$GITHUB_SHA" | cut -c1-12)
          CORPUS_TAG="corpus-$(date -u +%Y.%m.%d)"
          docker build \
            -t "${REGISTRY_PUSH}/${IMAGE}:latest" \
            -t "${REGISTRY_PUSH}/${IMAGE}:${SHA_TAG}" \
            -t "${REGISTRY_PUSH}/${IMAGE}:${CORPUS_TAG}" \
            .
          docker push "${REGISTRY_PUSH}/${IMAGE}:latest"
          docker push "${REGISTRY_PUSH}/${IMAGE}:${SHA_TAG}"
          docker push "${REGISTRY_PUSH}/${IMAGE}:${CORPUS_TAG}"

      - name: Link container package to this repo
        env:
          GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          OWNER="${{ github.repository_owner }}"
          PKG="${{ github.event.repository.name }}"
          BODY=$(mktemp)
          CODE=$(curl -sS -o "$BODY" -w "%{http_code}" -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            "https://${REGISTRY_PULL}/api/v1/packages/${OWNER}/container/${PKG}/-/link/${PKG}")
          echo "link http=$CODE body=$(cat "$BODY")"
          case "$CODE" in
            201) echo "linked package to ${OWNER}/${PKG}" ;;
            400) echo "already linked — ok" ;;
            *) echo "unexpected status $CODE"; exit 1 ;;
          esac

      - name: Prune old container versions
        # GC requires broader scope than REGISTRY_TOKEN's push perms
        # (got HTTP 403 enumerating /packages/.../versions on run #122).
        # Non-critical — housekeeping only. Don't fail the whole run.
        # TODO: issue a separate PAT with admin:package scope and set
        # as PACKAGES_ADMIN_TOKEN, then use it here.
        continue-on-error: true
        env:
          GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          python scripts/registry_gc.py \
            --owner "${{ github.repository_owner }}" \
            --package "${{ github.event.repository.name }}" \
            --keep-days 180 \
            --keep-latest 6
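
The prune step above masks every GC failure with `continue-on-error: true`. The sketch below is an added example, not the project's `scripts/registry_gc.py`: it shows a GC script tolerating only the known 403 scope gap while still failing on any other listing error, alongside one possible reading of `--keep-days 180 --keep-latest 6`. The function names, the `tag`/`created` record shape, the protected `latest` tag and the retention policy itself are assumptions; the sample versions are constructed.

```python
from datetime import datetime, timedelta, timezone

PROTECTED_TAGS = {"latest"}  # assumption: the moving tag is never pruned


def select_for_deletion(versions, now, keep_days=180, keep_latest=6):
    """Return the tags to prune, newest first.

    Assumed policy: a version survives if it is protected, is one of the
    keep_latest newest, or was created within the last keep_days days.
    """
    cutoff = now - timedelta(days=keep_days)
    newest_first = sorted(versions, key=lambda v: v["created"], reverse=True)
    doomed = []
    for rank, v in enumerate(newest_first):
        if v["tag"] in PROTECTED_TAGS or rank < keep_latest or v["created"] >= cutoff:
            continue
        doomed.append(v["tag"])
    return doomed


def gc_outcome(list_status):
    """Map the HTTP status of the version listing to (exit_code, message)."""
    if list_status == 200:
        return 0, "listing ok, pruning"
    if list_status == 403:
        # Known gap from run #122: the token can push/pull but not list versions.
        return 0, "WARNING: token lacks package-admin scope, GC skipped"
    # Anything else (401, 404, 5xx) is unexpected and should turn the run red.
    return 1, f"ERROR: unexpected status {list_status} listing versions"


# Constructed sample: 'latest' plus ten tags aged 30, 60, ... 300 days.
NOW = datetime(2026, 5, 24, tzinfo=timezone.utc)
SAMPLE = [{"tag": "latest", "created": NOW}] + [
    {"tag": f"corpus-old-{i}", "created": NOW - timedelta(days=30 * i)}
    for i in range(1, 11)
]
```

With the script returning exit code 0 only for the 403 case, the step would not need `continue-on-error` for a revoked token or a registry outage to show up as a red run.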