Files
crop-chem-docs/.gitea/workflows/image-only.yml
T
justin 3a279212ef ci: continue-on-error for the GC step (403 with current PAT scope)
Run #122 finished green-on-everything-that-matters: indexing,
docker login (REGISTRY_TOKEN fix worked), build + push, and the
package-link API call all succeeded. The image is published with
all four expected tags: latest, c5ed5560fc, corpus-2026.05.24,
a97107de46 (manual earlier push).

Only the final GC step failed with HTTP 403 enumerating
/packages/.../versions — the PAT we use as REGISTRY_TOKEN has
push/pull scope but not the broader package-admin scope needed
to list + delete old versions.

GC is housekeeping, not part of the publish path. Marking it
continue-on-error: true keeps the whole run green so monitoring
can rely on "red = real problem." Both workflows get the same
treatment.

Followup TODO baked into the workflow comments: mint a separate
PAT with admin:package scope and add it as a second secret
(PACKAGES_ADMIN_TOKEN) — then point the GC step at it. Then
remove continue-on-error.

Workflow-only commit, doesn't trigger image-only.yml (path filter
excludes .gitea/**).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 16:29:54 -04:00

118 lines
4.3 KiB
YAML

name: Image rebuild (skip scrape)
# Fast path for code-only changes. Skips the scrape and goes straight
# to: rebuild indexes (from corpus already committed on main) + image
# build + push. Runtime ~10 min vs ~9 h for the full monthly refresh.
#
# Use when a PR only changes code/config — anything where the upstream
# corpus hasn't moved but we want the new Python in the running image.
on:
workflow_dispatch:
push:
branches:
- main
paths:
- "docs_mcp/**"
- "rag/**"
- "scrape/**"
- "requirements.txt"
- "Dockerfile"
- "sources.json"
# If multiple pushes land in quick succession, cancel the older one
# rather than queueing both — each run is ~90 min and the older
# commit's image just gets overwritten by the newer one anyway.
concurrency:
group: image-only
cancel-in-progress: true
env:
REGISTRY_PUSH: 192.168.0.2:1234
REGISTRY_PULL: git.jpaul.io
IMAGE: ${{ github.repository_owner }}/${{ github.event.repository.name }}
OLLAMA_URL: http://192.168.0.2:11434,http://192.168.0.2:11435,http://192.168.0.125:11434
EMBED_MODEL: nomic-embed-text
PRODUCT_NAME: crop_chem
jobs:
build:
runs-on: docker
container:
image: catthehacker/ubuntu:act-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install -q --upgrade pip
python -m pip install -q -r requirements.txt
- name: Verify committed corpus is present
run: |
test -d corpus || { echo "ERROR: corpus/ missing on this ref"; exit 1; }
n_md=$(find corpus -name '*.md' | wc -l)
n_json=$(find corpus -name '*.json' | wc -l)
echo "corpus: $(du -sh corpus | cut -f1) on disk, ${n_md} .md / ${n_json} .json"
test "$n_md" -gt 100 || { echo "ERROR: corpus has fewer than 100 labels — was the rename committed?"; exit 1; }
- name: Rebuild indexes from committed corpus
run: python -m rag.index --rebuild
- name: Log in to Gitea container registry
run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "${REGISTRY_PUSH}" -u "${{ github.repository_owner }}" --password-stdin
- name: Build & push image
run: |
SHA_TAG=$(echo "$GITHUB_SHA" | cut -c1-12)
CORPUS_TAG="corpus-$(date -u +%Y.%m.%d)"
docker build \
-t "${REGISTRY_PUSH}/${IMAGE}:latest" \
-t "${REGISTRY_PUSH}/${IMAGE}:${SHA_TAG}" \
-t "${REGISTRY_PUSH}/${IMAGE}:${CORPUS_TAG}" \
.
docker push "${REGISTRY_PUSH}/${IMAGE}:latest"
docker push "${REGISTRY_PUSH}/${IMAGE}:${SHA_TAG}"
docker push "${REGISTRY_PUSH}/${IMAGE}:${CORPUS_TAG}"
- name: Link container package to this repo
env:
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
OWNER="${{ github.repository_owner }}"
PKG="${{ github.event.repository.name }}"
BODY=$(mktemp)
CODE=$(curl -sS -o "$BODY" -w "%{http_code}" -X POST \
-H "Authorization: token ${GITEA_TOKEN}" \
"https://${REGISTRY_PULL}/api/v1/packages/${OWNER}/container/${PKG}/-/link/${PKG}")
echo "link http=$CODE body=$(cat "$BODY")"
case "$CODE" in
201) echo "linked package to ${OWNER}/${PKG}" ;;
400) echo "already linked — ok" ;;
*) echo "unexpected status $CODE"; exit 1 ;;
esac
- name: Prune old container versions
# GC requires broader scope than REGISTRY_TOKEN's push perms
# (got HTTP 403 enumerating /packages/.../versions on run #122).
# Non-critical — housekeeping only. Don't fail the whole run.
# TODO: issue a separate PAT with admin:package scope and set
# as PACKAGES_ADMIN_TOKEN, then use it here.
continue-on-error: true
env:
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
python scripts/registry_gc.py \
--owner "${{ github.repository_owner }}" \
--package "${{ github.event.repository.name }}" \
--keep-days 180 \
--keep-latest 6