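name: build

# On push to main, build the self-contained nginx image and push it to the
# build registry, then publish it so the deploy host can pull it over HTTPS
# and Watchtower recreates the container. The registry address is injected
# from a masked secret so it never appears in the repo or the logs.
on:
  push:
    branches: [main]
    paths:
      - 'index.html'
      - 'favicon.svg'
      - 'nginx.conf'
      - 'Dockerfile'
      - '.gitea/workflows/build.yml'
  workflow_dispatch:

# One build per ref at a time; a newer push cancels the run still in flight.
concurrency:
  group: build-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    runs-on: docker
    steps:
      # NOTE(review): both actions below are referenced by a mutable major tag.
      # Pinning each to a full commit SHA (e.g. `@<commit-sha>  # v4`) keeps a
      # re-pointed tag from changing what runs in a job that holds registry
      # credentials.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # The build registry is plain HTTP — tell buildkit not to upgrade
          # the push to HTTPS.
          # With http/insecure set, the image layers and the registry
          # credential configured in the next step travel unencrypted and the
          # registry endpoint is not verified, so this is only appropriate on
          # a trusted, isolated path between the runner and the registry.
          config-inline: |
            [registry."${{ secrets.REGISTRY_HOST }}"]
              http = true
              insecure = true

      - name: Configure registry credentials for buildx
        env:
          REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          # config.json holds the registry credential: create ~/.docker and the
          # file owner-only instead of relying on the runner's default umask.
          umask 077
          mkdir -p ~/.docker
          # base64 is only the encoding Docker expects for the auth field; the
          # value is as sensitive as the token itself.
          AUTH=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_TOKEN" | base64 -w0)
          cat > ~/.docker/config.json <
          # NOTE(review): this copy of the workflow is damaged at this point.
          # The heredoc body that writes config.json, the end of this step and
          # the start of a later step (its name, env and the request that sets
          # $code) are missing; the lines below are the surviving tail of that
          # later step's script. Restore the missing part from the repository
          # before using this file.
          jpaulio: HTTP $code"
          # NOTE(review): 400 is accepted as "already linked". If the endpoint
          # can also answer 400 for other request errors, a real failure would
          # pass silently; confirm against the API, or print /tmp/link.out in
          # that branch so the response is visible in the log.
          case "$code" in
            201) echo "OK — newly linked" ;;
            400|409) echo "OK — already linked" ;;
            *) cat /tmp/link.out; exit 1 ;;
          esac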