name: build-backend

# Builds + pushes the backend image to justin/provenance-backend's package area
# on Gitea on every merge to main. Servers pull from git.jpaul.io.
#
# Push goes to the LAN registry endpoint 192.168.0.2:1234 (plain HTTP) to bypass
# Cloudflare's request-body limit; pulls use the public git.jpaul.io FQDN. Same
# Gitea registry either way. Mirrors the drawbar setup.
#
# Security note: because the push endpoint is plain HTTP, the registry
# credential and the image layers cross the LAN without encryption and without
# any authentication of the server. Keep REGISTRY_TOKEN limited to the
# narrowest scope that can push this package, and keep the runner and the
# registry on a trusted network segment.
#
# Tag scheme: test-main | test-sha- | | latest (v* tags)
# NOTE(review): the variable parts of the second and third tags are missing
# from this copy of the file (presumably a short commit SHA and the semver
# read from pyproject.toml) - confirm against the build step.

# Triggers: manual dispatch, pushes to main, and v* tags. The paths filter
# lists the backend tree and this workflow file.
on:
  workflow_dispatch:
  push:
    branches: [main]
    tags: ['v*']
    paths:
      - 'backend/**'
      - '.gitea/workflows/build-backend.yml'

# One concurrency group per ref: a newer run for the same ref cancels the run
# that is still in progress.
concurrency:
  group: build-backend-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    runs-on: docker
    steps:
      # NOTE(review): actions/checkout and docker/setup-buildx-action are
      # referenced by mutable major-version tags. Pinning each to a full
      # commit SHA keeps a moved tag from changing what executes in a job
      # that later has REGISTRY_TOKEN in its environment.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # 0 = fetch full history rather than a shallow clone.
          fetch-depth: 0

      # Reads the first `version = "..."` line of backend/pyproject.toml,
      # fails the job when nothing matches, and publishes the value as the
      # step output `semver` (id: ver).
      - name: Extract version from pyproject.toml
        id: ver
        run: |
          v=$(grep -oP '^version = "\K[^"]+' backend/pyproject.toml | head -1)
          if [ -z "$v" ]; then echo "could not parse version from backend/pyproject.toml"; exit 1; fi
          echo "semver=$v" >> "$GITHUB_OUTPUT"
          echo "backend semver: $v"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # LAN registry serves plain HTTP on :1234 (git.jpaul.io is the only TLS
          # endpoint, via Cloudflare). Treat the LAN endpoint as insecure so
          # buildkit doesn't try to upgrade the push to HTTPS.
          # The http/insecure settings are scoped to the single registry entry
          # below; no other registry is declared insecure here.
          config-inline: |
            [registry."192.168.0.2:1234"]
              http = true
              insecure = true

      # Builds a "user:token" basic-auth value and starts writing it into
      # ~/.docker/config.json. base64 is an encoding, not encryption, so the
      # resulting file holds a reusable credential.
      # REGISTRY_USER is github.actor, i.e. whoever triggered the run.
      # NOTE(review): no umask/chmod is visible before config.json is written -
      # confirm the file mode and that the runner's home directory is not
      # shared with other jobs or left behind after the run.
      # NOTE(review): the text between the heredoc redirect and the status
      # echo below is missing from this copy of the file (the heredoc body and
      # any steps that followed it). The surviving tail looks like a step that
      # links the package to the provenance repository and checks the HTTP
      # status - inferred from the messages only; restore from the repository
      # before relying on this file.
      # NOTE(review): the case statement accepts 400 as well as 409 as
      # "already linked". 400 is also the generic bad-request status, so a
      # malformed request would be reported as success - confirm which status
      # the Gitea API really returns for an existing link.
      # NOTE(review): on failure the response body in /tmp/link.out is printed
      # to the job log - confirm it cannot contain credentials.
      - name: Configure registry credentials for buildx
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
          REGISTRY_USER: ${{ github.actor }}
        run: |
          mkdir -p ~/.docker
          AUTH=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_TOKEN" | base64 -w0)
          cat > ~/.docker/config.json < provenance: HTTP $code"
          case "$code" in
            201) echo "OK — newly linked" ;;
            400|409) echo "OK — already linked" ;;
            *) cat /tmp/link.out; exit 1 ;;
          esac