Files
justin 4921ce0776 Mirror drawbar CI/CD: push to LAN registry, pull via public FQDN
Split the registry endpoints like the drawbar containers. Per-component Gitea Actions workflows (build-backend, build-frontend; runs-on docker, path-filtered) push images to the LAN endpoint 192.168.0.2:1234 over plain HTTP (buildx insecure/http) to bypass Cloudflare's request-body limit, then link each package to the repo via the Gitea API. Auth via the REGISTRY_TOKEN Actions secret (the same token drawbar uses). Tag scheme: test-main / test-sha-<long> / version / latest (v* tags).

The deploy compose now PULLS git.jpaul.io/justin/provenance-{backend,frontend}:${IMAGE_TAG:-test-main} (no host build); docker-compose.dev.yml is a local-build override for dev / pre-CI. Replaces the previous single build.yml. Docs + memory updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
2026-06-06 11:19:26 -04:00

106 lines
3.5 KiB
YAML

name: build-backend
# Builds + pushes the backend image to justin/provenance-backend's package area
# on Gitea on every merge to main. Servers pull from git.jpaul.io.
#
# Push goes to the LAN registry endpoint 192.168.0.2:1234 (plain HTTP) to bypass
# Cloudflare's request-body limit; pulls use the public git.jpaul.io FQDN. Same
# Gitea registry either way. Mirrors the drawbar setup.
#
# Tag scheme: test-main | test-sha-<long> | <semver from pyproject> | latest (v* tags)
on:
workflow_dispatch:
push:
branches: [main]
tags: ['v*']
paths:
- 'backend/**'
- '.gitea/workflows/build-backend.yml'
concurrency:
group: build-backend-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
runs-on: docker
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Extract version from pyproject.toml
id: ver
run: |
v=$(grep -oP '^version = "\K[^"]+' backend/pyproject.toml | head -1)
if [ -z "$v" ]; then echo "could not parse version from backend/pyproject.toml"; exit 1; fi
echo "semver=$v" >> "$GITHUB_OUTPUT"
echo "backend semver: $v"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
# LAN registry serves plain HTTP on :1234 (git.jpaul.io is the only TLS
# endpoint, via Cloudflare). Treat the LAN endpoint as insecure so
# buildkit doesn't try to upgrade the push to HTTPS.
config-inline: |
[registry."192.168.0.2:1234"]
http = true
insecure = true
- name: Configure registry credentials for buildx
env:
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
REGISTRY_USER: ${{ github.actor }}
run: |
mkdir -p ~/.docker
AUTH=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_TOKEN" | base64 -w0)
cat > ~/.docker/config.json <<EOF
{
"auths": {
"192.168.0.2:1234": {
"auth": "$AUTH"
}
}
}
EOF
- name: Compute tags
id: meta
uses: docker/metadata-action@v5
with:
images: 192.168.0.2:1234/justin/provenance-backend
tags: |
type=ref,event=branch,prefix=test-
type=sha,prefix=test-sha-,format=long
type=raw,value=${{ steps.ver.outputs.semver }}
type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
labels: |
org.opencontainers.image.source=https://git.jpaul.io/justin/provenance
org.opencontainers.image.version=${{ steps.ver.outputs.semver }}
- name: Build and push (amd64)
uses: docker/build-push-action@v6
with:
context: ./backend
platforms: linux/amd64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Link package to the provenance repo
env:
GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
code=$(curl -s -o /tmp/link.out -w "%{http_code}" -X POST \
-H "Authorization: token ${GITEA_TOKEN}" \
"https://git.jpaul.io/api/v1/packages/justin/container/provenance-backend/-/link/provenance")
echo "link -> provenance: HTTP $code"
case "$code" in
201) echo "OK — newly linked" ;;
400|409) echo "OK — already linked" ;;
*) cat /tmp/link.out; exit 1 ;;
esac