4921ce0776
Split the registry endpoints like the drawbar containers. Per-component Gitea Actions workflows (build-backend, build-frontend; runs-on docker, path-filtered) push images to the LAN endpoint 192.168.0.2:1234 over plain HTTP (buildx insecure/http) to bypass Cloudflare's request-body limit, then link each package to the repo via the Gitea API. Auth via the REGISTRY_TOKEN Actions secret (the same token drawbar uses). Tag scheme: test-main / test-sha-<long> / version / latest (v* tags).
The deploy compose now PULLS git.jpaul.io/justin/provenance-{backend,frontend}:${IMAGE_TAG:-test-main} (no host build); docker-compose.dev.yml is a local-build override for dev / pre-CI. Replaces the previous single build.yml. Docs + memory updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
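name: build-backend

# Builds + pushes the backend image to justin/provenance-backend's package area
# on Gitea on every merge to main (also on v* tags and manual dispatch).
# Servers pull from git.jpaul.io.
#
# Push goes to the LAN registry endpoint 192.168.0.2:1234 (plain HTTP) to bypass
# Cloudflare's request-body limit; pulls use the public git.jpaul.io FQDN. Same
# Gitea registry either way. Mirrors the drawbar setup.
#
# Because the push leg is plain HTTP, the registry credential (REGISTRY_TOKEN)
# and the image layers cross the LAN unencrypted. Keep that token limited to
# package writes and treat the LAN segment as trusted.
#
# Tag scheme: test-main | test-sha-<long> | <semver from pyproject> | latest (v* tags)
# The <semver> tag is re-pushed on every run, not only on v* tags, so it is
# mutable until the matching release tag is cut.

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
  push:
    branches: [main]
    tags: ['v*']
    # NOTE(review): confirm on this Gitea version that the paths filter does not
    # suppress v* tag pushes; if it does, a release tag whose commit touches
    # nothing under backend/ would never build.
    paths:
      - 'backend/**'
      - '.gitea/workflows/build-backend.yml'

# One in-flight build per ref; a newer push to the same ref cancels the older one.
concurrency:
  group: build-backend-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    runs-on: docker
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Version comes from backend/pyproject.toml (first `version = "..."` line)
      # and feeds both the image tag and the OCI version label. Fails the job
      # if nothing parses so a bad build never lands under an empty tag.
      - name: Extract version from pyproject.toml
        id: ver
        run: |
          v=$(grep -oP '^version = "\K[^"]+' backend/pyproject.toml | head -1)
          if [ -z "$v" ]; then echo "could not parse version from backend/pyproject.toml"; exit 1; fi
          echo "semver=$v" >> "$GITHUB_OUTPUT"
          echo "backend semver: $v"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # LAN registry serves plain HTTP on :1234 (git.jpaul.io is the only TLS
          # endpoint, via Cloudflare). Treat the LAN endpoint as insecure so
          # buildkit doesn't try to upgrade the push to HTTPS. This applies to
          # the LAN address only; nothing here loosens TLS for git.jpaul.io.
          config-inline: |
            [registry."192.168.0.2:1234"]
              http = true
              insecure = true

      - name: Configure registry credentials for buildx
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
          # NOTE(review): the username sent is whoever triggered the run, while
          # the token is one shared secret. If Gitea ties a token to its owner,
          # a push to main by a different account would fail auth; confirm.
          REGISTRY_USER: ${{ github.actor }}
        run: |
          # Write a minimal docker config.json holding only the LAN endpoint
          # auth so buildx can find the push credential. The file (and the
          # ~/.docker dir) is created user-only via umask since it carries the
          # token, any existing config.json is replaced wholesale, and the
          # file is removed again by the last step of this job.
          umask 077
          mkdir -p ~/.docker
          AUTH=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_TOKEN" | base64 -w0)
          cat > ~/.docker/config.json <<EOF
          {
            "auths": {
              "192.168.0.2:1234": {
                "auth": "$AUTH"
              }
            }
          }
          EOF

      # Tags are computed against the LAN image name because that is where the
      # push goes; the same tags are visible under git.jpaul.io for pulls.
      - name: Compute tags
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: 192.168.0.2:1234/justin/provenance-backend
          tags: |
            type=ref,event=branch,prefix=test-
            type=sha,prefix=test-sha-,format=long
            type=raw,value=${{ steps.ver.outputs.semver }}
            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
          labels: |
            org.opencontainers.image.source=https://git.jpaul.io/justin/provenance
            org.opencontainers.image.version=${{ steps.ver.outputs.semver }}

      - name: Build and push (amd64)
        uses: docker/build-push-action@v6
        with:
          context: ./backend
          platforms: linux/amd64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Link package to the provenance repo
        env:
          GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          # Attach the package to the repo via the Gitea API. This goes over
          # the public FQDN (TLS), not the LAN endpoint. -S keeps curl's own
          # errors (connect/timeout) visible despite -s instead of swallowing
          # them; --max-time bounds a hung API call.
          code=$(curl -sS --max-time 60 -o /tmp/link.out -w "%{http_code}" -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            "https://git.jpaul.io/api/v1/packages/justin/container/provenance-backend/-/link/provenance")
          echo "link -> provenance: HTTP $code"
          case "$code" in
            201) echo "OK — newly linked" ;;
            # 400/409 is taken to mean "already linked". The response body is
            # printed so a genuinely malformed request (also a 400) is not
            # passed silently.
            400|409) echo "OK — already linked"; cat /tmp/link.out; echo ;;
            *) cat /tmp/link.out; echo; exit 1 ;;
          esac

      # Drop the on-disk credential even when an earlier step failed. Harmless
      # on a throwaway job container; matters if the runner's home persists.
      - name: Remove registry credentials
        if: always()
        run: rm -f ~/.docker/config.json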