Simplify CI/CD for same-swarm topology: no SSH, direct service update
Since Forgejo and the app share a swarm, the runner can: - Connect to Forgejo at http://forgejo:3000 (internal, no Traefik) - Call docker service update directly via mounted socket - Avoid SSH entirely — secrets drop from 6 to 3 infra/runner-swarm.yml: runner added to Forgejo stack, pinned to manager node (required for service API access), uses Docker Swarm Config object for act_runner config injection infra/act-runner-config.yml: runner config (bridge network for jobs, docker socket whitelisted) build.yml: deploy step replaced with docker service update --with-registry-auth --detach=false (waits for rollout, shows progress in Actions log) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,16 +1,12 @@
|
||||
# Runs only on pushes to main.
|
||||
# Builds the Docker image on the CI runner host (which has Docker socket access),
|
||||
# pushes it to the Forgejo container registry, then SSHes to the app host to restart.
|
||||
#
|
||||
# Runner requirement: act_runner with /var/run/docker.sock mounted (see infra/runner-swarm.yml).
|
||||
# The runner runs in the same swarm as Forgejo with /var/run/docker.sock mounted,
|
||||
# so it can build images and update swarm services directly — no SSH needed.
|
||||
#
|
||||
# Required secrets (Forgejo repo → Settings → Secrets):
|
||||
# REGISTRY_USER — your Forgejo username (bvandeusen)
|
||||
# REGISTRY_TOKEN — Forgejo personal access token with write:packages scope
|
||||
# DEPLOY_HOST — IP or hostname of the server running fabledassistant
|
||||
# DEPLOY_USER — SSH user on that server
|
||||
# DEPLOY_SSH_KEY — private SSH key (matching public key must be in authorized_keys on app host)
|
||||
# DEPLOY_PATH — absolute path to the directory with docker-compose.yml on the app host
|
||||
# Required secrets (repo → Settings → Secrets → Actions):
|
||||
# REGISTRY_USER — your Forgejo username
|
||||
# REGISTRY_TOKEN — Forgejo PAT with write:packages scope
|
||||
# DEPLOY_SERVICE — full swarm service name, e.g. fabledassistant_app
|
||||
name: Build & Deploy
|
||||
|
||||
on:
|
||||
@@ -46,9 +42,8 @@ jobs:
|
||||
tags: |
|
||||
${{ env.IMAGE }}:latest
|
||||
${{ env.IMAGE }}:${{ github.sha }}
|
||||
# Registry-side layer cache lives in the Forgejo container registry.
|
||||
# Unchanged layers (npm install, pip install) are reused across builds,
|
||||
# cutting typical build time from ~4 min to ~45 sec after the first run.
|
||||
# Registry-side layer cache — unchanged layers (npm install, pip install)
|
||||
# are reused between builds. Cuts typical build time from ~4 min to ~45 sec.
|
||||
cache-from: type=registry,ref=${{ env.IMAGE }}:cache
|
||||
cache-to: type=registry,ref=${{ env.IMAGE }}:cache,mode=max
|
||||
|
||||
@@ -57,19 +52,21 @@ jobs:
|
||||
needs: build
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Pull new image and restart app
|
||||
uses: appleboy/ssh-action@v1
|
||||
with:
|
||||
host: ${{ secrets.DEPLOY_HOST }}
|
||||
username: ${{ secrets.DEPLOY_USER }}
|
||||
key: ${{ secrets.DEPLOY_SSH_KEY }}
|
||||
# Pulls only the app service image, restarts only the app container.
|
||||
# Database and Ollama containers are left untouched (--no-deps).
|
||||
script: |
|
||||
set -e
|
||||
echo "${{ secrets.REGISTRY_TOKEN }}" | \
|
||||
docker login git.fabledsword.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin
|
||||
cd "${{ secrets.DEPLOY_PATH }}"
|
||||
docker compose pull app
|
||||
docker compose up -d --no-build --no-deps app
|
||||
docker image prune -f
|
||||
- name: Log in to registry
|
||||
run: |
|
||||
echo "${{ secrets.REGISTRY_TOKEN }}" | \
|
||||
docker login git.fabledsword.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin
|
||||
|
||||
- name: Update swarm service
|
||||
# --with-registry-auth forwards the login credentials to all swarm nodes
|
||||
# so they can pull the new image. --detach=false waits for the rollout to
|
||||
# complete before the job finishes (shows progress in the Actions log).
|
||||
run: |
|
||||
docker service update \
|
||||
--image ${{ env.IMAGE }}:${{ github.sha }} \
|
||||
--with-registry-auth \
|
||||
--detach=false \
|
||||
${{ secrets.DEPLOY_SERVICE }}
|
||||
|
||||
- name: Clean up old images
|
||||
run: docker image prune -f
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
# act_runner configuration — stored as a Docker Swarm Config object.
|
||||
# Referenced in runner-swarm.yml under configs.act_runner_config.
|
||||
#
|
||||
# After changing this file, update the swarm config:
|
||||
# docker config rm act_runner_config
|
||||
# docker stack deploy -c forgejo-stack.yml forgejo (or docker compose up -d)
|
||||
|
||||
log:
|
||||
level: info
|
||||
|
||||
runner:
|
||||
capacity: 2 # concurrent jobs
|
||||
timeout: 30m
|
||||
|
||||
cache:
|
||||
enabled: true
|
||||
dir: /data/.cache
|
||||
|
||||
container:
|
||||
# bridge: job containers get internet access via NAT but are isolated from
|
||||
# each other and the swarm overlay. Sufficient for npm/pip/docker push.
|
||||
network: bridge
|
||||
|
||||
# Whitelist of host paths that workflow steps are allowed to bind-mount.
|
||||
# The Docker socket is required for the build and deploy jobs.
|
||||
valid_volumes:
|
||||
- /var/run/docker.sock
|
||||
+90
-77
@@ -1,100 +1,113 @@
|
||||
# Forgejo Actions runner — deploy this on the FORGEJO HOST alongside the Forgejo stack.
|
||||
# Forgejo Actions runner — add these services to your existing Forgejo stack.
|
||||
#
|
||||
# The runner connects outbound to git.fabledsword.com to receive jobs.
|
||||
# No inbound connections from Forgejo are needed.
|
||||
# The host Docker socket is mounted so the build job can use Docker Buildx.
|
||||
# Since the runner is in the same swarm as Forgejo it can:
|
||||
# - Reach Forgejo at http://forgejo:3000 (no Traefik hop)
|
||||
# - Use the host Docker socket (manager node) to build images and update services
|
||||
# - Deploy the app via `docker service update` — no SSH needed
|
||||
#
|
||||
# One-time setup on the Forgejo host:
|
||||
# The runner MUST run on a swarm manager node so it can call the Docker service API.
|
||||
# On a single-node swarm this is automatic. On multi-node, the placement constraint
|
||||
# below ensures it.
|
||||
#
|
||||
# One-time setup:
|
||||
# 1. Get a registration token:
|
||||
# Forgejo → Site Administration → Runners → Create Runner
|
||||
# (or per-repo: repo → Settings → Actions → Runners)
|
||||
# https://git.fabledsword.com → Site Administration → Runners → Create Runner
|
||||
#
|
||||
# 2. Create an env file (keep this off git):
|
||||
# echo 'RUNNER_TOKEN=your_token_here' > /nfs/data/fabledsword/act_runner/.env
|
||||
# 2. Add RUNNER_TOKEN to your stack's env file (same .env Forgejo uses):
|
||||
# echo 'RUNNER_TOKEN=your_token_here' >> /path/to/forgejo.env
|
||||
#
|
||||
# 3. Deploy:
|
||||
# docker stack deploy -c runner-swarm.yml act-runner
|
||||
# (or: docker compose -f runner-swarm.yml up -d if not using swarm mode for this)
|
||||
# 3. Redeploy the Forgejo stack to pick up the new services:
|
||||
# docker stack deploy -c forgejo-stack.yml --with-registry-auth forgejo
|
||||
#
|
||||
# Note: docker stack deploy does not support `volumes.driver_opts` or bind mounts
|
||||
# in the same way as compose. If you hit swarm limitations with the socket bind mount,
|
||||
# run this with plain `docker compose` instead of `docker stack deploy` — the runner
|
||||
# doesn't need swarm-specific features.
|
||||
# Docker Swarm does not support bind-mounts of /var/run/docker.sock via
|
||||
# `docker stack deploy`. Deploy using docker compose instead (still managed,
|
||||
# just not as a formal stack):
|
||||
# docker compose -f forgejo-stack.yml up -d
|
||||
#
|
||||
# Required secrets in Forgejo (repo → Settings → Secrets → Actions):
|
||||
# REGISTRY_USER — your Forgejo username
|
||||
# REGISTRY_TOKEN — Forgejo PAT with write:packages scope
|
||||
# DEPLOY_SERVICE — full swarm service name for the app, e.g. fabledassistant_app
|
||||
|
||||
networks:
|
||||
overlay_proxy:
|
||||
external: true
|
||||
fabled_backend:
|
||||
external: true
|
||||
|
||||
configs:
|
||||
act_runner_config:
|
||||
# Swarm Config object — stored in the swarm, injected read-only into the container.
|
||||
# To update this config you must remove and recreate it:
|
||||
# docker config rm act_runner_config
|
||||
# then redeploy the stack.
|
||||
file: ./act-runner-config.yml
|
||||
|
||||
volumes:
|
||||
act_runner_data:
|
||||
|
||||
services:
|
||||
act_runner:
|
||||
image: gitea/act_runner:latest
|
||||
restart: unless-stopped
|
||||
# ── Existing Forgejo service (unchanged, shown for context) ───────────────────
|
||||
forgejo:
|
||||
image: codeberg.org/forgejo/forgejo:14
|
||||
environment:
|
||||
- GITEA_INSTANCE_URL=https://git.fabledsword.com
|
||||
- GITEA_RUNNER_REGISTRATION_TOKEN=${RUNNER_TOKEN}
|
||||
- GITEA_RUNNER_NAME=forgejo-host-runner
|
||||
# Labels control which `runs-on:` values this runner accepts.
|
||||
# ubuntu-latest is the label used in all workflow files.
|
||||
- GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bullseye,ubuntu-22.04:docker://node:20-bullseye
|
||||
- CONFIG_FILE=/data/config.yml
|
||||
volumes:
|
||||
# Host Docker socket — required for the build job (docker buildx).
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- act_runner_data:/data
|
||||
# act_runner creates job containers as siblings on the host docker daemon.
|
||||
# The config file (written below by the init container) tells act_runner
|
||||
# which host paths job containers are allowed to mount.
|
||||
# See the init service below for how config.yml is created.
|
||||
- USER_UID=1000
|
||||
- USER_GID=1000
|
||||
- FORGEJO__database__DB_TYPE=postgres
|
||||
- FORGEJO__database__HOST=postgres:5432
|
||||
- FORGEJO__database__NAME=forgejo
|
||||
- FORGEJO__database__USER=forgejo
|
||||
- FORGEJO__database__PASSWD=${FORGEJO_DB_PW}
|
||||
networks:
|
||||
- overlay_proxy
|
||||
- fabled_backend
|
||||
depends_on:
|
||||
- act_runner_init
|
||||
volumes:
|
||||
- /nfs/data/fabledsword/forgejo:/data
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
deploy:
|
||||
replicas: 1
|
||||
labels:
|
||||
- traefik.http.routers.fabled-git.rule=Host(`git.${BASE_DN}`)
|
||||
- traefik.http.routers.fabled-git.entrypoints=websecure
|
||||
- traefik.http.routers.fabled-git.tls=true
|
||||
- traefik.http.routers.fabled-git.tls.certresolver=letsEncrypt
|
||||
- traefik.http.services.fabled-git.loadbalancer.server.port=3000
|
||||
- traefik.http.routers.fabled-git.middlewares=chain-external-noauth@file
|
||||
- traefik.enable=true
|
||||
- traefik.http.services.fabled-git.loadbalancer.serversTransport=reg-xport@file
|
||||
|
||||
# ── New: Forgejo Actions runner ───────────────────────────────────────────────
|
||||
act_runner:
|
||||
image: gitea/act_runner:latest
|
||||
environment:
|
||||
# Use the internal service name — avoids Traefik and works even if TLS is down.
|
||||
- GITEA_INSTANCE_URL=http://forgejo:3000
|
||||
- GITEA_RUNNER_REGISTRATION_TOKEN=${RUNNER_TOKEN}
|
||||
- GITEA_RUNNER_NAME=swarm-runner
|
||||
# Maps the `runs-on: ubuntu-latest` label in workflows to a Docker image.
|
||||
# node:20-bullseye is used as a general base; the language-specific setup-*
|
||||
# actions install the correct toolchain on top.
|
||||
- GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bullseye
|
||||
- CONFIG_FILE=/config/config.yml
|
||||
configs:
|
||||
- source: act_runner_config
|
||||
target: /config/config.yml
|
||||
mode: 0444
|
||||
volumes:
|
||||
# The host Docker socket lets the runner build images and call `docker service update`.
|
||||
# This REQUIRES the runner to be on a manager node (see placement below).
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- act_runner_data:/data
|
||||
networks:
|
||||
# fabled_backend lets the runner reach http://forgejo:3000
|
||||
- fabled_backend
|
||||
deploy:
|
||||
replicas: 1
|
||||
placement:
|
||||
constraints:
|
||||
# Must be a manager node to access the full Docker socket API (service updates).
|
||||
- node.role == manager
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
|
||||
# One-shot container that writes the act_runner config file before the runner starts.
|
||||
# Runs once, exits, and the runner service picks up /data/config.yml.
|
||||
act_runner_init:
|
||||
image: busybox
|
||||
volumes:
|
||||
- act_runner_data:/data
|
||||
command: >
|
||||
sh -c "
|
||||
if [ ! -f /data/config.yml ]; then
|
||||
cat > /data/config.yml << 'EOF'
|
||||
log:
|
||||
level: info
|
||||
|
||||
runner:
|
||||
# How many jobs to run concurrently on this runner.
|
||||
capacity: 2
|
||||
# Timeout for each job.
|
||||
timeout: 30m
|
||||
|
||||
cache:
|
||||
enabled: true
|
||||
dir: /data/.cache
|
||||
|
||||
container:
|
||||
# Job containers are created on the host Docker daemon (via mounted socket).
|
||||
# They share the host network so they can reach Forgejo and the registry directly.
|
||||
network: host
|
||||
# Paths the runner is allowed to bind-mount into job containers.
|
||||
# Add any paths here that workflow steps need to access on the host.
|
||||
valid_volumes:
|
||||
- /var/run/docker.sock
|
||||
EOF
|
||||
echo 'config.yml written'
|
||||
else
|
||||
echo 'config.yml already exists, skipping'
|
||||
fi
|
||||
"
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: none
|
||||
delay: 10s
|
||||
|
||||
Reference in New Issue
Block a user