Simplify CI/CD for same-swarm topology: no SSH, direct service update
Since Forgejo and the app share a swarm, the runner can: - Connect to Forgejo at http://forgejo:3000 (internal, no Traefik) - Call docker service update directly via mounted socket - Avoid SSH entirely — secrets drop from 6 to 3 infra/runner-swarm.yml: runner added to Forgejo stack, pinned to manager node (required for service API access), uses Docker Swarm Config object for act_runner config injection infra/act-runner-config.yml: runner config (bridge network for jobs, docker socket whitelisted) build.yml: deploy step replaced with docker service update --with-registry-auth --detach=false (waits for rollout, shows progress in Actions log) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,16 +1,12 @@
|
||||
# Runs only on pushes to main.
|
||||
# Builds the Docker image on the CI runner host (which has Docker socket access),
|
||||
# pushes it to the Forgejo container registry, then SSHes to the app host to restart.
|
||||
#
|
||||
# Runner requirement: act_runner with /var/run/docker.sock mounted (see infra/runner-swarm.yml).
|
||||
# The runner runs in the same swarm as Forgejo with /var/run/docker.sock mounted,
|
||||
# so it can build images and update swarm services directly — no SSH needed.
|
||||
#
|
||||
# Required secrets (Forgejo repo → Settings → Secrets):
|
||||
# REGISTRY_USER — your Forgejo username (bvandeusen)
|
||||
# REGISTRY_TOKEN — Forgejo personal access token with write:packages scope
|
||||
# DEPLOY_HOST — IP or hostname of the server running fabledassistant
|
||||
# DEPLOY_USER — SSH user on that server
|
||||
# DEPLOY_SSH_KEY — private SSH key (matching public key must be in authorized_keys on app host)
|
||||
# DEPLOY_PATH — absolute path to the directory with docker-compose.yml on the app host
|
||||
# Required secrets (repo → Settings → Secrets → Actions):
|
||||
# REGISTRY_USER — your Forgejo username
|
||||
# REGISTRY_TOKEN — Forgejo PAT with write:packages scope
|
||||
# DEPLOY_SERVICE — full swarm service name, e.g. fabledassistant_app
|
||||
name: Build & Deploy
|
||||
|
||||
on:
|
||||
@@ -46,9 +42,8 @@ jobs:
|
||||
tags: |
|
||||
${{ env.IMAGE }}:latest
|
||||
${{ env.IMAGE }}:${{ github.sha }}
|
||||
# Registry-side layer cache lives in the Forgejo container registry.
|
||||
# Unchanged layers (npm install, pip install) are reused across builds,
|
||||
# cutting typical build time from ~4 min to ~45 sec after the first run.
|
||||
# Registry-side layer cache — unchanged layers (npm install, pip install)
|
||||
# are reused between builds. Cuts typical build time from ~4 min to ~45 sec.
|
||||
cache-from: type=registry,ref=${{ env.IMAGE }}:cache
|
||||
cache-to: type=registry,ref=${{ env.IMAGE }}:cache,mode=max
|
||||
|
||||
@@ -57,19 +52,21 @@ jobs:
|
||||
needs: build
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Pull new image and restart app
|
||||
uses: appleboy/ssh-action@v1
|
||||
with:
|
||||
host: ${{ secrets.DEPLOY_HOST }}
|
||||
username: ${{ secrets.DEPLOY_USER }}
|
||||
key: ${{ secrets.DEPLOY_SSH_KEY }}
|
||||
# Pulls only the app service image, restarts only the app container.
|
||||
# Database and Ollama containers are left untouched (--no-deps).
|
||||
script: |
|
||||
set -e
|
||||
echo "${{ secrets.REGISTRY_TOKEN }}" | \
|
||||
docker login git.fabledsword.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin
|
||||
cd "${{ secrets.DEPLOY_PATH }}"
|
||||
docker compose pull app
|
||||
docker compose up -d --no-build --no-deps app
|
||||
docker image prune -f
|
||||
- name: Log in to registry
|
||||
run: |
|
||||
echo "${{ secrets.REGISTRY_TOKEN }}" | \
|
||||
docker login git.fabledsword.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin
|
||||
|
||||
- name: Update swarm service
|
||||
# --with-registry-auth forwards the login credentials to all swarm nodes
|
||||
# so they can pull the new image. --detach=false waits for the rollout to
|
||||
# complete before the job finishes (shows progress in the Actions log).
|
||||
run: |
|
||||
docker service update \
|
||||
--image ${{ env.IMAGE }}:${{ github.sha }} \
|
||||
--with-registry-auth \
|
||||
--detach=false \
|
||||
${{ secrets.DEPLOY_SERVICE }}
|
||||
|
||||
- name: Clean up old images
|
||||
run: docker image prune -f
|
||||
|
||||
Reference in New Issue
Block a user