Simplify CI/CD for same-swarm topology: no SSH, direct service update

Since Forgejo and the app share a swarm, the runner can:
- Connect to Forgejo at http://forgejo:3000 (internal, no Traefik)
- Call docker service update directly via mounted socket
- Avoid SSH entirely — secrets drop from 6 to 3

infra/runner-swarm.yml: runner added to Forgejo stack, pinned to manager
  node (required for service API access), uses Docker Swarm Config object
  for act_runner config injection
infra/act-runner-config.yml: runner config (bridge network for jobs,
  docker socket whitelisted)
build.yml: deploy step replaced with docker service update --with-registry-auth
  --detach=false (waits for rollout, shows progress in Actions log)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-08 19:06:11 -04:00
parent 1dc771cec2
commit 93fcd753a6
3 changed files with 143 additions and 106 deletions
+26 -29
View File
@@ -1,16 +1,12 @@
# Runs only on pushes to main.
# Builds the Docker image on the CI runner host (which has Docker socket access),
# pushes it to the Forgejo container registry, then SSHes to the app host to restart.
#
# Runner requirement: act_runner with /var/run/docker.sock mounted (see infra/runner-swarm.yml).
# The runner runs in the same swarm as Forgejo with /var/run/docker.sock mounted,
# so it can build images and update swarm services directly — no SSH needed.
#
# Required secrets (Forgejo repo → Settings → Secrets):
# REGISTRY_USER — your Forgejo username (bvandeusen)
# REGISTRY_TOKEN — Forgejo personal access token with write:packages scope
# DEPLOY_HOST — IP or hostname of the server running fabledassistant
# DEPLOY_USER — SSH user on that server
# DEPLOY_SSH_KEY — private SSH key (matching public key must be in authorized_keys on app host)
# DEPLOY_PATH — absolute path to the directory with docker-compose.yml on the app host
# Required secrets (repo → Settings → Secrets → Actions):
# REGISTRY_USER — your Forgejo username
# REGISTRY_TOKEN — Forgejo PAT with write:packages scope
# DEPLOY_SERVICE — full swarm service name, e.g. fabledassistant_app
name: Build & Deploy
on:
@@ -46,9 +42,8 @@ jobs:
tags: |
${{ env.IMAGE }}:latest
${{ env.IMAGE }}:${{ github.sha }}
# Registry-side layer cache lives in the Forgejo container registry.
# Unchanged layers (npm install, pip install) are reused across builds,
# cutting typical build time from ~4 min to ~45 sec after the first run.
# Registry-side layer cache — unchanged layers (npm install, pip install)
# are reused between builds. Cuts typical build time from ~4 min to ~45 sec.
cache-from: type=registry,ref=${{ env.IMAGE }}:cache
cache-to: type=registry,ref=${{ env.IMAGE }}:cache,mode=max
@@ -57,19 +52,21 @@ jobs:
needs: build
runs-on: ubuntu-latest
steps:
- name: Pull new image and restart app
uses: appleboy/ssh-action@v1
with:
host: ${{ secrets.DEPLOY_HOST }}
username: ${{ secrets.DEPLOY_USER }}
key: ${{ secrets.DEPLOY_SSH_KEY }}
# Pulls only the app service image, restarts only the app container.
# Database and Ollama containers are left untouched (--no-deps).
script: |
set -e
echo "${{ secrets.REGISTRY_TOKEN }}" | \
docker login git.fabledsword.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin
cd "${{ secrets.DEPLOY_PATH }}"
docker compose pull app
docker compose up -d --no-build --no-deps app
docker image prune -f
- name: Log in to registry
run: |
echo "${{ secrets.REGISTRY_TOKEN }}" | \
docker login git.fabledsword.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin
- name: Update swarm service
# --with-registry-auth forwards the login credentials to all swarm nodes
# so they can pull the new image. --detach=false waits for the rollout to
# complete before the job finishes (shows progress in the Actions log).
run: |
docker service update \
--image ${{ env.IMAGE }}:${{ github.sha }} \
--with-registry-auth \
--detach=false \
${{ secrets.DEPLOY_SERVICE }}
- name: Clean up old images
run: docker image prune -f