# Runs only on pushes to main. # # The runner runs in the same swarm as Forgejo with /var/run/docker.sock mounted, # so it can build images and update swarm services directly — no SSH needed. # # Required secrets (repo → Settings → Secrets → Actions): # REGISTRY_USER — your Forgejo username # REGISTRY_TOKEN — Forgejo PAT with write:packages scope # DEPLOY_SERVICE — full swarm service name, e.g. fabledassistant_app name: Build & Deploy on: push: branches: [main] env: REGISTRY: git.fabledsword.com IMAGE: git.fabledsword.com/bvandeusen/fabledassistant jobs: build: name: Build & push image runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to Forgejo registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_TOKEN }} - name: Build and push uses: docker/build-push-action@v6 with: context: . push: true tags: | ${{ env.IMAGE }}:latest ${{ env.IMAGE }}:${{ github.sha }} # Registry-side layer cache — unchanged layers (npm install, pip install) # are reused between builds. Cuts typical build time from ~4 min to ~45 sec. cache-from: type=registry,ref=${{ env.IMAGE }}:cache cache-to: type=registry,ref=${{ env.IMAGE }}:cache,mode=max deploy: name: Deploy needs: build runs-on: ubuntu-latest steps: - name: Log in to registry run: | echo "${{ secrets.REGISTRY_TOKEN }}" | \ docker login git.fabledsword.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin - name: Update swarm service # --with-registry-auth forwards the login credentials to all swarm nodes # so they can pull the new image. --detach=false waits for the rollout to # complete before the job finishes (shows progress in the Actions log). run: | docker service update \ --image ${{ env.IMAGE }}:${{ github.sha }} \ --with-registry-auth \ --detach=false \ ${{ secrets.DEPLOY_SERVICE }} - name: Clean up old images run: docker image prune -f