feat(ci): publish steward image to the registry + remote-deploy compose
Add the rule-46 image-publish lane: a `publish` job gated on [lint, unit, integration] that builds the runtime Dockerfile in ci-builder and pushes git.fabledsword.com/bvandeusen/steward:<sha> always, :dev on dev and :latest on main. Authenticates with the REGISTRY_TOKEN repo secret (the injected GITHUB_TOKEN lacks write:package). Steward is the first family app to implement the publish lane; mechanics mirror CI-runner's build-ci-python.yml. Add compose.deploy.yml for a persistent remote instance that pulls :dev (no source bind-mounts, persistent app_data+pgdata volumes, bundled Postgres), plus a README "Remote dev instance" runbook and the POSTGRES_PASSWORD env key. Fix .env.example's database URL var to the canonical STEWARD_DATABASE_URL (single underscore) and document the publish lane in ci-requirements.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -90,3 +90,40 @@ jobs:
|
||||
pip install -e '.[dev,ansible]'
|
||||
fi
|
||||
pytest tests/integration -v -m integration --durations=10
|
||||
|
||||
# Image-publish lane — FabledRulebook rule 46: every push to dev/main publishes
|
||||
# an immutable commit-SHA image (the rollback unit); dev moves :dev, main moves
|
||||
# :latest. Gated on the three test lanes via `needs:` so a red commit never
|
||||
# produces a :dev image. Mechanics mirror CI-runner's build-ci-python.yml.
|
||||
publish:
|
||||
needs: [lint, unit, integration]
|
||||
runs-on: python-ci
|
||||
container:
|
||||
# ci-builder carries docker + buildx + git. The docker socket is
|
||||
# auto-mounted by act_runner (valid_volumes) — do NOT add a
|
||||
# container.options "-v /var/run/docker.sock:..." mount; that duplicate
|
||||
# mount fails the job at "Set up job".
|
||||
image: git.fabledsword.com/bvandeusen/ci-builder:latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Registry login
|
||||
# The injected GITHUB_TOKEN lacks write:package scope, so docker push
|
||||
# 401s with it. REGISTRY_TOKEN is a repo Actions secret holding a
|
||||
# Forgejo token scoped read:package + write:package.
|
||||
run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.fabledsword.com -u bvandeusen --password-stdin
|
||||
- name: Build + push (commit-SHA always; :dev on dev, :latest on main)
|
||||
run: |
|
||||
set -euxo pipefail
|
||||
IMAGE=git.fabledsword.com/bvandeusen/steward
|
||||
docker build -t "$IMAGE:${{ github.sha }}" .
|
||||
docker push "$IMAGE:${{ github.sha }}"
|
||||
if [ "${{ github.ref }}" = "refs/heads/dev" ]; then
|
||||
docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:dev"
|
||||
docker push "$IMAGE:dev"
|
||||
elif [ "${{ github.ref }}" = "refs/heads/main" ]; then
|
||||
docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:latest"
|
||||
docker push "$IMAGE:latest"
|
||||
fi
|
||||
- name: Prune dangling layers
|
||||
if: always()
|
||||
run: docker image prune -f
|
||||
|
||||
Reference in New Issue
Block a user