feat(ci): publish steward image to the registry + remote-deploy compose
Add the rule-46 image-publish lane: a `publish` job gated on [lint, unit, integration] that builds the runtime Dockerfile in ci-builder and pushes git.fabledsword.com/bvandeusen/steward:<sha> always, :dev on dev and :latest on main. Authenticates with the REGISTRY_TOKEN repo secret (the injected GITHUB_TOKEN lacks write:package). Steward is the first family app to implement the publish lane; mechanics mirror CI-runner's build-ci-python.yml. Add compose.deploy.yml for a persistent remote instance that pulls :dev (no source bind-mounts, persistent app_data+pgdata volumes, bundled Postgres), plus a README "Remote dev instance" runbook and the POSTGRES_PASSWORD env key. Fix .env.example's database URL var to the canonical STEWARD_DATABASE_URL (single underscore) and document the publish lane in ci-requirements.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -28,6 +28,42 @@ docker compose up -d
|
||||
|
||||
Open `http://localhost:5000`. On first run you'll be prompted to create the admin account.
|
||||
|
||||
This compose file builds the image locally and bind-mounts the source for live editing. To run a persistent instance off the published CI image instead, see **Remote dev instance** below.
|
||||
|
||||
---
|
||||
|
||||
## Remote dev instance
|
||||
|
||||
For a long-lived instance on a remote server that tracks the `dev` CI line, use `compose.deploy.yml`. It pulls the published image (`git.fabledsword.com/bvandeusen/steward:dev`) rather than building, runs no source bind-mounts, and persists data in named volumes.
|
||||
|
||||
**One-time prerequisite — registry push token (on the Git host).** CI publishes the image, so the FabledSteward repo needs a push credential. The injected `GITHUB_TOKEN` lacks `write:package`, so create a Forgejo token scoped **`read:package` + `write:package`** and add it as the repo Actions secret **`REGISTRY_TOKEN`**. Until this exists, the `publish` CI job 401s and no `:dev` image is produced.
|
||||
|
||||
**Standup (on the server):**
|
||||
|
||||
```bash
|
||||
# 1. Authenticate to the registry (read:package token is enough to pull)
|
||||
docker login git.fabledsword.com -u <user>
|
||||
|
||||
# 2. Configure secrets
|
||||
cp .env.example .env
|
||||
# Set POSTGRES_PASSWORD. Leave STEWARD_SECRET_KEY unset to let the app
|
||||
# generate + persist one on the /data volume.
|
||||
|
||||
# 3. Pull + boot
|
||||
docker compose -f compose.deploy.yml up -d
|
||||
```
|
||||
|
||||
Open `http://<server>:5000` and create the admin account on first run.
|
||||
|
||||
**Update to the latest dev build:**
|
||||
|
||||
```bash
|
||||
docker compose -f compose.deploy.yml pull
|
||||
docker compose -f compose.deploy.yml up -d
|
||||
```
|
||||
|
||||
Every push to `dev` that goes CI-green publishes a fresh `:dev` (and an immutable `:<commit-sha>` for rollback). To pin a specific commit, change the `image:` tag in `compose.deploy.yml` to `:<sha>`.
|
||||
|
||||
---
|
||||
|
||||
## Quick Start — Bare Metal
|
||||
|
||||
Reference in New Issue
Block a user