From c34f8528a7ee173674fcf2bf22946f677128b992 Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Date: Fri, 17 Apr 2026 09:11:08 +0200
Subject: [PATCH] ci: replace Coolify webhook with orca build+push+deploy pipeline
Mirror the pitch-deck pattern: each service builds its Docker image, pushes to registry.meghsakha.com/breakpilot/compliance-*, then triggers orca redeploy via HMAC-signed webhook.
Requires secrets: REGISTRY_USERNAME, REGISTRY_PASSWORD, ORCA_WEBHOOK_SECRET
Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/build-push-deploy.yml | 221 +++++++++++++++++++++++++
 .gitea/workflows/ci.yaml | 24 +-
 2 files changed, 223 insertions(+), 22 deletions(-)
 create mode 100644 .gitea/workflows/build-push-deploy.yml
diff --git a/.gitea/workflows/build-push-deploy.yml b/.gitea/workflows/build-push-deploy.yml
new file mode 100644
index 0000000..802fbce
--- /dev/null
+++ b/.gitea/workflows/build-push-deploy.yml
@@ -0,0 +1,221 @@ +# Build + push compliance service images to registry.meghsakha.com +# and trigger orca redeploy on every push to main that touches a service. +# +# Requires Gitea Actions secrets: +# REGISTRY_USERNAME / REGISTRY_PASSWORD — registry.meghsakha.com credentials +# ORCA_WEBHOOK_SECRET — must match webhooks.json on orca master + +name: Build + Deploy + +on: + push: + branches: [main] + paths: + - 'admin-compliance/**' + - 'backend-compliance/**' + - 'ai-compliance-sdk/**' + - 'developer-portal/**' + - 'compliance-tts-service/**' + - 'document-crawler/**' + - 'dsms-gateway/**' + - 'dsms-node/**' + +jobs: + # ── per-service builds run in parallel ──────────────────────────────────── + + build-admin-compliance: + runs-on: docker + container: docker:27-cli + steps: + - name: Checkout + run: | + apk add --no-cache git + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . + - name: Login + env: + REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin + - name: Build + push + run: | + SHORT_SHA=$(git rev-parse --short HEAD) + docker build \ + -t registry.meghsakha.com/breakpilot/compliance-admin:latest \ + -t registry.meghsakha.com/breakpilot/compliance-admin:${SHORT_SHA} \ + admin-compliance/ + docker push registry.meghsakha.com/breakpilot/compliance-admin:latest + docker push registry.meghsakha.com/breakpilot/compliance-admin:${SHORT_SHA} + + build-backend-compliance: + runs-on: docker + container: docker:27-cli + steps: + - name: Checkout + run: | + apk add --no-cache git + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . 
+ - name: Login + env: + REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin + - name: Build + push + run: | + SHORT_SHA=$(git rev-parse --short HEAD) + docker build \ + -t registry.meghsakha.com/breakpilot/compliance-backend:latest \ + -t registry.meghsakha.com/breakpilot/compliance-backend:${SHORT_SHA} \ + backend-compliance/ + docker push registry.meghsakha.com/breakpilot/compliance-backend:latest + docker push registry.meghsakha.com/breakpilot/compliance-backend:${SHORT_SHA} + + build-ai-sdk: + runs-on: docker + container: docker:27-cli + steps: + - name: Checkout + run: | + apk add --no-cache git + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . + - name: Login + env: + REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin + - name: Build + push + run: | + SHORT_SHA=$(git rev-parse --short HEAD) + docker build \ + -t registry.meghsakha.com/breakpilot/compliance-sdk:latest \ + -t registry.meghsakha.com/breakpilot/compliance-sdk:${SHORT_SHA} \ + ai-compliance-sdk/ + docker push registry.meghsakha.com/breakpilot/compliance-sdk:latest + docker push registry.meghsakha.com/breakpilot/compliance-sdk:${SHORT_SHA} + + build-developer-portal: + runs-on: docker + container: docker:27-cli + steps: + - name: Checkout + run: | + apk add --no-cache git + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . 
+ - name: Login + env: + REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin + - name: Build + push + run: | + SHORT_SHA=$(git rev-parse --short HEAD) + docker build \ + -t registry.meghsakha.com/breakpilot/compliance-portal:latest \ + -t registry.meghsakha.com/breakpilot/compliance-portal:${SHORT_SHA} \ + developer-portal/ + docker push registry.meghsakha.com/breakpilot/compliance-portal:latest + docker push registry.meghsakha.com/breakpilot/compliance-portal:${SHORT_SHA} + + build-tts: + runs-on: docker + container: docker:27-cli + steps: + - name: Checkout + run: | + apk add --no-cache git + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . + - name: Login + env: + REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin + - name: Build + push + run: | + SHORT_SHA=$(git rev-parse --short HEAD) + docker build \ + -t registry.meghsakha.com/breakpilot/compliance-tts:latest \ + -t registry.meghsakha.com/breakpilot/compliance-tts:${SHORT_SHA} \ + compliance-tts-service/ + docker push registry.meghsakha.com/breakpilot/compliance-tts:latest + docker push registry.meghsakha.com/breakpilot/compliance-tts:${SHORT_SHA} + + build-document-crawler: + runs-on: docker + container: docker:27-cli + steps: + - name: Checkout + run: | + apk add --no-cache git + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . 
+ - name: Login + env: + REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin + - name: Build + push + run: | + SHORT_SHA=$(git rev-parse --short HEAD) + docker build \ + -t registry.meghsakha.com/breakpilot/compliance-crawler:latest \ + -t registry.meghsakha.com/breakpilot/compliance-crawler:${SHORT_SHA} \ + document-crawler/ + docker push registry.meghsakha.com/breakpilot/compliance-crawler:latest + docker push registry.meghsakha.com/breakpilot/compliance-crawler:${SHORT_SHA} + + build-dsms-gateway: + runs-on: docker + container: docker:27-cli + steps: + - name: Checkout + run: | + apk add --no-cache git + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . + - name: Login + env: + REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin + - name: Build + push + run: | + SHORT_SHA=$(git rev-parse --short HEAD) + docker build \ + -t registry.meghsakha.com/breakpilot/compliance-dsms-gateway:latest \ + -t registry.meghsakha.com/breakpilot/compliance-dsms-gateway:${SHORT_SHA} \ + dsms-gateway/ + docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:latest + docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:${SHORT_SHA} + + # ── orca redeploy (only after all builds succeed) ───────────────────────── + + trigger-orca: + runs-on: docker + container: docker:27-cli + needs: + - build-admin-compliance + - build-backend-compliance + - build-ai-sdk + - build-developer-portal + - build-tts + - build-document-crawler + - build-dsms-gateway + steps: + - name: Checkout (for SHA) + run: | + apk add --no-cache git curl openssl + git clone --depth 1 --branch ${GITHUB_REF_NAME} 
${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . + - name: Trigger orca redeploy + env: + ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }} + ORCA_WEBHOOK_URL: http://46.225.100.82:6880/api/v1/webhooks/github + run: | + SHA=$(git rev-parse HEAD) + PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: compliance images built\"}}" + SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}') + curl -sSf -k \ + -X POST \ + -H "Content-Type: application/json" \ + -H "X-GitHub-Event: push" \ + -H "X-Hub-Signature-256: sha256=$SIG" \ + -d "$PAYLOAD" \ + "$ORCA_WEBHOOK_URL" \ + || { echo "Orca redeploy failed"; exit 1; } + echo "Orca redeploy triggered for compliance services" diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index d706806..5e780ff 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml @@ -185,25 +185,5 @@ jobs: run: | python scripts/validate-controls.py - # ======================================== - # Deploy via Coolify (nur main, kein PR) - # ======================================== - - deploy-coolify: - name: Deploy - runs-on: docker - if: github.event_name == 'push' && github.ref == 'refs/heads/main' - needs: - - test-go-ai-compliance - - test-python-backend-compliance - - test-python-document-crawler - - test-python-dsms-gateway - - validate-canonical-controls - container: - image: alpine:latest - steps: - - name: Trigger Coolify deploy - run: | - apk add --no-cache curl - curl -sf "${{ secrets.COOLIFY_WEBHOOK }}" \ - -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}" + # Deploy is handled by .gitea/workflows/build-push-deploy.yml + # which builds images, pushes to registry.meghsakha.com, and triggers orca.
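Review bot: The `Trigger orca redeploy` step posts the signed payload to a hard-coded plain-HTTP address (`ORCA_WEBHOOK_URL: http://46.225.100.82:6880/api/v1/webhooks/github`), so the body and its `X-Hub-Signature-256` cross the network in the clear and, because the payload carries no timestamp or nonce, anyone who observes one request can replay it to force redeploys; the `-k` on the curl line has no effect over http but will silently disable certificate checks the day the URL becomes https. Move the URL into a repository variable or secret, serve the endpoint over TLS, and drop `-k` so the HMAC only ever travels over a verified channel. Separately, `paths` lists `dsms-node/**` but no `build-dsms-node` job exists, so a push touching only that directory rebuilds and redeploys the other seven services and nothing for dsms-node. The `needs` list on `trigger-orca` waits only for the build jobs, whereas the removed `deploy-coolify` job in ci.yaml waited for the test jobs, so with deploy now in a separate workflow images reach orca even when ci.yaml's tests fail — consider gating this workflow on ci.yaml (e.g. `workflow_run`) or moving the build jobs behind the test jobs. Finally, every job re-clones `--branch ${GITHUB_REF_NAME}` rather than the triggering commit, so if main moves mid-run the `SHORT_SHA` tags and the `SHA` reported to orca can belong to different commits; assuming the runner exports `GITHUB_SHA` alongside `GITHUB_REF_NAME`, `git init . && git fetch --depth 1 origin "$GITHUB_SHA" && git checkout FETCH_HEAD` pins all eight jobs to the same commit.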