Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b00fe6cb73336cbb9440c3f8129e644d6a107fce
breakpilot-compliance/.gitea/workflows/build-push-deploy.yml
Sharang Parnerkar ad6e6019e9 ci: replace Coolify webhook with orca build+push+deploy pipeline 
Mirror the pitch-deck pattern: each service builds its Docker image,
pushes to registry.meghsakha.com/breakpilot/compliance-*, then triggers
orca redeploy via HMAC-signed webhook.

Requires secrets: REGISTRY_USERNAME, REGISTRY_PASSWORD, ORCA_WEBHOOK_SECRET

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 09:10:23 +02:00

222 lines
9.2 KiB
YAML
Raw Blame History

# Build + push compliance service images to registry.meghsakha.com
# and trigger orca redeploy on every push to main that touches a service.
#
# Requires Gitea Actions secrets:
# REGISTRY_USERNAME / REGISTRY_PASSWORD — registry.meghsakha.com credentials
# ORCA_WEBHOOK_SECRET — must match webhooks.json on orca master
name: Build + Deploy
on:
push:
branches: [main]
paths:
- 'admin-compliance/**'
- 'backend-compliance/**'
- 'ai-compliance-sdk/**'
- 'developer-portal/**'
- 'compliance-tts-service/**'
- 'document-crawler/**'
- 'dsms-gateway/**'
- 'dsms-node/**'
jobs:
# ── per-service builds run in parallel ────────────────────────────────────
build-admin-compliance:
runs-on: docker
container: docker:27-cli
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Login
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
- name: Build + push
run: |
SHORT_SHA=$(git rev-parse --short HEAD)
docker build \
-t registry.meghsakha.com/breakpilot/compliance-admin:latest \
-t registry.meghsakha.com/breakpilot/compliance-admin:${SHORT_SHA} \
admin-compliance/
docker push registry.meghsakha.com/breakpilot/compliance-admin:latest
docker push registry.meghsakha.com/breakpilot/compliance-admin:${SHORT_SHA}
build-backend-compliance:
runs-on: docker
container: docker:27-cli
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Login
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
- name: Build + push
run: |
SHORT_SHA=$(git rev-parse --short HEAD)
docker build \
-t registry.meghsakha.com/breakpilot/compliance-backend:latest \
-t registry.meghsakha.com/breakpilot/compliance-backend:${SHORT_SHA} \
backend-compliance/
docker push registry.meghsakha.com/breakpilot/compliance-backend:latest
docker push registry.meghsakha.com/breakpilot/compliance-backend:${SHORT_SHA}
build-ai-sdk:
runs-on: docker
container: docker:27-cli
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Login
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
- name: Build + push
run: |
SHORT_SHA=$(git rev-parse --short HEAD)
docker build \
-t registry.meghsakha.com/breakpilot/compliance-sdk:latest \
-t registry.meghsakha.com/breakpilot/compliance-sdk:${SHORT_SHA} \
ai-compliance-sdk/
docker push registry.meghsakha.com/breakpilot/compliance-sdk:latest
docker push registry.meghsakha.com/breakpilot/compliance-sdk:${SHORT_SHA}
build-developer-portal:
runs-on: docker
container: docker:27-cli
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Login
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
- name: Build + push
run: |
SHORT_SHA=$(git rev-parse --short HEAD)
docker build \
-t registry.meghsakha.com/breakpilot/compliance-portal:latest \
-t registry.meghsakha.com/breakpilot/compliance-portal:${SHORT_SHA} \
developer-portal/
docker push registry.meghsakha.com/breakpilot/compliance-portal:latest
docker push registry.meghsakha.com/breakpilot/compliance-portal:${SHORT_SHA}
build-tts:
runs-on: docker
container: docker:27-cli
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Login
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
- name: Build + push
run: |
SHORT_SHA=$(git rev-parse --short HEAD)
docker build \
-t registry.meghsakha.com/breakpilot/compliance-tts:latest \
-t registry.meghsakha.com/breakpilot/compliance-tts:${SHORT_SHA} \
compliance-tts-service/
docker push registry.meghsakha.com/breakpilot/compliance-tts:latest
docker push registry.meghsakha.com/breakpilot/compliance-tts:${SHORT_SHA}
build-document-crawler:
runs-on: docker
container: docker:27-cli
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Login
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
- name: Build + push
run: |
SHORT_SHA=$(git rev-parse --short HEAD)
docker build \
-t registry.meghsakha.com/breakpilot/compliance-crawler:latest \
-t registry.meghsakha.com/breakpilot/compliance-crawler:${SHORT_SHA} \
document-crawler/
docker push registry.meghsakha.com/breakpilot/compliance-crawler:latest
docker push registry.meghsakha.com/breakpilot/compliance-crawler:${SHORT_SHA}
build-dsms-gateway:
runs-on: docker
container: docker:27-cli
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Login
env:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
run: echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin
- name: Build + push
run: |
SHORT_SHA=$(git rev-parse --short HEAD)
docker build \
-t registry.meghsakha.com/breakpilot/compliance-dsms-gateway:latest \
-t registry.meghsakha.com/breakpilot/compliance-dsms-gateway:${SHORT_SHA} \
dsms-gateway/
docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:latest
docker push registry.meghsakha.com/breakpilot/compliance-dsms-gateway:${SHORT_SHA}
# ── orca redeploy (only after all builds succeed) ─────────────────────────
trigger-orca:
runs-on: docker
container: docker:27-cli
needs:
- build-admin-compliance
- build-backend-compliance
- build-ai-sdk
- build-developer-portal
- build-tts
- build-document-crawler
- build-dsms-gateway
steps:
- name: Checkout (for SHA)
run: |
apk add --no-cache git curl openssl
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Trigger orca redeploy
env:
ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
ORCA_WEBHOOK_URL: http://46.225.100.82:6880/api/v1/webhooks/github
run: |
SHA=$(git rev-parse HEAD)
PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: compliance images built\"}}"
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}')
curl -sSf -k \
-X POST \
-H "Content-Type: application/json" \
-H "X-GitHub-Event: push" \
-H "X-Hub-Signature-256: sha256=$SIG" \
-d "$PAYLOAD" \
"$ORCA_WEBHOOK_URL" \
|| { echo "Orca redeploy failed"; exit 1; }
echo "Orca redeploy triggered for compliance services"
Reference in New Issue View Git Blame Copy Permalink