From 9345efc3f03a64ba8c2a1018283f35c03fa5eff7 Mon Sep 17 00:00:00 2001 From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Date: Tue, 14 Apr 2026 08:19:48 +0200 Subject: [PATCH 1/8] ci(pipeline): trigger orca redeploy after image push, remove coolify build-pitch-deck workflow now posts an HMAC-signed push event to orca's webhook endpoint after the image is built + pushed. This avoids the race where orca would otherwise redeploy with the old :latest image before CI finishes pushing the new one. Removed the obsolete deploy-coolify.yml (wrong branch, wrong system) and stripped the deploy-coolify job from ci.yaml. Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK --- .gitea/workflows/build-pitch-deck.yml | 30 +++++++++++++++++++++++---- .gitea/workflows/ci.yaml | 18 ++-------------- .gitea/workflows/deploy-coolify.yml | 27 ------------------------ 3 files changed, 28 insertions(+), 47 deletions(-) delete mode 100644 .gitea/workflows/deploy-coolify.yml diff --git a/.gitea/workflows/build-pitch-deck.yml b/.gitea/workflows/build-pitch-deck.yml index 36968c6..219c3e3 100644 --- a/.gitea/workflows/build-pitch-deck.yml +++ b/.gitea/workflows/build-pitch-deck.yml @@ -1,5 +1,8 @@ # Build + push pitch-deck Docker image to registry.meghsakha.com -# on every push to main that touches pitch-deck/ files. +# and trigger orca redeploy on every push to main that touches pitch-deck/. +# +# Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK +# (the secret printed by `orca webhooks add` on the server) name: Build pitch-deck @@ -10,14 +13,14 @@ on: - 'pitch-deck/**' jobs: - build-and-push: + build-push-deploy: runs-on: docker container: image: docker:27-cli steps: - name: Checkout run: | - apk add --no-cache git + apk add --no-cache git openssl curl git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Build image 
@@ -34,4 +37,23 @@ jobs: SHORT_SHA=$(git rev-parse --short HEAD) docker push registry.meghsakha.com/breakpilot/pitch-deck:latest docker push registry.meghsakha.com/breakpilot/pitch-deck:${SHORT_SHA} - echo "Pushed registry.meghsakha.com/breakpilot/pitch-deck:latest + :${SHORT_SHA}" + echo "Pushed :latest + :${SHORT_SHA}" + + - name: Trigger orca redeploy + env: + ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET_PITCH_DECK }} + ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github + run: | + # Post a github-style push event to orca's webhook endpoint, + # signed with HMAC-SHA256 using the per-webhook secret. + PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"after\":\"$(git rev-parse HEAD)\"}" + SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}') + curl -sSf -k \ + -X POST \ + -H "Content-Type: application/json" \ + -H "X-GitHub-Event: push" \ + -H "X-Hub-Signature-256: sha256=$SIG" \ + -d "$PAYLOAD" \ + "$ORCA_WEBHOOK_URL" \ + || { echo "Orca redeploy failed"; exit 1; } + echo "Orca redeploy triggered" diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index f7c69e7..32c12aa 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml 
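Review bot: `curl -sSf -k` in the new "Trigger orca redeploy" step disables TLS certificate verification for the IP-literal `https://46.225.100.82:6880` URL, so the transport to orca is unauthenticated: anything on the path can read the signed event and, because the payload (`ref`, `repository.full_name`, `after`) carries no timestamp or nonce, re-send it later to trigger another deploy of whatever `:latest` is at that moment. Drop `-k` and pin the server certificate instead, e.g. `curl -sSf --cacert /path/to/orca-ca.pem \`, or front orca with a hostname that has a valid certificate. The HMAC key is also passed as an argv value (`-hmac "$ORCA_WEBHOOK_SECRET"`), which other processes in the runner container can see via `ps` for the duration of the call; acceptable for a single-purpose job container, but worth stating in a comment such as `# NOTE: -hmac puts the key in argv; relies on the job container being single-tenant`.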
@@ -140,20 +140,6 @@ jobs: python -m pytest tests/bqas/ -v --tb=short || true # ======================================== - # Deploy via Coolify (nur main, kein PR) + # Deploys now handled by per-service workflows (e.g. build-pitch-deck.yml) + # which trigger orca webhooks directly after building + pushing the image. # ======================================== - - deploy-coolify: - name: Deploy - runs-on: docker - if: github.event_name == 'push' && github.ref == 'refs/heads/main' - needs: - - test-go-consent - container: - image: alpine:latest - steps: - - name: Trigger Coolify deploy - run: | - apk add --no-cache curl - curl -sf "${{ secrets.COOLIFY_WEBHOOK }}" \ - -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}" diff --git a/.gitea/workflows/deploy-coolify.yml b/.gitea/workflows/deploy-coolify.yml deleted file mode 100644 index b65f762..0000000 --- a/.gitea/workflows/deploy-coolify.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Deploy to Coolify - -on: - push: - branches: - - coolify - -jobs: - deploy: - runs-on: ubuntu-latest - steps: - - name: Deploy via Coolify API - run: | - echo "Deploying breakpilot-core to Coolify..." - HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ - -X POST \ - -H "Authorization: Bearer ${{ secrets.COOLIFY_API_TOKEN }}" \ - -H "Content-Type: application/json" \ - -d '{"uuid": "${{ secrets.COOLIFY_RESOURCE_UUID }}", "force_rebuild": true}' \ - "${{ secrets.COOLIFY_BASE_URL }}/api/v1/deploy") - - echo "HTTP Status: $HTTP_STATUS" - if [ "$HTTP_STATUS" -ne 200 ] && [ "$HTTP_STATUS" -ne 201 ]; then - echo "Deployment failed with status $HTTP_STATUS" - exit 1 - fi - echo "Deployment triggered successfully!" From dbb476cc3b861d54863ed153b7dc8db4d4414d64 Mon Sep 17 00:00:00 2001 
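Review bot: The replacement comment should record that the deploy gate is gone, not just where deploys moved: the removed `deploy-coolify` job only ran with `needs: test-go-consent` and `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`, whereas build-pitch-deck.yml, as far as this series shows, fires the orca redeploy straight after the image push with no dependency on the test jobs in this file. If that is intended, say so, e.g. `# NOTE: unlike the old deploy-coolify job, per-service deploys are NOT gated on the test jobs above.`; otherwise the per-service workflow needs to wait for CI (a `workflow_run` trigger if the runner supports it, or moving the build into this file behind `needs:`). The `COOLIFY_WEBHOOK` and `COOLIFY_TOKEN` secrets referenced by the deleted job are no longer used by any workflow in this diff and should be deleted from the repository, with the Coolify token revoked on the Coolify side.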
From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Date: Tue, 14 Apr 2026 08:27:22 +0200 Subject: [PATCH 2/8] ci: drop HMAC signing (orca webhooks have no secret by default) --- .gitea/workflows/build-pitch-deck.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/.gitea/workflows/build-pitch-deck.yml b/.gitea/workflows/build-pitch-deck.yml index 219c3e3..73c51eb 100644 --- a/.gitea/workflows/build-pitch-deck.yml +++ b/.gitea/workflows/build-pitch-deck.yml @@ -1,8 +1,8 @@ # Build + push pitch-deck Docker image to registry.meghsakha.com # and trigger orca redeploy on every push to main that touches pitch-deck/. # -# Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK -# (the secret printed by `orca webhooks add` on the server) +# Orca's webhook endpoint doesn't require HMAC signing unless a secret is +# configured on the webhook (orca webhooks add doesn't set one by default). name: Build pitch-deck @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout run: | - apk add --no-cache git openssl curl + apk add --no-cache git curl git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Build image 
@@ -41,18 +41,14 @@ jobs: - name: Trigger orca redeploy env: - ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET_PITCH_DECK }} ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github run: | - # Post a github-style push event to orca's webhook endpoint, - # signed with HMAC-SHA256 using the per-webhook secret. - PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"after\":\"$(git rev-parse HEAD)\"}" - SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}') + SHA=$(git rev-parse HEAD) + PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: pitch-deck image build\"}}" curl -sSf -k \ -X POST \ -H "Content-Type: application/json" \ -H "X-GitHub-Event: push" \ - -H "X-Hub-Signature-256: sha256=$SIG" \ -d "$PAYLOAD" \ "$ORCA_WEBHOOK_URL" \ || { echo "Orca redeploy failed"; exit 1; } From eb118ebf92e08bc295a2d7449239278c8615a5c5 Mon Sep 17 00:00:00 2001 From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Date: Tue, 14 Apr 2026 08:31:29 +0200 Subject: [PATCH 3/8] ci: re-add HMAC-SHA256 signing on orca webhook (ORCA_WEBHOOK_SECRET) --- .gitea/workflows/build-pitch-deck.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/build-pitch-deck.yml b/.gitea/workflows/build-pitch-deck.yml index 73c51eb..357e26c 100644 --- a/.gitea/workflows/build-pitch-deck.yml +++ b/.gitea/workflows/build-pitch-deck.yml 
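Review bot: With the `X-Hub-Signature-256` header and the signing removed, anyone who can reach `https://46.225.100.82:6880/api/v1/webhooks/github` can post this same JSON and trigger a redeploy of `:latest`; nothing else in the request identifies the caller. PATCH 3 in this series restores the signature, so the exposure is transient, but the series should be squashed (or this commit dropped) so that no commit on `main` carries the unsigned variant for a revert or bisect to land on. `head_commit.message` is now the fixed literal `ci: pitch-deck image build` rather than the real commit subject; if orca records or displays it, note that with `# head_commit.message is a placeholder; the real subject is not JSON-escaped here` so nobody later relies on it.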
@@ -1,8 +1,8 @@ # Build + push pitch-deck Docker image to registry.meghsakha.com # and trigger orca redeploy on every push to main that touches pitch-deck/. # -# Orca's webhook endpoint doesn't require HMAC signing unless a secret is -# configured on the webhook (orca webhooks add doesn't set one by default). +# Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET +# (must match the `secret` field in ~/.orca/webhooks.json on the orca master) name: Build pitch-deck @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout run: | - apk add --no-cache git curl + apk add --no-cache git openssl curl git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Build image @@ -41,14 +41,17 @@ jobs: - name: Trigger orca redeploy env: + ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }} ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github run: | SHA=$(git rev-parse HEAD) PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: pitch-deck image build\"}}" + SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}') curl -sSf -k \ -X POST \ -H "Content-Type: application/json" \ -H "X-GitHub-Event: push" \ + -H "X-Hub-Signature-256: sha256=$SIG" \ -d "$PAYLOAD" \ "$ORCA_WEBHOOK_URL" \ || { echo "Orca redeploy failed"; exit 1; } From 1af160eed07f28d7cb9a9b6a91b7b8ec45c9d711 Mon Sep 17 00:00:00 2001 From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Date: Tue, 14 Apr 2026 09:22:10 +0200 Subject: [PATCH 4/8] test: trigger orca webhook via CI --- pitch-deck/README.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 pitch-deck/README.md diff --git a/pitch-deck/README.md b/pitch-deck/README.md new file mode 100644 index 0000000..e963460 --- /dev/null +++ b/pitch-deck/README.md @@ -0,0 +1,2 @@ + +Tue Apr 14 09:22:10 AM CEST 2026 
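Review bot: `secrets.ORCA_WEBHOOK_SECRET` expands to an empty string when the secret is not configured in Gitea, and the step then computes an HMAC with an empty key and still posts; combined with the behaviour recorded in the previous commit (orca does not verify signatures unless a secret is configured on the webhook), a secret missing on both sides silently degrades to an unauthenticated trigger instead of failing. Add a fail-fast guard at the top of the `run:` block: `set -eu -o pipefail` and `: "${ORCA_WEBHOOK_SECRET:?ORCA_WEBHOOK_SECRET secret is not configured}"`. `pipefail` also makes an `openssl dgst` failure abort the step instead of sending `X-Hub-Signature-256: sha256=` with an empty digest (busybox `sh` in the docker:27-cli image accepts `-o pipefail`, but confirm the runner's shell). The new header comment should also state which side is authoritative for the value, e.g. `# Rotate by editing ~/.orca/webhooks.json first, then updating the Gitea secret.`.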
From f794347827e2a685b33ce227078c9c71d14f209b Mon Sep 17 00:00:00 2001 From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Date: Tue, 14 Apr 2026 09:26:12 +0200 Subject: [PATCH 5/8] ci: add docker login step for registry.meghsakha.com Requires Gitea Actions secrets: REGISTRY_USERNAME, REGISTRY_PASSWORD --- .gitea/workflows/build-pitch-deck.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.gitea/workflows/build-pitch-deck.yml b/.gitea/workflows/build-pitch-deck.yml index 357e26c..dd26410 100644 --- a/.gitea/workflows/build-pitch-deck.yml +++ b/.gitea/workflows/build-pitch-deck.yml @@ -23,6 +23,13 @@ jobs: apk add --no-cache git openssl curl git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . + - name: Login to registry + env: + REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + run: | + echo "$REGISTRY_PASSWORD" | docker login registry.meghsakha.com -u "$REGISTRY_USERNAME" --password-stdin + - name: Build image run: | cd pitch-deck From 8e92a93aa8510c87f644bec028401e5d4a128cc5 Mon Sep 17 00:00:00 2001 From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Date: Tue, 14 Apr 2026 09:27:05 +0200 Subject: [PATCH 6/8] test: verify full CI pipeline with registry auth + orca webhook --- pitch-deck/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pitch-deck/README.md b/pitch-deck/README.md index e963460..c39838d 100644 --- a/pitch-deck/README.md +++ b/pitch-deck/README.md @@ -1,2 +1,4 @@ Tue Apr 14 09:22:10 AM CEST 2026 + +Tue Apr 14 09:27:05 AM CEST 2026 From d0539d0f2f2cb3820279a4b215bc4cfd34a82b93 Mon Sep 17 00:00:00 2001 From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Date: Tue, 14 Apr 2026 09:32:08 +0200 Subject: [PATCH 7/8] ci: use http:// for orca webhook (port 6880 serves plain HTTP) --- .gitea/workflows/build-pitch-deck.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
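Review bot: The new login step leaves the registry credential in the container's Docker config for the rest of the job — including the later curl step — and nothing in the workflow removes it; add a final step `- name: Logout from registry` / `if: always()` / `run: docker logout registry.meghsakha.com` so the credential does not outlive the push. Using `--password-stdin` is right, as the password never appears on the command line. The diff does not show what kind of account `REGISTRY_USERNAME`/`REGISTRY_PASSWORD` is; if the registry supports it, use a push-only robot account or token scoped to `breakpilot/pitch-deck` rather than a personal login.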
diff --git a/.gitea/workflows/build-pitch-deck.yml b/.gitea/workflows/build-pitch-deck.yml index dd26410..8e91ad3 100644 --- a/.gitea/workflows/build-pitch-deck.yml +++ b/.gitea/workflows/build-pitch-deck.yml @@ -49,7 +49,7 @@ jobs: - name: Trigger orca redeploy env: ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }} - ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github + ORCA_WEBHOOK_URL: http://46.225.100.82:6880/api/v1/webhooks/github run: | SHA=$(git rev-parse HEAD) PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"head_commit\":{\"id\":\"$SHA\",\"message\":\"ci: pitch-deck image build\"}}" From ebb7575f2c460fd808cb4a853317bca81ea5a208 Mon Sep 17 00:00:00 2001 From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Date: Tue, 14 Apr 2026 09:32:36 +0200 Subject: [PATCH 8/8] test: retrigger with http:// webhook URL --- pitch-deck/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/pitch-deck/README.md b/pitch-deck/README.md index c39838d..82112e2 100644 --- a/pitch-deck/README.md +++ b/pitch-deck/README.md @@ -2,3 +2,4 @@ Tue Apr 14 09:22:10 AM CEST 2026 Tue Apr 14 09:27:05 AM CEST 2026 +Tue Apr 14 09:32:36 AM CEST 2026
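Review bot: Switching `ORCA_WEBHOOK_URL` to `http://` sends the push event and its HMAC signature in cleartext to a public IP; the HMAC still authenticates and integrity-protects the body, but provides no confidentiality and, since the payload has no timestamp or nonce, no replay protection, so an on-path observer can re-send a captured request to trigger redeploys at will. `curl -sSf -k` is now a leftover: `-k` has no effect on a plain-http URL and only suggests TLS is in play, so remove it and change the line to `curl -sSf \`. Longer term, terminate TLS in front of orca (a reverse proxy with a real hostname and certificate, or a private network/tunnel between runner and master) and move the hard-coded `46.225.100.82:6880` into a repository variable so the endpoint is not baked into the workflow.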