ci(pipeline): trigger orca redeploy after image push, remove coolify

build-pitch-deck workflow now posts an HMAC-signed push event to orca's webhook endpoint after the image is built + pushed. This avoids the race where orca would otherwise redeploy with the old :latest image before CI finishes pushing the new one. Removed the obsolete deploy-coolify.yml (wrong branch, wrong system) and stripped the deploy-coolify job from ci.yaml. Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK
2026-04-14 08:19:48 +02:00
parent c4e993e3f8
commit 9345efc3f0
3 changed files with 28 additions and 47 deletions
--- a/.gitea/workflows/build-pitch-deck.yml
+++ b/.gitea/workflows/build-pitch-deck.yml
@@ -1,5 +1,8 @@
 # Build + push pitch-deck Docker image to registry.meghsakha.com
-# on every push to main that touches pitch-deck/ files.
+# and trigger orca redeploy on every push to main that touches pitch-deck/.
+#
+# Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK
+#   (the secret printed by `orca webhooks add` on the server)

 name: Build pitch-deck

@@ -10,14 +13,14 @@ on:
      - 'pitch-deck/**'

 jobs:
-  build-and-push:
+  build-push-deploy:
    runs-on: docker
    container:
      image: docker:27-cli
    steps:
      - name: Checkout
        run: |
-          apk add --no-cache git
+          apk add --no-cache git openssl curl
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .

      - name: Build image
@@ -34,4 +37,23 @@ jobs:
          SHORT_SHA=$(git rev-parse --short HEAD)
          docker push registry.meghsakha.com/breakpilot/pitch-deck:latest
          docker push registry.meghsakha.com/breakpilot/pitch-deck:${SHORT_SHA}
-          echo "Pushed registry.meghsakha.com/breakpilot/pitch-deck:latest + :${SHORT_SHA}"
+          echo "Pushed :latest + :${SHORT_SHA}"
+
+      - name: Trigger orca redeploy
+        env:
+          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET_PITCH_DECK }}
+          ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github
+        run: |
+          # Post a github-style push event to orca's webhook endpoint,
+          # signed with HMAC-SHA256 using the per-webhook secret.
+          PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"after\":\"$(git rev-parse HEAD)\"}"
+          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}')
+          curl -sSf -k \
+            -X POST \
+            -H "Content-Type: application/json" \
+            -H "X-GitHub-Event: push" \
+            -H "X-Hub-Signature-256: sha256=$SIG" \
+            -d "$PAYLOAD" \
+            "$ORCA_WEBHOOK_URL" \
+            || { echo "Orca redeploy failed"; exit 1; }
+          echo "Orca redeploy triggered"
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -140,20 +140,6 @@ jobs:
          python -m pytest tests/bqas/ -v --tb=short || true

  # ========================================
-  # Deploy via Coolify (nur main, kein PR)
+  # Deploys now handled by per-service workflows (e.g. build-pitch-deck.yml)
+  # which trigger orca webhooks directly after building + pushing the image.
  # ========================================
-
-  deploy-coolify:
-    name: Deploy
-    runs-on: docker
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-    needs:
-      - test-go-consent
-    container:
-      image: alpine:latest
-    steps:
-      - name: Trigger Coolify deploy
-        run: |
-          apk add --no-cache curl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK }}" \
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
--- a/.gitea/workflows/deploy-coolify.yml
+++ b/.gitea/workflows/deploy-coolify.yml
@@ -1,27 +0,0 @@
-name: Deploy to Coolify
-
-on:
-  push:
-    branches:
-      - coolify
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Deploy via Coolify API
-        run: |
-          echo "Deploying breakpilot-core to Coolify..."
-          HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-            -X POST \
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_API_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            -d '{"uuid": "${{ secrets.COOLIFY_RESOURCE_UUID }}", "force_rebuild": true}' \
-            "${{ secrets.COOLIFY_BASE_URL }}/api/v1/deploy")
-
-          echo "HTTP Status: $HTTP_STATUS"
-          if [ "$HTTP_STATUS" -ne 200 ] && [ "$HTTP_STATUS" -ne 201 ]; then
-            echo "Deployment failed with status $HTTP_STATUS"
-            exit 1
-          fi
-          echo "Deployment triggered successfully!"