9345efc3f0
All checks were successful
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-consent (push) Successful in 33s
CI / test-python-voice (push) Successful in 33s
CI / test-bqas (push) Successful in 32s
build-pitch-deck workflow now posts an HMAC-signed push event to orca's webhook endpoint after the image is built + pushed. This avoids the race where orca would otherwise redeploy with the old :latest image before CI finishes pushing the new one. Removed the obsolete deploy-coolify.yml (wrong branch, wrong system) and stripped the deploy-coolify job from ci.yaml. Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK
60 lines
2.2 KiB
YAML
60 lines
2.2 KiB
YAML
# Build + push pitch-deck Docker image to registry.meghsakha.com
|
|
# and trigger orca redeploy on every push to main that touches pitch-deck/.
|
|
#
|
|
# Requires Gitea Actions secret: ORCA_WEBHOOK_SECRET_PITCH_DECK
|
|
# (the secret printed by `orca webhooks add` on the server)
|
|
|
|
name: Build pitch-deck
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- 'pitch-deck/**'
|
|
|
|
jobs:
|
|
build-push-deploy:
|
|
runs-on: docker
|
|
container:
|
|
image: docker:27-cli
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
apk add --no-cache git openssl curl
|
|
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
|
|
|
- name: Build image
|
|
run: |
|
|
cd pitch-deck
|
|
SHORT_SHA=$(git rev-parse --short HEAD)
|
|
docker build \
|
|
-t registry.meghsakha.com/breakpilot/pitch-deck:latest \
|
|
-t registry.meghsakha.com/breakpilot/pitch-deck:${SHORT_SHA} \
|
|
.
|
|
|
|
- name: Push to registry
|
|
run: |
|
|
SHORT_SHA=$(git rev-parse --short HEAD)
|
|
docker push registry.meghsakha.com/breakpilot/pitch-deck:latest
|
|
docker push registry.meghsakha.com/breakpilot/pitch-deck:${SHORT_SHA}
|
|
echo "Pushed :latest + :${SHORT_SHA}"
|
|
|
|
- name: Trigger orca redeploy
|
|
env:
|
|
ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET_PITCH_DECK }}
|
|
ORCA_WEBHOOK_URL: https://46.225.100.82:6880/api/v1/webhooks/github
|
|
run: |
|
|
# Post a github-style push event to orca's webhook endpoint,
|
|
# signed with HMAC-SHA256 using the per-webhook secret.
|
|
PAYLOAD="{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"${GITHUB_REPOSITORY}\"},\"after\":\"$(git rev-parse HEAD)\"}"
|
|
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -r | awk '{print $1}')
|
|
curl -sSf -k \
|
|
-X POST \
|
|
-H "Content-Type: application/json" \
|
|
-H "X-GitHub-Event: push" \
|
|
-H "X-Hub-Signature-256: sha256=$SIG" \
|
|
-d "$PAYLOAD" \
|
|
"$ORCA_WEBHOOK_URL" \
|
|
|| { echo "Orca redeploy failed"; exit 1; }
|
|
echo "Orca redeploy triggered"
|