From 8fc4dc09c99df1d8758895c00172c34d73d29f9f Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Date: Wed, 10 Jun 2026 12:12:44 +0200
Subject: [PATCH] ci(portal): retarget image build to registry.meghsakha.com +
 orca webhook
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous CI pushed to registry.breakpilot.com (the future prod
registry that doesn't exist yet) and tried to call `orca apply`, a
CLI shape this orca version doesn't ship. Repointing to the live
infrastructure:

- registry: registry.meghsakha.com
- image path: breakpilot/portal (sibling of breakpilot/compliance-*)
- tags: :latest (for the webhook-driven deploy) + :sha-<sha> (traceability)
- redeploy: POST github-style payload to the orca webhook on the master,
  matching the pattern documented in orca-infra/WEBHOOKS.md

The webhook must be registered once on the master:
  orca webhooks add --repo platform/portal \
                    --service breakpilot-portal --branch main

CI also needs REGISTRY_USER + REGISTRY_PASS set on this Gitea repo's
Actions secrets — same htpasswd-backed creds the master uses today.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/ci.yaml | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 8272d40..21a2034 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -108,6 +108,15 @@ jobs:
           PLAYWRIGHT_TEST_PASS: ${{ secrets.STAGE_TEST_PASS }}
 
   image:
+    # Builds the portal image and ships it through the same path every
+    # other service in orca-infra uses: push :latest + :sha-<sha> to
+    # registry.meghsakha.com, then POST a github-style payload to the
+    # orca webhook so the master pulls and redeploys breakpilot-portal.
+    #
+    # Webhook target (registered once on the master via
+    #   orca webhooks add --repo platform/portal \
+    #                     --service breakpilot-portal --branch main
+    # ) accepts unsigned payloads — orca matches on repo + branch.
     needs: [shared, test]
     if: github.event_name == 'push' && github.ref == 'refs/heads/main' && hashFiles('Dockerfile') != ''
     runs-on: docker
@@ -115,18 +124,19 @@ jobs:
       - uses: actions/checkout@v4
       - uses: docker/login-action@v3
         with:
-          registry: registry.breakpilot.com
+          registry: registry.meghsakha.com
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASS }}
       - uses: docker/build-push-action@v6
         with:
           push: true
           tags: |
-            registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
-            registry.breakpilot.com/${{ github.event.repository.name }}:env-stage
-      - uses: anchore/sbom-action@v0
-        with:
-          image: registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
-      - run: orca apply --env=stage --image-tag=sha-${{ github.sha }}
-        env:
-          ORCA_TOKEN: ${{ secrets.ORCA_STAGE_TOKEN }}
+            registry.meghsakha.com/breakpilot/portal:latest
+            registry.meghsakha.com/breakpilot/portal:sha-${{ github.sha }}
+      - name: trigger orca redeploy
+        run: |
+          curl -ksSf -X POST \
+            -H "Content-Type: application/json" \
+            -H "X-GitHub-Event: push" \
+            -d '{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}' \
+            https://46.225.100.82:6880/api/v1/webhooks/github