feat(portal): allow PORTAL_APEX_HOSTS env to extend APEX_HOSTS (#15 )

ci(portal): retarget image build to registry.meghsakha.com + orca webhook (#14 )
2026-06-10 12:05:51 +00:00 · 2026-06-10 12:05:37 +00:00
1 changed files with 27 additions and 8 deletions
@@ -108,6 +108,15 @@ jobs:
          PLAYWRIGHT_TEST_PASS: ${{ secrets.STAGE_TEST_PASS }}

  image:
+    # Builds the portal image and ships it through the same path every
+    # other service in orca-infra uses: push :latest + :sha-<sha> to
+    # registry.meghsakha.com, then POST a github-style payload to the
+    # orca webhook so the master pulls and redeploys breakpilot-portal.
+    #
+    # Webhook target (registered once on the master via
+    #   orca webhooks add --repo platform/portal \
+    #                     --service breakpilot-portal --branch main
+    # ) accepts unsigned payloads — orca matches on repo + branch.
    needs: [shared, test]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main' && hashFiles('Dockerfile') != ''
    runs-on: docker
@@ -115,18 +124,28 @@ jobs:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
-          registry: registry.breakpilot.com
+          registry: registry.meghsakha.com
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASS }}
      - uses: docker/build-push-action@v6
        with:
          push: true
          tags: |
-            registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
-            registry.breakpilot.com/${{ github.event.repository.name }}:env-stage
-      - uses: anchore/sbom-action@v0
-        with:
-          image: registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
-      - run: orca apply --env=stage --image-tag=sha-${{ github.sha }}
+            registry.meghsakha.com/breakpilot/portal:latest
+            registry.meghsakha.com/breakpilot/portal:sha-${{ github.sha }}
+      - name: trigger orca redeploy
+        # Signs the POST with HMAC-SHA256 over the JSON body using the
+        # secret orca generated when the webhook was registered. Orca's
+        # endpoint is publicly reachable on the master, so the signature
+        # gates who can fire a deploy.
        env:
-          ORCA_TOKEN: ${{ secrets.ORCA_STAGE_TOKEN }}
+          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
+        run: |
+          BODY='{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}'
+          SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -hex | awk '{print $NF}')"
+          curl -ksSf -X POST \
+            -H "Content-Type: application/json" \
+            -H "X-GitHub-Event: push" \
+            -H "X-Hub-Signature-256: $SIG" \
+            -d "$BODY" \
+            https://46.225.100.82:6880/api/v1/webhooks/github
Author	SHA1	Message	Date
sharang	5856c1c732	feat(portal): allow PORTAL_APEX_HOSTS env to extend APEX_HOSTS (#15 ) ci / shared (push) Successful in 12s Details ci / test (push) Successful in 10m17s Details ci / e2e (push) Has been skipped Details ci / image (push) Has been skipped Details	2026-06-10 12:05:51 +00:00
sharang	0862420e7c	ci(portal): retarget image build to registry.meghsakha.com + orca webhook (#14 ) ci / shared (push) Successful in 14s Details ci / test (push) Successful in 10m18s Details ci / e2e (push) Has been skipped Details ci / image (push) Has been skipped Details	2026-06-10 12:05:37 +00:00