Prepare deployment and Forgejo CI

2026-04-14 20:17:29 -04:00 · 2026-04-14 20:17:29 -04:00 · 853e99ca5f
commit 853e99ca5f
parent 51706d2d11
21 changed files with 1402 additions and 77 deletions
--- a/README.md
+++ b/README.md
@ -40,6 +40,8 @@ Optional live Forgejo configuration:
 ```bash
 export APP_BASE_URL="http://kacper-dev-pod:8800"
 export AUTH_SECRET_KEY="$(openssl rand -hex 32)"
+export AUTH_COOKIE_SECURE="false"
+export CORS_ALLOW_ORIGINS="http://kacper-dev-pod:8800"
 export FORGEJO_BASE_URL="https://aksal.cloud"
 export FORGEJO_OAUTH_CLIENT_ID="your-forgejo-oauth-client-id"
 export FORGEJO_OAUTH_CLIENT_SECRET="your-forgejo-oauth-client-secret"
@ -58,6 +60,8 @@ http://kacper-dev-pod:8800/api/auth/forgejo/callback

 `AUTH_SECRET_KEY` is required for Forgejo OAuth sign-in. It encrypts the `HttpOnly` browser session cookie that carries the signed-in user's Forgejo token and identity. Set `AUTH_COOKIE_SECURE=true` when serving over HTTPS.

+`CORS_ALLOW_ORIGINS` defaults to `APP_BASE_URL` when that value is set. Use a comma-separated list if the API must be called from additional browser origins.
+
 `FORGEJO_TOKEN` is optional. When set, it is a read fallback for the public content cache. Browser OAuth requests only identity scopes, then the backend uses the signed-in user's Forgejo identity from the encrypted session cookie for public discussion creation and replies. The backend must verify repositories are public before reading discussion data or writing issues/comments.

 `FORGEJO_CACHE_TTL_SECONDS` controls how long the server reuses the public Forgejo content scan for `/api/prototype`. Set it to `0` to disable caching while debugging discovery behavior.
@ -92,3 +96,83 @@ cd frontend
 ./scripts/check_python_quality.sh
 ./scripts/check_frontend_quality.sh
 ```
+
+## Deployment
+
+### Forgejo Actions SSH Clone Bootstrap
+
+If the Forgejo instance only supports SSH clone in Actions, create a repo deploy key and matching Actions secret:
+
+```bash
+export FORGEJO_API_TOKEN=your-forgejo-api-token
+./scripts/bootstrap_ci_clone_key.py
+```
+
+Defaults:
+
+```text
+FORGEJO_BASE_URL=https://aksal.cloud
+FORGEJO_REPO=Robot-U/robot-u-site
+CI_CLONE_KEY_TITLE=robot-u-site-actions-clone
+CI_CLONE_SECRET_NAME=CI_REPO_SSH_KEY
+```
+
+The script generates a temporary Ed25519 keypair, adds the public key as a read-only deploy key on the repo, and stores the private key in the repo Actions secret `CI_REPO_SSH_KEY`.
+
+### Required Production Settings
+
+Create a production `.env` from `.env.example` and set at least:
+
+```bash
+APP_BASE_URL=https://your-site.example
+AUTH_SECRET_KEY=$(openssl rand -hex 32)
+AUTH_COOKIE_SECURE=true
+CORS_ALLOW_ORIGINS=https://your-site.example
+FORGEJO_BASE_URL=https://aksal.cloud
+FORGEJO_OAUTH_CLIENT_ID=...
+FORGEJO_OAUTH_CLIENT_SECRET=...
+FORGEJO_GENERAL_DISCUSSION_REPO=Robot-U/general_forum
+FORGEJO_WEBHOOK_SECRET=$(openssl rand -hex 32)
+```
+
+Then validate the deployment environment:
+
+```bash
+./scripts/check_deploy_config.py
+```
+
+The Forgejo OAuth app must include this redirect URI:
+
+```text
+https://your-site.example/api/auth/forgejo/callback
+```
+
+### Docker Compose
+
+```bash
+cp .env.example .env
+$EDITOR .env
+./scripts/check_deploy_config.py
+docker compose up --build -d
+curl -fsS http://127.0.0.1:8800/health
+```
+
+The compose file exposes the app on host port `8800` and runs Uvicorn on container port `8000`.
+
+### Non-Container Deployment
+
+```bash
+python3 -m venv .venv
+.venv/bin/pip install -r requirements.txt
+cd frontend
+~/.bun/bin/bun install
+~/.bun/bin/bun run build
+cd ..
+HOST=0.0.0.0 PORT=8000 ./scripts/run_prod.sh
+```
+
+Put a reverse proxy in front of the app for TLS. Preserve long-lived connections for `/api/events/stream`, and configure Forgejo webhooks to POST to:
+
+```text
+https://your-site.example/api/forgejo/webhook
+```