From ce32eb067c714dff7c30c12b5e86bc49acca6979 Mon Sep 17 00:00:00 2001 From: kacper Date: Wed, 15 Apr 2026 06:39:26 -0400 Subject: [PATCH] Restrict deployment workflow to main --- .forgejo/workflows/ci.yml | 4 +++- AGENTS.md | 4 +++- README.md | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index 038a60e..3535cdd 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -5,6 +5,8 @@ on: branches: - main pull_request: + branches: + - main jobs: check: @@ -57,7 +59,7 @@ jobs: runs-on: docker needs: - check - if: ${{ github.event_name == 'push' }} + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} steps: - name: Install deploy tooling diff --git a/AGENTS.md b/AGENTS.md index 824bf70..ee044a8 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -227,8 +227,10 @@ Current production env notes: CI state: - `.forgejo/workflows/ci.yml` runs on `docker`. +- The workflow checks PRs targeting `main` and pushes to `main`; deployment is explicitly gated to `push` events where `github.ref == refs/heads/main`. - The `check` job manually installs `CI_REPO_SSH_KEY`, clones `git@aksal.cloud:Robot-U/robot-u-site.git`, installs `uv` and Bun, then runs Python and frontend checks. -- The `deploy` job runs after `check` on `push` events, installs `DEPLOY_SSH_KEY`, clones the repo, rsyncs it to `root@192.168.1.220:/opt/robot-u-site/`, rebuilds Docker Compose, and checks `/health`. +- The `deploy` job runs after `check` on pushes to `main`, installs `DEPLOY_SSH_KEY`, clones the repo, rsyncs it to `root@192.168.1.220:/opt/robot-u-site/`, rebuilds Docker Compose, and checks `/health`. +- Forgejo branch protection on `main` should block direct pushes and require the `CI / check (pull_request)` status check before PR merge. - The repo has a read-only deploy key and matching Forgejo Actions secret for CI clone. - The app LXC has a CI deploy public key in `root`'s `authorized_keys`, and the matching private key is stored in the Forgejo Actions secret `DEPLOY_SSH_KEY`. - `scripts/bootstrap_lxc_deploy_key.py` recreates or rotates the LXC deploy key. It uses `FORGEJO_API_TOKEN`, appends the generated public key to the LXC user's `authorized_keys`, verifies SSH, and stores the generated private key in `DEPLOY_SSH_KEY`. diff --git a/README.md b/README.md index cf04cc1..bf0de02 100644 --- a/README.md +++ b/README.md 
@@ -142,7 +142,7 @@ LXC_DEPLOY_SECRET_NAME=DEPLOY_SSH_KEY The script generates a temporary Ed25519 keypair, appends the public key to the LXC user's `authorized_keys`, verifies SSH login with the generated key, and stores the private key in the repo Actions secret `DEPLOY_SSH_KEY`. -The deploy job rsyncs the repository into `/opt/robot-u-site`, preserves production `.env` files, runs `./scripts/check_deploy_config.py`, rebuilds Docker Compose, and verifies `http://127.0.0.1:8800/health`. +The deploy job only runs for pushes to `main`. It rsyncs the repository into `/opt/robot-u-site`, preserves production `.env` files, runs `./scripts/check_deploy_config.py`, rebuilds Docker Compose, and verifies `http://127.0.0.1:8800/health`. ### Required Production Settings
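Review bot: In the first `.forgejo/workflows/ci.yml` hunk, the new `pull_request: branches: - main` filter means PRs that target any other branch no longer run `check` at all; that is fine if nothing else is ever merged from such PRs, but it is worth stating in the commit message, because a PR against a release or feature branch will now show no status. Also, since `check` still runs on `pull_request` and (per the AGENTS.md hunk) installs `CI_REPO_SSH_KEY`, please confirm how this Forgejo instance handles secrets for `pull_request` runs from forks or from users without write access; if the secret is exposed to PR-triggered runs, the branch filter does nothing to limit that.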
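Review bot: In the second `ci.yml` hunk, `github.ref == 'refs/heads/main'` is redundant with the `on: push: branches: - main` filter visible in the first hunk, but keeping both is the right call: the job-level `if` protects the deploy step even if someone later widens the trigger. What the condition does not do is distinguish a reviewed merge from a direct or force push to `main`; anyone with push rights to `main` still triggers `rsync` to `root@192.168.1.220`. The AGENTS.md hunk says branch protection "should" block direct pushes; please either confirm it is enabled on this repo or record it as a TODO, since the deploy gate is only as strong as that setting.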
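Review bot: In the AGENTS.md hunk, the required status check is named `CI / check (pull_request)`. Forgejo builds that context from the workflow's `name:`, the job id and the event, and the workflow `name:` is not in this diff (the hunk starts at `on:`). Please verify the string against an actual PR run before it goes into branch protection; a mismatch makes the required check unsatisfiable, or, if the rule is left unset because it cannot be matched, leaves merges ungated. Consider quoting the exact context string from a run, or writing the rule as "the `check` job of `.forgejo/workflows/ci.yml` on the `pull_request` event" so it survives a rename.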
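Review bot: In the README.md hunk, "The deploy job only runs for pushes to `main`" is accurate but omits the other half of the gate shown in the workflow: `needs: check`, so deploy also requires the Python and frontend checks to pass on that push. One clause, e.g. "only runs for pushes to `main`, after the `check` job succeeds", keeps README.md consistent with the AGENTS.md description in this same patch.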