Restrict deployment workflow to main
All checks were successful
CI / check (push) Successful in 17s
CI / deploy (push) Successful in 21s

This commit is contained in:
kacper 2026-04-15 06:39:26 -04:00
parent 56077a22b7
commit ce32eb067c
3 changed files with 7 additions and 3 deletions

@ -227,8 +227,10 @@ Current production env notes:
CI state:
- `.forgejo/workflows/ci.yml` runs on `docker`.
- The workflow checks PRs targeting `main` and pushes to `main`; deployment is explicitly gated to `push` events where `github.ref == refs/heads/main`.
- The `check` job manually installs `CI_REPO_SSH_KEY`, clones `git@aksal.cloud:Robot-U/robot-u-site.git`, installs `uv` and Bun, then runs Python and frontend checks.
- The `deploy` job runs after `check` on `push` events, installs `DEPLOY_SSH_KEY`, clones the repo, rsyncs it to `root@192.168.1.220:/opt/robot-u-site/`, rebuilds Docker Compose, and checks `/health`.
- The `deploy` job runs after `check` on pushes to `main`, installs `DEPLOY_SSH_KEY`, clones the repo, rsyncs it to `root@192.168.1.220:/opt/robot-u-site/`, rebuilds Docker Compose, and checks `/health`.
- Forgejo branch protection on `main` should block direct pushes and require the `CI / check (pull_request)` status check before PR merge.
- The repo has a read-only deploy key and matching Forgejo Actions secret for CI clone.
- The app LXC has a CI deploy public key in `root`'s `authorized_keys`, and the matching private key is stored in the Forgejo Actions secret `DEPLOY_SSH_KEY`.
- `scripts/bootstrap_lxc_deploy_key.py` recreates or rotates the LXC deploy key. It uses `FORGEJO_API_TOKEN`, appends the generated public key to the LXC user's `authorized_keys`, verifies SSH, and stores the generated private key in `DEPLOY_SSH_KEY`.
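Review bot: the hunk ends up with two near-identical `deploy` job bullets, one saying it runs "on `push` events" and the next saying "on pushes to `main`"; with the diff markers lost in this rendering it is not clear that the older, broader wording is actually removed, and if both survive the notes contradict the gating described a few lines earlier (`push` events where `github.ref == refs/heads/main`). Keep only the `main`-scoped bullet so the documented trigger matches the workflow. Also, the branch-protection bullet reads as aspirational ("should block direct pushes and require the `CI / check (pull_request)` status check"); since the ref-gated deploy depends on `main` only receiving reviewed merges, state whether that protection is configured now or is still a to-do, and note that the required check name must be the `pull_request` variant, because pushes produce the `CI / check (push)` status shown in the header rather than the PR one.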