Restrict deployment workflow to main
All checks were successful
CI / check (push) Successful in 17s
CI / deploy (push) Successful in 21s

This commit is contained in:
kacper 2026-04-15 06:39:26 -04:00
parent 56077a22b7
commit ce32eb067c
3 changed files with 7 additions and 3 deletions


@ -5,6 +5,8 @@ on:
branches: branches:
- main - main
pull_request: pull_request:
branches:
- main
jobs: jobs:
check: check:
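Review bot: with `pull_request` now limited to PRs targeting `main`, and `push` already limited to `main` in the context lines above, a feature branch that is pushed without an open PR gets no `check` run at all; if that is the intent, record it in the env notes so nobody expects per-branch CI. Also confirm that the `check` job's manual SSH clone checks out the PR head revision on `pull_request` events rather than the default branch, otherwise the `CI / check (pull_request)` status that branch protection is meant to require would be validating `main` instead of the change under review.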
@ -57,7 +59,7 @@ jobs:
runs-on: docker runs-on: docker
needs: needs:
- check - check
if: ${{ github.event_name == 'push' }} if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
steps: steps:
- name: Install deploy tooling - name: Install deploy tooling


@ -227,8 +227,10 @@ Current production env notes:
CI state: CI state:
- `.forgejo/workflows/ci.yml` runs on `docker`. - `.forgejo/workflows/ci.yml` runs on `docker`.
- The workflow checks PRs targeting `main` and pushes to `main`; deployment is explicitly gated to `push` events where `github.ref == refs/heads/main`.
- The `check` job manually installs `CI_REPO_SSH_KEY`, clones `git@aksal.cloud:Robot-U/robot-u-site.git`, installs `uv` and Bun, then runs Python and frontend checks. - The `check` job manually installs `CI_REPO_SSH_KEY`, clones `git@aksal.cloud:Robot-U/robot-u-site.git`, installs `uv` and Bun, then runs Python and frontend checks.
- The `deploy` job runs after `check` on `push` events, installs `DEPLOY_SSH_KEY`, clones the repo, rsyncs it to `root@192.168.1.220:/opt/robot-u-site/`, rebuilds Docker Compose, and checks `/health`. - The `deploy` job runs after `check` on pushes to `main`, installs `DEPLOY_SSH_KEY`, clones the repo, rsyncs it to `root@192.168.1.220:/opt/robot-u-site/`, rebuilds Docker Compose, and checks `/health`.
- Forgejo branch protection on `main` should block direct pushes and require the `CI / check (pull_request)` status check before PR merge.
- The repo has a read-only deploy key and matching Forgejo Actions secret for CI clone. - The repo has a read-only deploy key and matching Forgejo Actions secret for CI clone.
- The app LXC has a CI deploy public key in `root`'s `authorized_keys`, and the matching private key is stored in the Forgejo Actions secret `DEPLOY_SSH_KEY`. - The app LXC has a CI deploy public key in `root`'s `authorized_keys`, and the matching private key is stored in the Forgejo Actions secret `DEPLOY_SSH_KEY`.
- `scripts/bootstrap_lxc_deploy_key.py` recreates or rotates the LXC deploy key. It uses `FORGEJO_API_TOKEN`, appends the generated public key to the LXC user's `authorized_keys`, verifies SSH, and stores the generated private key in `DEPLOY_SSH_KEY`. - `scripts/bootstrap_lxc_deploy_key.py` recreates or rotates the LXC deploy key. It uses `FORGEJO_API_TOKEN`, appends the generated public key to the LXC user's `authorized_keys`, verifies SSH, and stores the generated private key in `DEPLOY_SSH_KEY`.
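Review bot: the new branch-protection bullet says protection "should" block direct pushes and require `CI / check (pull_request)`, which reads as a wish in a list that otherwise records current state; record whether it is actually enabled on `main` and who can bypass it, because the push-to-`main` deploy gate only holds if the sole way to push to `main` is a merged PR that has passed `check`. The required status-check name also has to match the context Forgejo reports exactly; this commit's header shows the push variant as `CI / check (push)`, so `CI / check (pull_request)` is the right spelling for the PR variant. Unchanged here but worth flagging while the notes are being edited: the deploy key sits in `root`'s `authorized_keys` and the rsync runs as `root`; a dedicated deploy user plus `from=`/`command=` restrictions on that `authorized_keys` entry would limit what a leaked `DEPLOY_SSH_KEY` can do.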


@ -142,7 +142,7 @@ LXC_DEPLOY_SECRET_NAME=DEPLOY_SSH_KEY
The script generates a temporary Ed25519 keypair, appends the public key to the LXC user's `authorized_keys`, verifies SSH login with the generated key, and stores the private key in the repo Actions secret `DEPLOY_SSH_KEY`. The script generates a temporary Ed25519 keypair, appends the public key to the LXC user's `authorized_keys`, verifies SSH login with the generated key, and stores the private key in the repo Actions secret `DEPLOY_SSH_KEY`.
The deploy job rsyncs the repository into `/opt/robot-u-site`, preserves production `.env` files, runs `./scripts/check_deploy_config.py`, rebuilds Docker Compose, and verifies `http://127.0.0.1:8800/health`. The deploy job only runs for pushes to `main`. It rsyncs the repository into `/opt/robot-u-site`, preserves production `.env` files, runs `./scripts/check_deploy_config.py`, rebuilds Docker Compose, and verifies `http://127.0.0.1:8800/health`.
### Required Production Settings ### Required Production Settings
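Review bot: the new sentence states the branch restriction but not the other half of the gate; per `needs: check` in the workflow, `deploy` also requires the `check` job to have succeeded on that same push, so suggest "The deploy job only runs for pushes to `main`, after the `check` job has passed." It is also worth spelling out that, with branch protection blocking direct pushes, a push to `main` means a merged PR, so the `.env`-preserving rsync and Compose rebuild happen on every merge.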