fix(ci): fix deploy-staging registry and buildx driver issues
Some checks failed
CI / Lint, Typecheck & Test (push) Successful in 2m6s
Deploy — Staging / Lint, Typecheck & Test (push) Successful in 2m56s
Deploy — Staging / Build & push — admin (push) Failing after 3m7s
Deploy — Staging / Build & push — storefront (push) Failing after 2m30s
Deploy — Staging / Deploy to staging VPS (push) Has been skipped
- Remove top-level env.REGISTRY — Gitea does not expand secrets in workflow-level env blocks; reference secrets.STAGING_REGISTRY directly
- Add docker/setup-buildx-action with driver: docker to avoid the docker-container driver which requires --privileged on rootless Podman
- Update secret names comment to clarify STAGING_ prefix convention (Gitea has no environment-level secrets, so prefixes distinguish staging/prod)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -5,28 +5,26 @@ on:
|
|||||||
branches:
|
branches:
|
||||||
- staging
|
- staging
|
||||||
|
|
||||||
# STAGING_REGISTRY must include the owner segment, e.g. git.yourdomain.com:3000/myorg
|
# Gitea Actions has no environment-level secrets (unlike GitHub Actions).
|
||||||
# so images are correctly tagged as git.yourdomain.com:3000/myorg/storefront:staging
|
# Staging and production secrets live at repo level, distinguished by prefix.
|
||||||
# (see: troubleshooting #8 — missing /owner causes a 500 from Gitea registry)
|
# Production workflow uses the same names with PROD_ prefix.
|
||||||
|
# (see: troubleshooting #8 — REGISTRY must include the owner segment)
|
||||||
#
|
#
|
||||||
# Required secrets:
|
# Required secrets (repo → Settings → Secrets and Variables → Actions):
|
||||||
# STAGING_REGISTRY — host:port/owner (e.g. git.yourdomain.com:3000/myorg)
|
# STAGING_REGISTRY — host:port/owner (e.g. git.yourdomain.com:3000/myorg)
|
||||||
# STAGING_REGISTRY_USER — Gitea username
|
# STAGING_REGISTRY_USER — Gitea username
|
||||||
# STAGING_REGISTRY_TOKEN — Gitea personal access token (package:write scope)
|
# STAGING_REGISTRY_TOKEN — Gitea personal access token (package:write scope)
|
||||||
# STAGING_SSH_HOST — use host.containers.internal, not the external IP
|
# STAGING_SSH_HOST — use host.containers.internal, not the external IP
|
||||||
# (see: troubleshooting #13 — VPS firewall blocks ext IP)
|
# (see: troubleshooting #13 — VPS firewall blocks ext IP)
|
||||||
# STAGING_SSH_USER — SSH user on the VPS
|
# STAGING_SSH_USER — SSH user on the VPS
|
||||||
# STAGING_SSH_KEY — SSH private key (full PEM)
|
# STAGING_SSH_KEY — SSH private key (full PEM)
|
||||||
# STAGING_SSH_PORT — (optional) defaults to 22
|
# STAGING_SSH_PORT — (optional) defaults to 22
|
||||||
#
|
#
|
||||||
# The Dockerfiles are expected at:
|
# The Dockerfiles are expected at:
|
||||||
# apps/storefront/Dockerfile
|
# apps/storefront/Dockerfile
|
||||||
# apps/admin/Dockerfile
|
# apps/admin/Dockerfile
|
||||||
# Both receive ./out as build context (turbo prune output).
|
# Both receive ./out as build context (turbo prune output).
|
||||||
|
|
||||||
env:
|
|
||||||
REGISTRY: ${{ secrets.STAGING_REGISTRY }}
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
# ── 1. CI ───────────────────────────────────────────────────────────────────
|
# ── 1. CI ───────────────────────────────────────────────────────────────────
|
||||||
|
|
||||||
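Review bot: The new header comment ("Staging and production secrets live at repo level, distinguished by prefix") describes a naming convention, not an access boundary: a repo-level PROD_ secret is just as readable from this staging workflow as the STAGING_ ones, so the only thing keeping staging and production apart is the `branches: - staging` trigger kept in this hunk. Suggest stating that explicitly in the comment, e.g. "Prefixes are a naming convention only; branch protection on `staging`/`main` is what actually gates who can run a workflow that reads these secrets." Also, with `env: REGISTRY` removed here, every remaining `${{ env.REGISTRY }}` in the file must go with it; the two later hunks cover the auth and build steps, so confirm no other step (the deploy job, for instance) still references it.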
@@ -81,6 +79,14 @@ jobs:
|
|||||||
- name: Prune workspace for ${{ matrix.app }}
|
- name: Prune workspace for ${{ matrix.app }}
|
||||||
run: npx turbo prune ${{ matrix.app }} --docker
|
run: npx turbo prune ${{ matrix.app }} --docker
|
||||||
|
|
||||||
|
- name: Set up Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v3
|
||||||
|
with:
|
||||||
|
# docker-container driver spawns a privileged builder container which
|
||||||
|
# fails on rootless Podman. "docker" driver reuses the daemon directly.
|
||||||
|
# (see: troubleshooting #5)
|
||||||
|
driver: docker
|
||||||
|
|
||||||
- name: Authenticate with registry
|
- name: Authenticate with registry
|
||||||
# docker login sends HTTPS even for HTTP-only (insecure) registries, so it
|
# docker login sends HTTPS even for HTTP-only (insecure) registries, so it
|
||||||
# fails before the daemon can handle it. Pre-populating config.json bypasses
|
# fails before the daemon can handle it. Pre-populating config.json bypasses
|
||||||
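Review bot: `uses: docker/setup-buildx-action@v3` pins to a floating major tag, so the runner pulls whatever that tag points at on each run; for a job that holds registry and SSH credentials, pin to a full commit SHA with the tag in a trailing comment (`@<sha> # v3`) so the action cannot change under you. Separately, the trailing context shows the auth step works around an HTTP-only (insecure) registry; the comment should say so plainly, since `STAGING_REGISTRY_TOKEN` is then sent to the registry in cleartext over the runner-to-registry path and the token scope (`package:write`) should be kept that narrow.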
@@ -89,7 +95,7 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
mkdir -p ~/.docker
|
mkdir -p ~/.docker
|
||||||
AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)
|
AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)
|
||||||
REGISTRY_HOST=$(echo "${{ env.REGISTRY }}" | cut -d'/' -f1)
|
REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)
|
||||||
echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
|
echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
|
||||||
|
|
||||||
- name: Build & push ${{ matrix.app }}
|
- name: Build & push ${{ matrix.app }}
|
||||||
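Review bot: The `AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)` and `REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)` lines splice secret values straight into the shell script text before it runs, so a value containing a quote, `$` or backtick is interpreted by the shell rather than treated as data. The safer shape is a step-level `env:` block (`REGISTRY_USER: ${{ secrets.STAGING_REGISTRY_USER }}` etc.) with the script reading `"$REGISTRY_USER"`; the commit message only rules out the workflow-level `env:` block, so verify whether the runner expands secrets at step level before adopting this. The `cut -d'/' -f1` also silently degrades to the whole value when the `/owner` segment the comment requires is missing; a quick `case "$REGISTRY" in */*) ;; *) echo "STAGING_REGISTRY must include /owner" >&2; exit 1;; esac` would fail fast instead of hitting the 500 the header comment warns about.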
@@ -98,7 +104,7 @@ jobs:
|
|||||||
# which fails on rootless Podman without --privileged. (see: troubleshooting #5)
|
# which fails on rootless Podman without --privileged. (see: troubleshooting #5)
|
||||||
run: |
|
run: |
|
||||||
SHORT_SHA="${GITHUB_SHA::7}"
|
SHORT_SHA="${GITHUB_SHA::7}"
|
||||||
IMAGE="${{ env.REGISTRY }}/${{ matrix.app }}"
|
IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}"
|
||||||
|
|
||||||
docker build \
|
docker build \
|
||||||
-f apps/${{ matrix.app }}/Dockerfile \
|
-f apps/${{ matrix.app }}/Dockerfile \
|
||||||
|
|||||||
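Review bot: `IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}"` bakes a secret into the image reference, and since runners mask secret values in job output, every `docker build`/`push` log line carrying the image name will be redacted, which makes the build-and-push failures this commit is chasing harder to read. The registry host and owner are not sensitive; the header comment already points at "Secrets and Variables", so storing `STAGING_REGISTRY` as a repository Variable (`${{ vars.STAGING_REGISTRY }}`) and keeping only the user and token as secrets would fix both. Also, this step still runs plain `docker build`, so either document that the new buildx setup step is what makes that command use the `docker` driver, or drop the setup step if the build does not actually need it.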