ci: add pocketbase image build + automated prod deploy step

release.yaml: - Build and push kalekber/libnovel-pocketbase image on every release tag - Add deploy job (runs after docker): copies docker-compose.yml from the tagged commit to /opt/libnovel on prod, pulls new images, restarts changed services with --remove-orphans (cleans up removed pb-init) ci.yaml: - Validate cmd/pocketbase builds on every branch push Required new Gitea secrets: PROD_HOST, PROD_USER, PROD_SSH_KEY, PROD_SSH_KNOWN_HOSTS (see deploy job comments for instructions). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 11:06:27 +05:00
parent 38cf1c82a1
commit 812028e50d
2 changed files with 66 additions and 0 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -41,6 +41,9 @@ jobs:
      - name: Build healthcheck
        run: go build -o /dev/null ./cmd/healthcheck

+      - name: Build pocketbase
+        run: go build -o /dev/null ./cmd/pocketbase
+
      - name: Run tests
        run: go test -short -race -count=1 -timeout=60s ./...

--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -276,6 +276,69 @@ jobs:
          cache-from: type=registry,ref=${{ secrets.DOCKER_USER }}/libnovel-caddy:latest
          cache-to: type=inline

+      # ── pocketbase ───────────────────────────────────────────────────────────
+      - name: Docker meta / pocketbase
+        id: meta-pocketbase
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKER_USER }}/libnovel-pocketbase
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest
+
+      - name: Build and push / pocketbase
+        uses: docker/build-push-action@v6
+        with:
+          context: backend
+          target: pocketbase
+          push: true
+          tags: ${{ steps.meta-pocketbase.outputs.tags }}
+          labels: ${{ steps.meta-pocketbase.outputs.labels }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_USER }}/libnovel-pocketbase:latest
+          cache-to: type=inline
+
+  # ── deploy: sync docker-compose.yml + restart prod ───────────────────────────
+  # Runs after all images are pushed to Docker Hub.
+  # Copies the compose file from the tagged commit to the server, pulls the new
+  # images, and restarts only the services whose image or config changed.
+  # --remove-orphans cleans up containers no longer defined in the compose file
+  # (e.g. the now-removed pb-init container).
+  #
+  # Required Gitea secrets:
+  #   PROD_HOST             — prod server IP or hostname
+  #   PROD_USER             — SSH login user (typically root)
+  #   PROD_SSH_KEY          — private key whose public half is in authorized_keys
+  #   PROD_SSH_KNOWN_HOSTS  — output of: ssh-keyscan -H <PROD_HOST>
+  deploy:
+    name: Deploy to prod
+    runs-on: ubuntu-latest
+    needs: [docker]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install SSH key
+        run: |
+          mkdir -p ~/.ssh
+          printf '%s\n' "${{ secrets.PROD_SSH_KEY }}" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+          printf '%s\n' "${{ secrets.PROD_SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
+
+      - name: Copy docker-compose.yml to prod
+        run: |
+          scp -i ~/.ssh/deploy_key \
+            docker-compose.yml \
+            "${{ secrets.PROD_USER }}@${{ secrets.PROD_HOST }}:/opt/libnovel/docker-compose.yml"
+
+      - name: Pull new images and restart changed services
+        run: |
+          ssh -i ~/.ssh/deploy_key \
+            "${{ secrets.PROD_USER }}@${{ secrets.PROD_HOST }}" \
+            'set -euo pipefail
+             cd /opt/libnovel
+             doppler run -- docker compose pull
+             doppler run -- docker compose up -d --remove-orphans'
+
  # ── Gitea release ─────────────────────────────────────────────────────────────
  release:
    name: Gitea Release