Compare commits

...

4 Commits

Author SHA1 Message Date
Admin
c9478a67fb fix(ci): use full gitea.com URL for gitea-release-action
All checks were successful
CI / UI (push) Successful in 41s
CI / Backend (push) Successful in 50s
Release / Test backend (push) Successful in 56s
Release / Check ui (push) Successful in 34s
CI / Backend (pull_request) Successful in 46s
CI / UI (pull_request) Successful in 34s
Release / Docker / runner (push) Successful in 3m15s
Release / Docker / backend (push) Successful in 3m29s
Release / Docker / ui (push) Successful in 2m30s
Release / Docker / caddy (push) Successful in 1m17s
Release / Gitea Release (push) Successful in 17s
Bare `actions/` references resolve to github.com by default in act_runner.
gitea-release-action lives on gitea.com so must use the full https:// URL.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-29 22:38:36 +05:00
Admin
1b4835daeb fix(homelab): switch Fider SMTP to port 587 + STARTTLS
All checks were successful
CI / Backend (pull_request) Successful in 50s
CI / UI (pull_request) Successful in 1m10s
Port 465 (SMTPS) is blocked on the homelab server. Port 587 with STARTTLS
works. Updated FIDER_SMTP_PORT=587 and FIDER_SMTP_ENABLE_STARTTLS=true in
Doppler prd_homelab, and made EMAIL_SMTP_ENABLE_STARTTLS dynamic so it reads
from Doppler instead of being hardcoded.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-29 22:16:01 +05:00
Admin
c9c12fc4a8 fix(infra): correct doppler entrypoint for watchtower container
All checks were successful
CI / UI (pull_request) Successful in 39s
CI / Backend (pull_request) Successful in 45s
- Fix binary path: /usr/bin/doppler (not /usr/local/bin)
- Mount /root/.doppler config so the container can auth without DOPPLER_TOKEN env
- Set HOME=/root so doppler locates the mounted config directory
- Add explicit --project/--config flags to override directory-scope lookup
- Production: --project libnovel --config prd
- Homelab: --project libnovel --config prd_homelab

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-29 22:05:33 +05:00
Admin
dd35024d02 chore(infra): run watchtower via doppler for fresh secrets on restart
All checks were successful
CI / UI (pull_request) Successful in 39s
CI / Backend (pull_request) Successful in 47s
Mount the host doppler binary into the watchtower container and use it as
the entrypoint so WATCHTOWER_NOTIFICATION_URL and other secrets are fetched
from Doppler each time the container starts, rather than being baked in at
compose-up time.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-29 21:52:32 +05:00
3 changed files with 16 additions and 8 deletions

View File

@@ -279,7 +279,7 @@ jobs:
fetch-depth: 0
- name: Create release
uses: actions/gitea-release-action@v1
uses: https://gitea.com/actions/gitea-release-action@v1
with:
token: ${{ secrets.GITEA_TOKEN }}
generate_release_notes: true
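Review bot: the `uses: https://gitea.com/actions/gitea-release-action@v1` line pins the action only to the mutable `v1` tag, and the same step passes it `secrets.GITEA_TOKEN`. Anyone able to move that tag upstream changes the code that runs with the release token. Pin the reference to a full commit SHA (`...gitea-release-action@<commit-sha>`, with the tag noted in a trailing comment) and bump it deliberately.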

View File

@@ -401,15 +401,19 @@ services:
# ─── Watchtower (auto-redeploy custom services on new images) ────────────────
# Only watches services labelled com.centurylinklabs.watchtower.enable=true.
# Third-party infra images (minio, pocketbase, meilisearch, etc.) are excluded.
# doppler binary is mounted from the host so watchtower fetches fresh secrets
# on every start (notification URL, credentials) without baking them in.
watchtower:
image: containrrr/watchtower:latest
restart: unless-stopped
entrypoint: ["/usr/bin/doppler", "run", "--project", "libnovel", "--config", "prd", "--"]
command: ["/watchtower", "--label-enable", "--interval", "300", "--cleanup"]
volumes:
- /var/run/docker.sock:/var/run/docker.sock
command: --label-enable --interval 300 --cleanup
- /usr/bin/doppler:/usr/bin/doppler:ro
- /root/.doppler:/root/.doppler:ro
environment:
WATCHTOWER_NOTIFICATIONS: "${WATCHTOWER_NOTIFICATIONS}"
WATCHTOWER_NOTIFICATION_URL: "${WATCHTOWER_NOTIFICATION_URL}"
HOME: "/root"
DOCKER_API_VERSION: "1.44"
volumes:
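Review bot: the `/root/.doppler:/root/.doppler:ro` mount hands this container the host root user's Doppler CLI login rather than a credential limited to what watchtower needs, and it sits beside `/var/run/docker.sock` in a container built from `containrrr/watchtower:latest`. `:ro` stops modification, not reading, so any code running in the container can read whatever credential that directory holds and use it with the full access of that login. In addition, `doppler run --project libnovel --config prd` injects the secrets of the `prd` config into watchtower's environment, while the comment names only the notification URL and credentials. Consider a read-only service token scoped to a dedicated config that holds just the watchtower values.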

View File

@@ -221,7 +221,7 @@ services:
EMAIL_SMTP_PORT: "${FIDER_SMTP_PORT}"
EMAIL_SMTP_USERNAME: "${FIDER_SMTP_USER}"
EMAIL_SMTP_PASSWORD: "${FIDER_SMTP_PASSWORD}"
EMAIL_SMTP_ENABLE_STARTTLS: "false"
EMAIL_SMTP_ENABLE_STARTTLS: "${FIDER_SMTP_ENABLE_STARTTLS}"
OAUTH_GOOGLE_CLIENTID: "${OAUTH_GOOGLE_CLIENTID}"
OAUTH_GOOGLE_SECRET: "${OAUTH_GOOGLE_SECRET}"
OAUTH_GITHUB_CLIENTID: "${OAUTH_GITHUB_CLIENTID}"
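Review bot: `EMAIL_SMTP_ENABLE_STARTTLS: "${FIDER_SMTP_ENABLE_STARTTLS}"` has no default, so if the variable is missing at compose time it interpolates to an empty string, and whether `EMAIL_SMTP_PASSWORD` from the same block is then sent over TLS depends on how the application treats an empty value. Make the safe state explicit with `"${FIDER_SMTP_ENABLE_STARTTLS:-true}"`, or fail fast with `"${FIDER_SMTP_ENABLE_STARTTLS:?must be set}"`, so a missing secret cannot silently turn STARTTLS off.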
@@ -443,15 +443,19 @@ services:
# ── Watchtower ──────────────────────────────────────────────────────────────
# Auto-updates runner image when CI pushes a new tag.
# Only watches services with the watchtower label.
# doppler binary is mounted from the host so watchtower fetches fresh secrets
# on every start (notification URL, credentials) without baking them in.
watchtower:
image: containrrr/watchtower:latest
restart: unless-stopped
entrypoint: ["/usr/bin/doppler", "run", "--project", "libnovel", "--config", "prd_homelab", "--"]
command: ["/watchtower", "--label-enable", "--interval", "300", "--cleanup"]
volumes:
- /var/run/docker.sock:/var/run/docker.sock
command: --label-enable --interval 300 --cleanup
- /usr/bin/doppler:/usr/bin/doppler:ro
- /root/.doppler:/root/.doppler:ro
environment:
WATCHTOWER_NOTIFICATIONS: "${WATCHTOWER_NOTIFICATIONS}"
WATCHTOWER_NOTIFICATION_URL: "${WATCHTOWER_NOTIFICATION_URL}"
HOME: "/root"
DOCKER_API_VERSION: "1.44"
volumes:
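Review bot: the `entrypoint: ["/usr/bin/doppler", "run", ...]` line only works if the host has a Doppler binary at exactly `/usr/bin/doppler`, and nothing in the file checks or documents that prerequisite. With short-syntax bind mounts Docker creates a missing source path as an empty directory, so on a host without the CLI the container fails at exec and `restart: unless-stopped` keeps retrying. Document the host requirement next to the service, or write the two new mounts in long syntax with `bind:` / `create_host_path: false` so a missing file is reported as an error at `up` time. The binary's version is also whatever is installed on the host, outside the image's update path.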