- Dockerfile: multi-stage build, non-root user, src/static tracked with .gitkeep
- Nomad job: force_pull=true, Traefik router fixed to tink-demo.i80.dk, loadbalancer.server.port=8000, job renamed from moneycapp-tink-demo
- CI/CD: git-SHA image tags (deterministic deploys); removed .env.production baking — secrets are now injected at runtime via the Consul KV template stanza
- Session security: an asyncio lock prevents duplicate code exchange on the callback, a guard skips the exchange when a token is already stored, and api_log moved server-side (fixes the cookie-overflow bug)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
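# Build the container image, push it to the private registry and roll it out to Nomad.
# Images are tagged with the short git SHA so every deploy is reproducible; `latest`
# is pushed alongside as a convenience tag only and is never what Nomad deploys.
name: Build and Deploy

on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege for the workflow token: nothing in this job writes back to the repo.
# Honoured by GitHub Actions; act-based runners (e.g. Gitea) may ignore it, which is harmless.
permissions:
  contents: read

env:
  SERVICE_NAME: moneycapp-tink-demo
  IMAGE: registry.i80.dk/gitea/tink-demo

jobs:
  deploy:
    runs-on: debian-host

    env:
      PATH: /usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/bin:/snap/bin
      NOMAD_ADDR: "https://nomad.i80.dk:4646"

    steps:
      - name: Checkout
        # TODO(review): pin this action to a full commit SHA instead of the mutable
        # v4 tag to harden the software supply chain.
        uses: actions/checkout@v4
        with:
          # Do not leave the workflow token in .git/config on this self-hosted runner.
          # No later step pushes to the repo, and the whole checkout (including .git)
          # is handed to the docker build context below.
          persist-credentials: false

      - name: Log in to Docker Registry
        env:
          # Pass the secret through the environment rather than interpolating it into
          # the script text, so it never lands in the generated shell file.
          HARBOR_ROBOT_TOKEN: ${{ secrets.HARBOR_ROBOT_TOKEN }}
        run: |
          set -euo pipefail
          # Single quotes keep the literal '$' in the robot account name.
          printf '%s' "$HARBOR_ROBOT_TOKEN" | docker login registry.i80.dk -u 'robot$gitserver' --password-stdin

      - name: Build and push image
        run: |
          set -euo pipefail
          SHA="${GITHUB_SHA:0:8}"
          # --pull refreshes the base image instead of reusing a stale cached layer.
          docker build --pull -t "${IMAGE}:${SHA}" -t "${IMAGE}:latest" .
          docker push "${IMAGE}:${SHA}"
          docker push "${IMAGE}:latest"
          echo "IMAGE_TAG=${SHA}" >> "$GITHUB_ENV"

      - name: Render Nomad job spec
        # Substitute the SHA tag once and reuse the same file for validate and run,
        # so what is validated is byte-for-byte what gets deployed.
        run: |
          set -euo pipefail
          RENDERED="${RUNNER_TEMP:-/tmp}/${SERVICE_NAME}.rendered.nomad"
          sed "s|:latest|:${IMAGE_TAG}|g" "${SERVICE_NAME}.nomad" > "$RENDERED"
          # Fail loudly if the substitution matched nothing; otherwise the job would
          # silently deploy a floating tag instead of this commit's image.
          grep -q ":${IMAGE_TAG}" "$RENDERED"
          echo "RENDERED_JOB=${RENDERED}" >> "$GITHUB_ENV"

      - name: Validate Nomad job
        run: nomad job validate "$RENDERED_JOB"

      - name: Deploy to Nomad
        run: nomad job run "$RENDERED_JOB"

      - name: Health check
        # Best-effort: the allocation may still be registering with Traefik, so an
        # unreachable service is surfaced as a warning annotation, not a failed job.
        run: |
          for attempt in 1 2 3 4; do
            if curl -sf --max-time 10 https://tink-demo.i80.dk/ >/dev/null; then
              echo "Service reachable via Traefik (attempt ${attempt})"
              exit 0
            fi
            sleep 15
          done
          echo "::warning::tink-demo.i80.dk not yet reachable via Traefik after 4 attempts"

      - name: Log out of Docker Registry
        # Always remove the registry credential from the self-hosted runner's docker
        # config, even when an earlier step failed.
        if: always()
        run: docker logout registry.i80.dk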