220 lines
8.4 KiB
YAML
220 lines
8.4 KiB
YAML
name: deploy-cloudflare
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
workflow_dispatch: {}
|
|
|
|
concurrency:
|
|
group: cloudflare-deploy-${{ forgejo.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: codeberg-medium
|
|
steps:
|
|
- name: Fetch Source (no git required)
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
if [[ -z "${GITHUB_TOKEN:-}" ]]; then
|
|
echo "error: missing github.token"
|
|
exit 2
|
|
fi
|
|
if ! command -v curl >/dev/null 2>&1; then
|
|
echo "error: curl is required"
|
|
exit 2
|
|
fi
|
|
if ! command -v tar >/dev/null 2>&1; then
|
|
echo "error: tar is required"
|
|
exit 2
|
|
fi
|
|
if [[ -z "${GITHUB_SHA:-}" ]]; then
|
|
echo "error: missing GITHUB_SHA"
|
|
exit 2
|
|
fi
|
|
|
|
rm -rf .repo
|
|
mkdir -p .repo
|
|
|
|
# Use the authenticated API archive endpoint (works for private repos).
|
|
curl -fsSL -H "Authorization: token ${GITHUB_TOKEN}" \
|
|
"https://codeberg.org/api/v1/repos/every-channel/every.channel/archive/${GITHUB_SHA}.tar.gz?rev=${GITHUB_SHA}" \
|
|
-o .repo/src.tgz
|
|
tar -xzf .repo/src.tgz -C .repo --strip-components=1
|
|
rm -f .repo/src.tgz
|
|
|
|
- name: Bootstrap runner deps
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
cd .repo
|
|
install -d -m 755 "$HOME/.local/bin"
|
|
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
|
|
export PATH="$HOME/.local/bin:$PATH"
|
|
|
|
if ! command -v curl >/dev/null 2>&1; then
|
|
echo "error: curl is required"
|
|
exit 2
|
|
fi
|
|
|
|
if ! command -v age >/dev/null 2>&1; then
|
|
age_version="1.2.1"
|
|
arch="$(uname -m)"
|
|
case "${arch}" in
|
|
x86_64|amd64) age_arch="amd64" ;;
|
|
aarch64|arm64) age_arch="arm64" ;;
|
|
*)
|
|
echo "error: unsupported runner arch for age prebuilt binary: ${arch}"
|
|
exit 2
|
|
;;
|
|
esac
|
|
curl -fsSL "https://github.com/FiloSottile/age/releases/download/v${age_version}/age-v${age_version}-linux-${age_arch}.tar.gz" \
|
|
| tar -xz -C "$HOME/.local/bin" --strip-components=1 age/age age/age-keygen
|
|
fi
|
|
|
|
required_node_major=20
|
|
node_major=0
|
|
if command -v node >/dev/null 2>&1; then
|
|
node_major="$(node -p 'parseInt(process.versions.node.split(\".\")[0], 10)' || echo 0)"
|
|
fi
|
|
if [[ "${node_major}" -lt "${required_node_major}" ]]; then
|
|
node_version="22.16.0"
|
|
arch="$(uname -m)"
|
|
case "${arch}" in
|
|
x86_64|amd64) node_arch="x64" ;;
|
|
aarch64|arm64) node_arch="arm64" ;;
|
|
*)
|
|
echo "error: unsupported runner arch for node prebuilt binary: ${arch}"
|
|
exit 2
|
|
;;
|
|
esac
|
|
node_dist="node-v${node_version}-linux-${node_arch}"
|
|
curl -fsSL "https://nodejs.org/dist/v${node_version}/${node_dist}.tar.gz" | tar -xz -C "$HOME/.local"
|
|
ln -sf "$HOME/.local/${node_dist}/bin/node" "$HOME/.local/bin/node"
|
|
ln -sf "$HOME/.local/${node_dist}/bin/npm" "$HOME/.local/bin/npm"
|
|
ln -sf "$HOME/.local/${node_dist}/bin/npx" "$HOME/.local/bin/npx"
|
|
ln -sf "$HOME/.local/${node_dist}/bin/corepack" "$HOME/.local/bin/corepack" || true
|
|
fi
|
|
node --version
|
|
npm --version
|
|
|
|
- name: CI Breadcrumb (bootstrap ok)
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
cd .repo
|
|
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
|
|
-H "content-type: application/json" \
|
|
"https://codeberg.org/api/v1/repos/every-channel/every.channel/statuses/${GITHUB_SHA}" \
|
|
-d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"bootstrap ok"}' >/dev/null
|
|
|
|
- name: Configure CI Age identity
|
|
env:
|
|
AGE_FORGE_SSH_KEY: ${{ secrets.AGE_FORGE_SSH_KEY }}
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
cd .repo
|
|
if [[ -z "${AGE_FORGE_SSH_KEY:-}" ]]; then
|
|
echo "error: missing Actions secret AGE_FORGE_SSH_KEY"
|
|
exit 2
|
|
fi
|
|
install -d -m 700 "$HOME/.ssh"
|
|
if [[ "${AGE_FORGE_SSH_KEY}" == "-----BEGIN OPENSSH PRIVATE KEY-----"* ]]; then
|
|
printf '%s\n' "${AGE_FORGE_SSH_KEY}" > "$HOME/.ssh/age_forge_ed25519"
|
|
else
|
|
printf '%s' "${AGE_FORGE_SSH_KEY}" | base64 -d > "$HOME/.ssh/age_forge_ed25519"
|
|
fi
|
|
chmod 600 "$HOME/.ssh/age_forge_ed25519"
|
|
|
|
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
|
|
-H "content-type: application/json" \
|
|
"https://codeberg.org/api/v1/repos/every-channel/every.channel/statuses/${GITHUB_SHA}" \
|
|
-d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"age key ok"}' >/dev/null
|
|
|
|
- name: Decrypt CI secrets from repo
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
cd .repo
|
|
key_file="$HOME/.ssh/age_forge_ed25519"
|
|
secret_file="secrets/cloudflare-api-token.age"
|
|
if [[ ! -f "$secret_file" ]]; then
|
|
echo "error: missing ${secret_file}"
|
|
exit 2
|
|
fi
|
|
CLOUDFLARE_API_TOKEN="$(age -d -i "$key_file" "$secret_file")"
|
|
if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
|
|
echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
|
|
exit 2
|
|
fi
|
|
echo "::add-mask::${CLOUDFLARE_API_TOKEN}"
|
|
echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> "$GITHUB_ENV"
|
|
|
|
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
|
|
-H "content-type: application/json" \
|
|
"https://codeberg.org/api/v1/repos/every-channel/every.channel/statuses/${GITHUB_SHA}" \
|
|
-d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"decrypt ok"}' >/dev/null
|
|
|
|
- name: Build site (Dioxus web)
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
cd .repo
|
|
install -d -m 755 "$HOME/.local/bin"
|
|
export PATH="$HOME/.local/bin:$PATH"
|
|
if ! command -v cargo >/dev/null 2>&1; then
|
|
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
|
|
. "$HOME/.cargo/env"
|
|
elif [[ -f "$HOME/.cargo/env" ]]; then
|
|
. "$HOME/.cargo/env"
|
|
fi
|
|
rustup target add wasm32-unknown-unknown
|
|
if ! command -v trunk >/dev/null 2>&1; then
|
|
trunk_version="0.21.14"
|
|
arch="$(uname -m)"
|
|
case "${arch}" in
|
|
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
|
|
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
|
|
*)
|
|
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
|
|
exit 2
|
|
;;
|
|
esac
|
|
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
|
|
| tar -xz -C "$HOME/.local/bin" trunk
|
|
fi
|
|
|
|
cd apps/tauri/ui
|
|
trunk build --release --public-url /
|
|
|
|
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
|
|
-H "content-type: application/json" \
|
|
"https://codeberg.org/api/v1/repos/every-channel/every.channel/statuses/${GITHUB_SHA}" \
|
|
-d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"build ok"}' >/dev/null
|
|
|
|
- name: Deploy worker
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
cd .repo
|
|
cd deploy/cloudflare-worker
|
|
npm ci
|
|
npx wrangler deploy
|
|
|
|
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
|
|
-H "content-type: application/json" \
|
|
"https://codeberg.org/api/v1/repos/every-channel/every.channel/statuses/${GITHUB_SHA}" \
|
|
-d '{"context":"deploy-cloudflare/breadcrumb","state":"success","description":"deploy ok"}' >/dev/null
|