From c099676024343a4844dfff133904613cea0b2934 Mon Sep 17 00:00:00 2001 From: ZDDC Date: Sat, 2 May 2026 11:35:20 -0500 Subject: [PATCH] ci: connect verify step to caddy via container name + tag trigger MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Runner now runs in a quadlet container on caddy-net, so 127.0.0.1 is the runner's own loopback. Reach the Caddy container by name ('caddy') with --connect-to keeping SNI/Host as the public hostname so the right vhost matches. Also adds the tag trigger: push of zddc-server-v[0-9]+.[0-9]+.[0-9]+ auto-cuts a stable release. The lockstep set pushes six tags at once; filtering on zddc-server-v* gives exactly one workflow run per cut. Re-cutting at the tagged commit is safe — _promote_stable in shared/build-lib.sh is idempotent re: tag creation.
---
 .forgejo/workflows/deploy-release.yml | 49 +++++++++++++++++++++------ 1 file changed, 39 insertions(+), 10 deletions(-)
diff --git a/.forgejo/workflows/deploy-release.yml b/.forgejo/workflows/deploy-release.yml
index 3439c49..b88155f 100644
--- a/.forgejo/workflows/deploy-release.yml
+++ b/.forgejo/workflows/deploy-release.yml
@@ -5,12 +5,16 @@ name: Build + deploy releases
 # this host directly (label: host) — same shell environment the operator
 # uses for manual cuts, so behavior is identical between the two paths.
 #
-# Triggers (current):
+# Triggers:
 # - workflow_dispatch — pick channel + optional version from the UI.
-# Triggers (planned, once dispatch path is proven):
-# - tag push matching zddc-server-v[0-9]+.[0-9]+.[0-9]+ (the canonical
-# stable cut tag in our six-tag lockstep set) → re-cuts from the
-# tagged source for reproducibility.
+# - push to a tag matching zddc-server-v[0-9]+.[0-9]+.[0-9]+ —
+# the canonical "stable cut" tag in our six-tag lockstep set
+# (one per tool: archive-vX.Y.Z, transmittal-vX.Y.Z, ..., zddc-server-vX.Y.Z).
+# Filtering on zddc-server-v* ensures exactly one workflow run per cut
+# even though six tags push together. Runner re-cuts from the tagged
+# commit for reproducibility — _promote_stable in shared/build-lib.sh
+# is idempotent re: tag creation, so rerunning at the same HEAD is a
+# no-op for the tags.
 on:
 workflow_dispatch:
@@ -28,6 +32,9 @@ on:
 description: 'Stable version (e.g. 0.1.0). Leave blank for coordinated next-stable. Ignored for alpha/beta.'
 required: false
 default: ''
+ push:
+ tags:
+ - 'zddc-server-v[0-9]+.[0-9]+.[0-9]+'
 jobs:
 build-and-deploy:
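Review bot: The new `push: tags:` trigger makes a tag push equivalent to an operator-initiated stable cut, and nothing in the workflow restricts who may create a matching tag. Whether `zddc-server-v*` is already a protected tag pattern in the repository settings is not visible from this patch, so it is worth confirming; without it, anyone with push rights can start a build and deploy on the runner. I would record that dependency next to the filter, e.g. `# Deploys stable on push: zddc-server-v* must stay a protected tag pattern.`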
@@ -40,13 +47,29 @@ jobs:
 # tools; full history + tags are required.
 fetch-depth: 0
+ - name: Resolve channel + version
+ id: meta
+ run: |
+ set -eu
+ if [ "$GITHUB_EVENT_NAME" = "push" ]; then
+ # Tag push: refs/tags/zddc-server-vX.Y.Z → channel=release, version=X.Y.Z
+ VERSION="${GITHUB_REF#refs/tags/zddc-server-v}"
+ echo "channel=release" >> "$GITHUB_OUTPUT"
+ echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+ else
+ echo "channel=${{ inputs.channel }}" >> "$GITHUB_OUTPUT"
+ echo "version=${{ inputs.version }}" >> "$GITHUB_OUTPUT"
+ fi
+
 - name: Build
 run: |
 set -eu
- if [ "${{ inputs.channel }}" = "release" ] && [ -n "${{ inputs.version }}" ]; then
- ./build release "${{ inputs.version }}"
+ CH="${{ steps.meta.outputs.channel }}"
+ VER="${{ steps.meta.outputs.version }}"
+ if [ "$CH" = "release" ] && [ -n "$VER" ]; then
+ ./build release "$VER"
 else
- ./build "${{ inputs.channel }}"
+ ./build "$CH"
 fi
 - name: Deploy releases
@@ -55,6 +78,12 @@ jobs:
 - name: Verify channel mirror resolves
 run: |
 set -eu
- curl -ksI --resolve zddc.varasys.io:8443:127.0.0.1 \
- "https://zddc.varasys.io:8443/releases/archive_${{ inputs.channel == 'release' && 'stable' || inputs.channel }}.html" \
+ CH="${{ steps.meta.outputs.channel }}"
+ MIRROR=$([ "$CH" = "release" ] && echo stable || echo "$CH")
+ # Runner is in a container on caddy-net; reach Caddy by container
+ # name (`caddy`). --connect-to keeps the SNI / Host as the real
+ # public hostname so the right vhost matches; -k skips cert
+ # verify (Caddy uses a self-signed `tls internal` cert).
+ curl -ksI --connect-to "zddc.varasys.io:8443:caddy:8443" \
+ "https://zddc.varasys.io:8443/releases/archive_${MIRROR}.html" \
 | head -3
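Review bot: The `else` branch of the new "Resolve channel + version" step pastes `${{ inputs.channel }}` and `${{ inputs.version }}` into the script text before the shell runs, so a dispatch value is interpreted as shell rather than treated as data, and a value containing a newline can append extra keys to `$GITHUB_OUTPUT`. Passing the inputs through `env:` keeps them as plain variables, and the free-text version should be checked for the expected digits-and-dots shape before it is written out. The Build and Verify steps interpolate `steps.meta.outputs.*` into their scripts the same way and would benefit from the same `env:` treatment. The Deploy step that closes this hunk continues outside it.

```yaml
      - name: Resolve channel + version
        id: meta
        env:
          INPUT_CHANNEL: ${{ inputs.channel }}
          INPUT_VERSION: ${{ inputs.version }}
        run: |
          # … unchanged: set -eu and the tag-push branch …
          else
            # Blank is allowed (coordinated next-stable); anything else must be digits and dots.
            case "$INPUT_VERSION" in
              *[!0-9.]*) echo "unexpected version: $INPUT_VERSION" >&2; exit 1 ;;
            esac
            echo "channel=$INPUT_CHANNEL" >> "$GITHUB_OUTPUT"
            echo "version=$INPUT_VERSION" >> "$GITHUB_OUTPUT"
          fi
```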
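Review bot: The verify step cannot fail as written: `curl -ksI … | head -3` runs under `set -eu` without pipefail, so the step's status is that of `head`, and curl has no `-f`, so a 404 or a refused connection still passes. Dropping the pipe and adding `-f`, as in `curl -ksSfI --connect-to "zddc.varasys.io:8443:caddy:8443" "https://zddc.varasys.io:8443/releases/archive_${MIRROR}.html"`, makes a missing mirror fail the job. The `-k` also means the peer answering as `caddy` on caddy-net is not authenticated; if Caddy's internal root certificate can be mounted into the runner container, `--cacert <path-to-caddy-root.crt>` would restore verification without changing the SNI handling.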