VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ci: connect verify step to caddy via container name + tag trigger

Browse source 
Runner now runs in a quadlet container on caddy-net, so 127.0.0.1
is the runner's own loopback. Reach the Caddy container by name
('caddy') with --connect-to keeping SNI/Host as the public hostname
so the right vhost matches.

Also adds the tag trigger: push of zddc-server-v[0-9]+.[0-9]+.[0-9]+
auto-cuts a stable release. The lockstep set pushes six tags at once;
filtering on zddc-server-v* gives exactly one workflow run per cut.
Re-cutting at the tagged commit is safe — _promote_stable in
shared/build-lib.sh is idempotent re: tag creation.
This commit is contained in:
ZDDC 2026-05-02 11:35:20 -05:00
parent 49fab7b5ba
commit c099676024
1 changed files with 39 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
.forgejo/workflows/deploy-release.yml
View file

@ -5,12 +5,16 @@ name: Build + deploy releases
# this host directly (label: host) — same shell environment the operator # this host directly (label: host) — same shell environment the operator
# uses for manual cuts, so behavior is identical between the two paths. # uses for manual cuts, so behavior is identical between the two paths.
# #
# Triggers (current): # Triggers:
# - workflow_dispatch — pick channel + optional version from the UI. # - workflow_dispatch — pick channel + optional version from the UI.
# Triggers (planned, once dispatch path is proven): # - push to a tag matching zddc-server-v[0-9]+.[0-9]+.[0-9]+ —
# - tag push matching zddc-server-v[0-9]+.[0-9]+.[0-9]+ (the canonical # the canonical "stable cut" tag in our six-tag lockstep set
# stable cut tag in our six-tag lockstep set) → re-cuts from the # (one per tool: archive-vX.Y.Z, transmittal-vX.Y.Z, ..., zddc-server-vX.Y.Z).
# tagged source for reproducibility. # Filtering on zddc-server-v* ensures exactly one workflow run per cut
# even though six tags push together. Runner re-cuts from the tagged
# commit for reproducibility — _promote_stable in shared/build-lib.sh
# is idempotent re: tag creation, so rerunning at the same HEAD is a
# no-op for the tags.
on: on:
workflow_dispatch: workflow_dispatch:
@ -28,6 +32,9 @@ on:
description: 'Stable version (e.g. 0.1.0). Leave blank for coordinated next-stable. Ignored for alpha/beta.' description: 'Stable version (e.g. 0.1.0). Leave blank for coordinated next-stable. Ignored for alpha/beta.'
required: false required: false
default: '' default: ''
push:
tags:
- 'zddc-server-v[0-9]+.[0-9]+.[0-9]+'
jobs: jobs:
build-and-deploy: build-and-deploy:
@ -40,13 +47,29 @@ jobs:
# tools; full history + tags are required. # tools; full history + tags are required.
fetch-depth: 0 fetch-depth: 0
- name: Resolve channel + version
id: meta
run: |
set -eu
if [ "$GITHUB_EVENT_NAME" = "push" ]; then
# Tag push: refs/tags/zddc-server-vX.Y.Z → channel=release, version=X.Y.Z
VERSION="${GITHUB_REF#refs/tags/zddc-server-v}"
echo "channel=release" >> "$GITHUB_OUTPUT"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
else
echo "channel=${{ inputs.channel }}" >> "$GITHUB_OUTPUT"
echo "version=${{ inputs.version }}" >> "$GITHUB_OUTPUT"
fi
- name: Build - name: Build
run: | run: |
set -eu set -eu
if [ "${{ inputs.channel }}" = "release" ] && [ -n "${{ inputs.version }}" ]; then CH="${{ steps.meta.outputs.channel }}"
./build release "${{ inputs.version }}" VER="${{ steps.meta.outputs.version }}"
if [ "$CH" = "release" ] && [ -n "$VER" ]; then
./build release "$VER"
else else
./build "${{ inputs.channel }}" ./build "$CH"
fi fi
- name: Deploy releases - name: Deploy releases
@ -55,6 +78,12 @@ jobs:
- name: Verify channel mirror resolves - name: Verify channel mirror resolves
run: | run: |
set -eu set -eu
curl -ksI --resolve zddc.varasys.io:8443:127.0.0.1 \ CH="${{ steps.meta.outputs.channel }}"
"https://zddc.varasys.io:8443/releases/archive_${{ inputs.channel == 'release' && 'stable' || inputs.channel }}.html" \ MIRROR=$([ "$CH" = "release" ] && echo stable || echo "$CH")
# Runner is in a container on caddy-net; reach Caddy by container
# name (`caddy`). --connect-to keeps the SNI / Host as the real
# public hostname so the right vhost matches; -k skips cert
# verify (Caddy uses a self-signed `tls internal` cert).
curl -ksI --connect-to "zddc.varasys.io:8443:caddy:8443" \
"https://zddc.varasys.io:8443/releases/archive_${MIRROR}.html" \
| head -3 | head -3