rob thijssen
a7750def17
The build job failed with `corepack: command not found`: Fedora's nodejs package (gongfoo runner-rust image) ships node + npm but not corepack. The job runs as root, so install pnpm globally via npm instead. Longer term, bake pnpm into the runner image to drop this step. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01X7zF7Kf4JqDwa6M8Qgge9M
99 lines
3.7 KiB
YAML
99 lines
3.7 KiB
YAML
name: refresh
|
|
|
|
# Daily re-bake of the prerendered site. The crawler-visible HTML is a static
|
|
# snapshot taken at build time; this job rebuilds it from the current gist (CV)
|
|
# and activity API and redeploys *only* the web tier — so edits propagate to
|
|
# what crawlers and AI screeners see without a code push and without bouncing
|
|
# the api/worker. Humans already get live data via post-hydration refetch.
|
|
#
|
|
# Uses the same gitea_ci + scoped-sudo path as deploy.yml's deploy-web job;
|
|
# see asset/sudoers.d/web-host.conf and script/infra-setup.sh.
|
|
|
|
on:
|
|
schedule:
|
|
# 04:17 UTC daily — off-peak, arbitrary minute to avoid the top-of-hour herd.
|
|
- cron: '17 4 * * *'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: deploy # share the deploy lock so a refresh never races a push deploy
|
|
cancel-in-progress: false
|
|
|
|
env:
|
|
WEB_HOST: oolon.kosherinata.internal
|
|
SERVER_NAME: rob.tn
|
|
WEB_ROOT: /var/www/rob.tn
|
|
API_PORT: "42424"
|
|
API_UPSTREAM_SCHEME: http
|
|
API_UPSTREAM_ADDR: nikola.kosherinata.internal:42424
|
|
VITE_API_BASE: https://rob.tn/api/v1
|
|
DEPLOY_KEY: |
|
|
${{ secrets.RSYNC_SSH_KEY }}
|
|
|
|
jobs:
|
|
build-web:
|
|
name: Rebuild prerendered web
|
|
runs-on: rust # image has node; we only need the web toolchain here
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Build web (vite client + prerender)
|
|
run: |
|
|
# gongfoo rust image has node + npm but not corepack; job runs as root.
|
|
npm install -g pnpm@10
|
|
pnpm --dir ui install --frozen-lockfile
|
|
pnpm --dir ui run build
|
|
- uses: actions/upload-artifact@v3
|
|
with: { name: web-dist, path: ui/dist, retention-days: 1 }
|
|
|
|
deploy-web:
|
|
name: Deploy refreshed web to oolon
|
|
needs: build-web
|
|
runs-on: fedora-43
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/download-artifact@v3
|
|
with: { name: web-dist, path: dist }
|
|
|
|
- name: SSH init
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "${DEPLOY_KEY}" > ~/.ssh/id_ed25519
|
|
chmod 600 ~/.ssh/id_ed25519
|
|
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=accept-new \
|
|
gitea_ci@"${WEB_HOST}" 'hostname -f'
|
|
|
|
- name: Render nginx vhost
|
|
run: |
|
|
mkdir -p rendered
|
|
python3 - <<'PY'
|
|
import os
|
|
t = open("asset/nginx/site.conf.tmpl").read()
|
|
for k in ("SERVER_NAME", "API_UPSTREAM_SCHEME", "API_UPSTREAM_ADDR"):
|
|
t = t.replace("{{%s}}" % k, os.environ[k])
|
|
t = t.replace("{{DOCROOT}}", os.environ["WEB_ROOT"])
|
|
open("rendered/site.conf", "w").write(t)
|
|
PY
|
|
|
|
- name: Sync static site (prerendered)
|
|
run: |
|
|
ssh gitea_ci@"${WEB_HOST}" 'sudo /usr/bin/install -d -m 0755 '"${WEB_ROOT}"
|
|
rsync -az --delete --mkpath --rsync-path='sudo rsync' \
|
|
--chown=root:root --chmod=D755,F644 \
|
|
dist/ gitea_ci@"${WEB_HOST}":"${WEB_ROOT}/"
|
|
ssh gitea_ci@"${WEB_HOST}" 'sudo /usr/sbin/restorecon -R '"${WEB_ROOT}"
|
|
|
|
- name: Sync nginx vhost + reload
|
|
run: |
|
|
rsync -az --mkpath --rsync-path='sudo rsync' --chown=root:root --chmod=0644 \
|
|
rendered/site.conf \
|
|
gitea_ci@"${WEB_HOST}":/etc/nginx/conf.d/"${SERVER_NAME}".conf
|
|
ssh gitea_ci@"${WEB_HOST}" '
|
|
set -euo pipefail
|
|
sudo /usr/sbin/setsebool -P httpd_can_network_connect on
|
|
if ! sudo /usr/sbin/semanage port -l | grep -E "^http_port_t" | grep -qw '"${API_PORT}"'; then
|
|
sudo /usr/sbin/semanage port -a -t http_port_t -p tcp '"${API_PORT}"'
|
|
fi
|
|
sudo /usr/sbin/restorecon -R /etc/nginx/conf.d/'"${SERVER_NAME}"'.conf
|
|
sudo /usr/sbin/nginx -t
|
|
sudo /usr/bin/systemctl reload nginx'
|