grenade/moments
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ba96cddebc60eed5496c9f6b7253ea7083af3d25
moments/.gitea/workflows/refresh.yml
rob thijssen ba96cddebc
All checks were successful
deploy / Build prerendered web (push) Successful in 2m53s
Details
deploy / Deploy web to oolon (push) Successful in 58s
Details
deploy / Build api + worker (static musl) (push) Successful in 6m10s
Details
deploy / Deploy moments-api to nikola (push) Successful in 55s
Details
deploy / Deploy moments-worker to frootmig (push) Successful in 55s
Details
ci: install web deps with --ignore-scripts + explicit rebuild 
CI's pnpm did not honor the build-script allowlist from package.json (removed
in pnpm 10) nor from pnpm-workspace.yaml under `pnpm --dir ui`, so build-web
kept failing with ERR_PNPM_IGNORED_BUILDS. Make it version- and discovery-
independent: run in ui/ via working-directory, install with --ignore-scripts
(no approval gate), then `pnpm rebuild @swc/core esbuild` to place the native
binaries vite needs. Verified locally: cold install + rebuild + vite build all
succeed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01X7zF7Kf4JqDwa6M8Qgge9M
2026-06-25 14:00:47 +03:00

101 lines
3.8 KiB
YAML
Raw Blame History

name: refresh
# Daily re-bake of the prerendered site. The crawler-visible HTML is a static
# snapshot taken at build time; this job rebuilds it from the current gist (CV)
# and activity API and redeploys *only* the web tier — so edits propagate to
# what crawlers and AI screeners see without a code push and without bouncing
# the api/worker. Humans already get live data via post-hydration refetch.
#
# Uses the same gitea_ci + scoped-sudo path as deploy.yml's deploy-web job;
# see asset/sudoers.d/web-host.conf and script/infra-setup.sh.
on:
schedule:
# 04:17 UTC daily — off-peak, arbitrary minute to avoid the top-of-hour herd.
- cron: '17 4 * * *'
workflow_dispatch:
concurrency:
group: deploy # share the deploy lock so a refresh never races a push deploy
cancel-in-progress: false
env:
WEB_HOST: oolon.kosherinata.internal
SERVER_NAME: rob.tn
WEB_ROOT: /var/www/rob.tn
API_PORT: "42424"
API_UPSTREAM_SCHEME: http
API_UPSTREAM_ADDR: nikola.kosherinata.internal:42424
VITE_API_BASE: https://rob.tn/api/v1
DEPLOY_KEY: |
${{ secrets.RSYNC_SSH_KEY }}
jobs:
build-web:
name: Rebuild prerendered web
runs-on: fedora-44 # image bakes in node + pnpm; that's all we need here
steps:
- uses: actions/checkout@v4
# Install without the pnpm 10 build-script gate, then rebuild the native
# deps vite needs (see deploy.yml build-web for the rationale).
- name: Build web (vite client + prerender)
working-directory: ui
run: |
pnpm install --frozen-lockfile --ignore-scripts
pnpm rebuild @swc/core esbuild
pnpm run build
- uses: actions/upload-artifact@v3
with: { name: web-dist, path: ui/dist, retention-days: 1 }
deploy-web:
name: Deploy refreshed web to oolon
needs: build-web
runs-on: fedora-44
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v3
with: { name: web-dist, path: dist }
- name: SSH init
run: |
mkdir -p ~/.ssh
echo "${DEPLOY_KEY}" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=accept-new \
gitea_ci@"${WEB_HOST}" 'hostname -f'
- name: Render nginx vhost
run: |
mkdir -p rendered
python3 - <<'PY'
import os
t = open("asset/nginx/site.conf.tmpl").read()
for k in ("SERVER_NAME", "API_UPSTREAM_SCHEME", "API_UPSTREAM_ADDR"):
t = t.replace("{{%s}}" % k, os.environ[k])
t = t.replace("{{DOCROOT}}", os.environ["WEB_ROOT"])
open("rendered/site.conf", "w").write(t)
PY
- name: Sync static site (prerendered)
run: |
ssh gitea_ci@"${WEB_HOST}" 'sudo /usr/bin/install -d -m 0755 '"${WEB_ROOT}"
rsync -az --delete --mkpath --rsync-path='sudo rsync' \
--chown=root:root --chmod=D755,F644 \
dist/ gitea_ci@"${WEB_HOST}":"${WEB_ROOT}/"
ssh gitea_ci@"${WEB_HOST}" 'sudo /usr/sbin/restorecon -R '"${WEB_ROOT}"
- name: Sync nginx vhost + reload
run: |
rsync -az --mkpath --rsync-path='sudo rsync' --chown=root:root --chmod=0644 \
rendered/site.conf \
gitea_ci@"${WEB_HOST}":/etc/nginx/conf.d/"${SERVER_NAME}".conf
ssh gitea_ci@"${WEB_HOST}" '
set -euo pipefail
sudo /usr/sbin/setsebool -P httpd_can_network_connect on
if ! sudo /usr/sbin/semanage port -l | grep -E "^http_port_t" | grep -qw '"${API_PORT}"'; then
sudo /usr/sbin/semanage port -a -t http_port_t -p tcp '"${API_PORT}"'
fi
sudo /usr/sbin/restorecon -R /etc/nginx/conf.d/'"${SERVER_NAME}"'.conf
sudo /usr/sbin/nginx -t
sudo /usr/bin/systemctl reload nginx'
Reference in New Issue View Git Blame Copy Permalink