Thomas SharedInboxandClaude Sonnet 4.6
839a3c63f9
Store all production secrets encrypted in secrets.age (committed to the repo) using age. Only one secret needs to be in CI: SECRETS_AGE_KEY. When a secret changes locally, update secrets.env and re-run scripts/secrets-encrypt.sh to commit a new secrets.age. CI picks up the updated secrets automatically on the next push — no manual CI variable updates required. Changes: - scripts/secrets-encrypt.sh: encrypt secrets.env → secrets.age - scripts/secrets-decrypt.sh: decrypt secrets.age → GITHUB_ENV (CI) or eval-safe export block (local) - scripts/test_secrets.sh: encrypt/decrypt round-trip tests - secrets.env.example: template documenting all production secret keys - ci/main.go: add CheckSecrets function (runs test_secrets.sh via Dagger), wire into Check(), update Graph(); add age to toolchain apt packages - .forgejo/Dockerfile: add age package - .forgejo/workflows/deploy.yml: replace per-secret CI references with a single "Decrypt production secrets" step using SECRETS_AGE_KEY - flake.nix: add age to dev shell - Taskfile.yml: add check-secrets task, include in check-fast - .gitignore: ignore plaintext secrets.env - DAGGER.md: document Option 5 (encrypted secrets file) as active approach Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
336 lines
14 KiB
YAML
336 lines
14 KiB
YAML
name: Deploy
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 * * * *' # every hour on the hour
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
check-changes:
|
|
name: Detect Changed Files
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 5
|
|
outputs:
|
|
android: ${{ steps.diff.outputs.android }}
|
|
linux: ${{ steps.diff.outputs.linux }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 2
|
|
|
|
- name: Detect Android and Linux changes
|
|
id: diff
|
|
shell: bash
|
|
run: |
|
|
# On workflow_dispatch always build everything
|
|
if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
|
|
echo "android=true" >> "$GITHUB_OUTPUT"
|
|
echo "linux=true" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
|
|
# Diff the HEAD commit against its parent; fall back to listing HEAD's files
|
|
# when the parent is unavailable (initial commit, shallow clone).
|
|
CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null \
|
|
|| git show --name-only --format= HEAD)
|
|
|
|
echo "Changed files:"
|
|
echo "$CHANGED"
|
|
|
|
android_re='^(android/|integration_test/|lib/|pubspec\.yaml|pubspec\.lock|drift_schemas/)'
|
|
linux_re='^(linux/|lib/|pubspec\.yaml|pubspec\.lock)'
|
|
|
|
echo "$CHANGED" | grep -qE "$android_re" \
|
|
&& echo "android=true" >> "$GITHUB_OUTPUT" \
|
|
|| echo "android=false" >> "$GITHUB_OUTPUT"
|
|
|
|
echo "$CHANGED" | grep -qE "$linux_re" \
|
|
&& echo "linux=true" >> "$GITHUB_OUTPUT" \
|
|
|| echo "linux=false" >> "$GITHUB_OUTPUT"
|
|
|
|
test-android-firebase:
|
|
name: Android Instrumented Tests (Firebase Test Lab)
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 60
|
|
needs: [check-changes]
|
|
if: needs.check-changes.outputs.android == 'true'
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 1
|
|
|
|
- name: Check runner tools
|
|
run: |
|
|
command -v dagger >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v task >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v age >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
|
|
|
|
- name: Setup Dagger Remote Engine (via stunnel)
|
|
env:
|
|
DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
|
|
DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
|
|
DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
|
|
DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
|
|
run: scripts/setup_dagger_remote.sh
|
|
|
|
- name: Decrypt production secrets
|
|
if: ${{ secrets.SECRETS_AGE_KEY != '' }}
|
|
env:
|
|
SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
|
|
run: scripts/secrets-decrypt.sh
|
|
|
|
- name: Run Android Tests on Firebase Test Lab
|
|
if: env.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY != ''
|
|
env:
|
|
DAGGER_NO_NAG: "1"
|
|
run: task test-android-firebase
|
|
|
|
- name: Cleanup TLS credentials
|
|
if: always()
|
|
run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
|
|
|
|
deploy-playstore:
|
|
name: Build & Deploy to Play Store
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 60
|
|
needs: [check-changes]
|
|
if: needs.check-changes.outputs.android == 'true'
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 1
|
|
|
|
- name: Check runner tools
|
|
run: |
|
|
command -v dagger >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v task >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v age >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
|
|
|
|
- name: Setup Dagger Remote Engine (via stunnel)
|
|
env:
|
|
DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
|
|
DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
|
|
DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
|
|
DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
|
|
run: scripts/setup_dagger_remote.sh
|
|
|
|
- name: Decrypt production secrets
|
|
if: ${{ secrets.SECRETS_AGE_KEY != '' }}
|
|
env:
|
|
SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
|
|
run: scripts/secrets-decrypt.sh
|
|
|
|
- name: Publish Android to Play Store
|
|
if: env.PLAY_STORE_CONFIG_JSON != ''
|
|
env:
|
|
DAGGER_NO_NAG: "1"
|
|
run: task publish-android
|
|
|
|
- name: Cleanup TLS credentials
|
|
if: always()
|
|
run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
|
|
|
|
deploy-apk:
|
|
name: Build & Deploy APK to Server
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 60
|
|
needs: [check-changes]
|
|
if: needs.check-changes.outputs.android == 'true'
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 1
|
|
|
|
- name: Check runner tools
|
|
run: |
|
|
command -v dagger >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v task >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v age >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
|
|
|
|
- name: Setup Dagger Remote Engine (via stunnel)
|
|
env:
|
|
DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
|
|
DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
|
|
DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
|
|
DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
|
|
run: scripts/setup_dagger_remote.sh
|
|
|
|
- name: Decrypt production secrets
|
|
if: ${{ secrets.SECRETS_AGE_KEY != '' }}
|
|
env:
|
|
SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
|
|
run: scripts/secrets-decrypt.sh
|
|
|
|
- name: Build & Deploy APK to server
|
|
if: env.SSH_PRIVATE_KEY != ''
|
|
env:
|
|
DAGGER_NO_NAG: "1"
|
|
run: task deploy-apk
|
|
|
|
- name: Cleanup TLS credentials
|
|
if: always()
|
|
run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
|
|
|
|
build-linux:
|
|
name: Build Linux Release
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 60
|
|
needs: [check-changes]
|
|
if: needs.check-changes.outputs.linux == 'true'
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 1
|
|
|
|
- name: Check runner tools
|
|
run: |
|
|
command -v dagger >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v task >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v age >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
|
|
|
|
- name: Setup Dagger Remote Engine (via stunnel)
|
|
env:
|
|
DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
|
|
DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
|
|
DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
|
|
DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
|
|
run: scripts/setup_dagger_remote.sh
|
|
|
|
- name: Decrypt production secrets
|
|
if: ${{ secrets.SECRETS_AGE_KEY != '' }}
|
|
env:
|
|
SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
|
|
run: scripts/secrets-decrypt.sh
|
|
|
|
- name: Build & Deploy Linux to server
|
|
if: env.SSH_PRIVATE_KEY != ''
|
|
env:
|
|
DAGGER_NO_NAG: "1"
|
|
run: task deploy-linux
|
|
|
|
- name: Cleanup TLS credentials
|
|
if: always()
|
|
run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
|
|
|
|
publish-website:
|
|
name: Publish Website Build History
|
|
runs-on: ubuntu-latest
|
|
needs: [build-linux, deploy-playstore, deploy-apk]
|
|
if: |
|
|
always() &&
|
|
(needs.build-linux.result == 'success' || needs.deploy-playstore.result == 'success' || needs.deploy-apk.result == 'success')
|
|
timeout-minutes: 60
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 1
|
|
|
|
- name: Check runner tools
|
|
run: |
|
|
command -v dagger >/dev/null 2>&1 || { echo "ERROR: dagger is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v task >/dev/null 2>&1 || { echo "ERROR: task is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
command -v age >/dev/null 2>&1 || { echo "ERROR: age is not installed in the runner image. Add it to .forgejo/Dockerfile."; exit 1; }
|
|
dpkg -s stunnel4 netcat-openbsd >/dev/null 2>&1 || { echo "ERROR: stunnel4/netcat-openbsd are not installed in the runner image. Add them to .forgejo/Dockerfile."; exit 1; }
|
|
|
|
- name: Setup Dagger Remote Engine (via stunnel)
|
|
env:
|
|
DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
|
|
DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
|
|
DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
|
|
DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
|
|
run: scripts/setup_dagger_remote.sh
|
|
|
|
- name: Decrypt production secrets
|
|
if: ${{ secrets.SECRETS_AGE_KEY != '' }}
|
|
env:
|
|
SECRETS_AGE_KEY: ${{ secrets.SECRETS_AGE_KEY }}
|
|
run: scripts/secrets-decrypt.sh
|
|
|
|
- name: Generate build history and deploy website
|
|
if: env.SSH_PRIVATE_KEY != ''
|
|
env:
|
|
DAGGER_NO_NAG: "1"
|
|
run: task publish-website
|
|
|
|
- name: Cleanup TLS credentials
|
|
if: always()
|
|
run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
|
|
|
|
label-deploy-health:
|
|
name: Update Deploy Health Label
|
|
runs-on: ubuntu-latest
|
|
needs: [test-android-firebase, deploy-playstore, deploy-apk, build-linux]
|
|
if: |
|
|
always() && vars.DEPLOY_HEALTH_ISSUE != '' && (
|
|
needs.test-android-firebase.result == 'success' || needs.test-android-firebase.result == 'failure' ||
|
|
needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'failure' ||
|
|
needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'failure' ||
|
|
needs.build-linux.result == 'success' || needs.build-linux.result == 'failure'
|
|
)
|
|
timeout-minutes: 5
|
|
|
|
steps:
|
|
- name: Set CI/Full-Pass or CI/Full-Fail label on tracking issue
|
|
env:
|
|
FORGEJO_TOKEN: ${{ github.token }}
|
|
FORGEJO_URL: ${{ github.server_url }}
|
|
DEPLOY_HEALTH_ISSUE: ${{ vars.DEPLOY_HEALTH_ISSUE }}
|
|
ALL_SUCCEEDED: ${{ (needs.test-android-firebase.result == 'success' || needs.test-android-firebase.result == 'skipped') && (needs.deploy-playstore.result == 'success' || needs.deploy-playstore.result == 'skipped') && (needs.deploy-apk.result == 'success' || needs.deploy-apk.result == 'skipped') && (needs.build-linux.result == 'success' || needs.build-linux.result == 'skipped') }}
|
|
run: |
|
|
python3 - << 'PYEOF'
|
|
import os, json, urllib.request, urllib.error
|
|
|
|
issue = os.environ.get("DEPLOY_HEALTH_ISSUE", "").strip()
|
|
if not issue:
|
|
print("DEPLOY_HEALTH_ISSUE not set; skipping")
|
|
raise SystemExit(0)
|
|
|
|
token = os.environ["FORGEJO_TOKEN"]
|
|
url_base = os.environ["FORGEJO_URL"].rstrip("/")
|
|
succeeded = os.environ.get("ALL_SUCCEEDED", "false").lower() == "true"
|
|
add_label = "CI/Full-Pass" if succeeded else "CI/Full-Fail"
|
|
remove_label = "CI/Full-Fail" if succeeded else "CI/Full-Pass"
|
|
|
|
headers = {"Authorization": f"token {token}", "Content-Type": "application/json"}
|
|
api = f"{url_base}/api/v1/repos/guettli/sharedinbox"
|
|
|
|
def api_get(path):
|
|
req = urllib.request.Request(f"{api}{path}", headers=headers)
|
|
with urllib.request.urlopen(req) as r:
|
|
return json.loads(r.read())
|
|
|
|
def api_put(path, body):
|
|
data = json.dumps(body).encode()
|
|
req = urllib.request.Request(f"{api}{path}", data=data, headers=headers, method="PUT")
|
|
try:
|
|
with urllib.request.urlopen(req) as r:
|
|
return json.loads(r.read())
|
|
except urllib.error.HTTPError as e:
|
|
print(f"PUT {path} failed: {e.read().decode()}")
|
|
raise
|
|
|
|
repo_labels = api_get("/labels")
|
|
label_map = {l["name"]: l["id"] for l in repo_labels}
|
|
|
|
if add_label not in label_map:
|
|
print(f"Label '{add_label}' not found in repo — create it first")
|
|
raise SystemExit(1)
|
|
|
|
current = api_get(f"/issues/{issue}/labels")
|
|
keep_ids = [l["id"] for l in current if l["name"] not in ("CI/Full-Pass", "CI/Full-Fail")]
|
|
keep_ids.append(label_map[add_label])
|
|
|
|
api_put(f"/issues/{issue}/labels", {"labels": keep_ids})
|
|
print(f"Set '{add_label}' on issue #{issue}")
|
|
PYEOF
|