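# Build + push the dockerized pieces to the Gitea container registry:
#   punktfunk-web        — management console (web/Dockerfile, repo-root context)
#   punktfunk-docs       — documentation site (docs-site/Dockerfile)
#   punktfunk-rust-ci    — Rust CI builder image consumed by ci.yml
#   punktfunk-fedora-rpm — Fedora 43 builder image consumed by rpm.yml (Bazzite RPM)
# Host and clients are intentionally NOT containerized (see CLAUDE.md "What's left").
#
# REGISTRY_TOKEN: repo Actions secret, a PAT with write:package scope. It is handed to
# `docker login` via the step environment in both jobs — never interpolated into script
# text — so it cannot leak through command echoing or run logs.
#
# Bootstrap note: ci.yml's rust job pulls punktfunk-rust-ci:latest from the registry, so
# this workflow (or a manual push) must have succeeded once before that job can run; on
# the same push, ci.yml builds against the PREVIOUS image. All three were seeded manually
# on 2026-06-12.
#
# Actions are referenced by version tag (e.g. @v4). Tags are mutable; pinning each `uses:`
# to a full commit SHA is the supply-chain hardening step if the registry host allows it.
name: docker

on:
  push:
    branches: [main]
    tags: ['v*']
  workflow_dispatch:

env:
  REGISTRY: git.unom.io
  OWNER: unom
  # Must be the owner of the REGISTRY_TOKEN PAT, not the push actor.
  REGISTRY_USER: enricobuehler

jobs:
  build-push:
    runs-on: ubuntu-24.04
    timeout-minutes: 45
    strategy:
      matrix:
        include:
          - image: punktfunk-web
            dockerfile: web/Dockerfile
            context: .
          - image: punktfunk-docs
            dockerfile: docs-site/Dockerfile
            context: docs-site
          - image: punktfunk-rust-ci
            dockerfile: ci/rust-ci.Dockerfile
            context: ci
          - image: punktfunk-fedora-rpm
            dockerfile: ci/fedora-rpm.Dockerfile
            context: ci
          # Fedora 44 builder (Fedora KDE spin): same Dockerfile, newer base → libavcodec.so.62.
          - image: punktfunk-fedora44-rpm
            dockerfile: ci/fedora-rpm.Dockerfile
            context: ci
            buildargs: --build-arg FEDORA_VERSION=44

    steps:
      - uses: actions/checkout@v4

      - name: Login to registry
        # Token enters via env, not via ${{ }} expansion inside the script (same pattern
        # as the deploy job below). printf '%s' avoids feeding a trailing newline.
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          printf '%s' "$REGISTRY_TOKEN" \
            | docker login "$REGISTRY" -u "$REGISTRY_USER" --password-stdin

      - name: Build
        # matrix.* values are workflow-controlled literals, so expanding them into the
        # script is safe; buildargs is deliberately unquoted so it word-splits into flags
        # (empty for entries that do not set it).
        run: |
          # On a release tag, also tag the image vX.Y.Z so a release pins reproducible web/docs images.
          EXTRA=""
          case "$GITHUB_REF" in
            refs/tags/v*) EXTRA="-t $REGISTRY/$OWNER/${{ matrix.image }}:${GITHUB_REF_NAME}" ;;
          esac
          docker build --pull ${{ matrix.buildargs }} \
            -f "${{ matrix.dockerfile }}" \
            -t "$REGISTRY/$OWNER/${{ matrix.image }}:latest" \
            -t "$REGISTRY/$OWNER/${{ matrix.image }}:sha-${GITHUB_SHA::8}" \
            $EXTRA \
            "${{ matrix.context }}"

      - name: Push
        # sha-* first so an immutable tag exists before `latest` moves.
        run: |
          docker push "$REGISTRY/$OWNER/${{ matrix.image }}:sha-${GITHUB_SHA::8}"
          docker push "$REGISTRY/$OWNER/${{ matrix.image }}:latest"
          case "$GITHUB_REF" in
            refs/tags/v*) docker push "$REGISTRY/$OWNER/${{ matrix.image }}:${GITHUB_REF_NAME}" ;;
          esac

  # Deploy the docs site to unom-1, the DMZ services VM website/cms also deploy to
  # (docs.punktfunk.unom.io via Caddy on home-reverse-proxy-1 -> :3220). Same secret set
  # as unom/website's deploy: DEPLOY_HOST/DEPLOY_USER/DEPLOY_PORT/DEPLOY_SSH_KEY (the
  # unom-ci-deploy key).
  deploy-docs:
    runs-on: ubuntu-24.04
    needs: build-push
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4

      - name: Sync compose file
        uses: appleboy/scp-action@v0.1.7
        with:
          host: ${{ secrets.DEPLOY_HOST }}
          username: ${{ secrets.DEPLOY_USER }}
          port: ${{ secrets.DEPLOY_PORT }}
          key: ${{ secrets.DEPLOY_SSH_KEY }}
          source: "compose.production.yml"
          target: "~/punktfunk-docs"
          overwrite: true

      - name: Pull and start docs
        uses: appleboy/ssh-action@v1.2.5
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        with:
          host: ${{ secrets.DEPLOY_HOST }}
          username: ${{ secrets.DEPLOY_USER }}
          port: ${{ secrets.DEPLOY_PORT }}
          key: ${{ secrets.DEPLOY_SSH_KEY }}
          # Token enters via env, never the script text (keeps it out of run logs).
          # REGISTRY and REGISTRY_USER are forwarded too so the remote script uses the
          # same values as build-push instead of repeating the literals.
          envs: REGISTRY,REGISTRY_USER,REGISTRY_TOKEN
          script: |
            set -euo pipefail
            printf '%s' "$REGISTRY_TOKEN" | docker login "$REGISTRY" -u "$REGISTRY_USER" --password-stdin
            cd ~/punktfunk-docs
            docker compose -f compose.production.yml pull docs
            docker compose -f compose.production.yml up -d --no-build docs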