jwright/bztmon-site
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

M5: publish seam + CI/CD pipeline
build-and-deploy / build (push) Failing after 15m10s
Details

Browse Source 
scripts/new-post.mjs writes schema-valid posts from flags or a JSON event
(the IaC publish seam). Gitea Actions workflow: ci check, audit-ci gate,
build, dist scan, CycloneDX SBOM, buildah build+push, and a least-privilege
digest-bump PR to home-ops (never auto-merged). Renovate + audit allowlist.
This commit is contained in:
Jonathon Wright
2026-06-17 17:20:54 +10:00
parent c1db5cec86
commit 83edaf5975
10 changed files with 2503 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/bump-digest.sh
Executable
+55
View File
@@ -0,0 +1,55 @@
#!/usr/bin/env bash
# Open a digest-bump PR against the PRIVATE home-ops repo after an image is pushed.
# Called by CI (.gitea/workflows/deploy.yml) after scripts/build-image.sh push.
#
# Least-privilege: uses a deploy key scoped to ONLY home-ops, and a token that can
# open a PR. It NEVER pushes to main — main is branch-protected, human-merged.
#
# Required env (CI secrets):
# HOME_OPS_SSH_KEY - private deploy key with write to home-ops only
# GITEA_API - e.g. https://gitea.bztmon.org/api/v1 (PRIVATE instance)
# GITEA_TOKEN - token that can create a PR on home-ops
# Optional:
# HOME_OPS_REPO_SSH - default ssh://git@10.0.11.241:22/jwrong96/home-ops.git
# MANIFEST - path within home-ops to patch
set -euo pipefail
REGISTRY="${REGISTRY:-git.bztmon.com}"
IMAGE="${IMAGE:-jwright/bztmon-site}"
HOME_OPS_REPO_SSH="${HOME_OPS_REPO_SSH:-ssh://git@10.0.11.241:22/jwrong96/home-ops.git}"
MANIFEST="${MANIFEST:-kubernetes/apps/bztmon-site/bztmon-site.yaml}"
GITEA_API="${GITEA_API:-https://gitea.bztmon.org/api/v1}"
TAG="$(git rev-parse --short HEAD)"
DIGEST="$(cat /tmp/bztmon-site.digest)"
REF="${REGISTRY}/${IMAGE}:${TAG}@${DIGEST}"
echo ">> new image ref: ${REF}"
# --- SSH for the home-ops deploy key --------------------------------------
export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new"
KEYFILE="$(mktemp)"; trap 'rm -f "$KEYFILE"' EXIT
printf '%s\n' "${HOME_OPS_SSH_KEY}" > "$KEYFILE"; chmod 600 "$KEYFILE"
export GIT_SSH_COMMAND="ssh -i ${KEYFILE} -o StrictHostKeyChecking=accept-new"
WORK="$(mktemp -d)"
git clone --depth 1 "${HOME_OPS_REPO_SSH}" "${WORK}/home-ops"
cd "${WORK}/home-ops"
BRANCH="deploy/bztmon-site-${TAG}"
git switch -c "${BRANCH}"
# Replace the image: line for our image (matches any current tag@digest).
sed -i -E "s#(^\s*image:\s*)${REGISTRY}/${IMAGE}.*#\1${REF}#" "${MANIFEST}"
git --no-pager diff -- "${MANIFEST}"
git config user.name "bztmon-site CI"
git config user.email "ci@bztmon.com"
git commit -am "bztmon-site: deploy ${TAG}"
git push origin "${BRANCH}"
# --- Open the PR (never auto-merge) ----------------------------------------
curl -fsSL -X POST "${GITEA_API}/repos/jwrong96/home-ops/pulls" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"head\":\"${BRANCH}\",\"base\":\"main\",\"title\":\"bztmon-site: deploy ${TAG}\",\"body\":\"Automated digest bump.\\n\\nImage: \`${REF}\`\\n\\nMerge to roll out via ArgoCD.\"}"
echo ">> PR opened for ${BRANCH}"