From ca2a7259537b6de385e47a7cae003386ac42ac7c Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Fri, 24 Apr 2026 21:24:42 +0200 Subject: [PATCH] ci(deploy): merge build+deploy into one job, manual trigger only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two changes: 1. Merge build and deploy jobs into a single 'deploy' job. This eliminates the actions/upload-artifact@v3 round-trip, which was silently stripping dotfiles (.htaccess) from the artifact and leaving the deployed origin without security headers. The built dist/ (including .htaccess) now flows directly into rsync in the same workspace. 2. Remove the 'push: branches: [main]' trigger so deploy runs only on workflow_dispatch (manual click in Gitea Actions UI). Merges to main no longer auto-deploy — production promotion is an explicit user action. The concurrency group at workflow level still prevents overlapping deploys. All secrets remain unchanged. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/deploy.yml | 41 +++++++++---------------------- 1 file changed, 10 insertions(+), 31 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index d449192..c3c70b1 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -1,10 +1,14 @@
 # -----------------------------------------------------------------------------
 # cameleer-website — Deploy to Hetzner Webhosting L
 #
-# Runs ONLY on pushes to `main` and on manual dispatch from the Gitea UI.
-# Does NOT run Lighthouse CI (that's in ci.yml — assume any commit that reached
-# main already passed the full gate). Rebuilds fresh, runs the TBD guard, and
-# rsyncs `dist/` to the origin over SSH with host-key pinning.
+# MANUAL TRIGGER ONLY. Runs exclusively on workflow_dispatch from the Gitea UI
+# (Actions → deploy → Run workflow). Does NOT auto-deploy on push to main —
+# merges to main must be explicitly promoted to production.
+#
+# Build and deploy run in a single job so the built dist/ (including
+# dotfiles like .htaccess) flows directly into rsync. An earlier split-job
+# design was abandoned because actions/upload-artifact@v3 excludes dotfiles
+# by default and the v4 client does not work on Gitea Actions / GHES.
 #
 # Runner: self-hosted arm64 Gitea runner. Adjust `runs-on` if your runner's
 # labels differ. Deploy target is Hetzner amd64 — arch mismatch is a non-issue
@@ -12,15 +16,12 @@
 #
 # Required secrets (repo settings → Actions → Secrets):
 # SFTP_HOST, SFTP_USER, SFTP_PATH, SFTP_KEY, SFTP_KNOWN_HOSTS
-# Required variables (repo settings → Actions → Variables):
 # PUBLIC_AUTH_SIGNIN_URL, PUBLIC_AUTH_SIGNUP_URL, PUBLIC_SALES_EMAIL
 # -----------------------------------------------------------------------------
 
 name: deploy
 
 on:
-  push:
-    branches: [main]
   workflow_dispatch:
 
 concurrency:
@@ -28,9 +29,9 @@ concurrency:
   cancel-in-progress: false
 
 jobs:
-  build:
+  deploy:
     runs-on: ubuntu-latest
-    timeout-minutes: 15
+    timeout-minutes: 25
     env:
       PUBLIC_AUTH_SIGNIN_URL: ${{ secrets.PUBLIC_AUTH_SIGNIN_URL }}
       PUBLIC_AUTH_SIGNUP_URL: ${{ secrets.PUBLIC_AUTH_SIGNUP_URL }}
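Review bot: With the `push:` trigger removed, workflow_dispatch is the only entry point, and a manual dispatch can be started from any branch or tag, so the job no longer has the "already passed the full gate" property that the deleted header sentence about Lighthouse CI relied on; the same gap shows in the first hunk's new header text, which says "manual trigger only" but not which refs may be deployed. The `deploy:` job in the third hunk should refuse non-main refs, e.g. `if: github.ref == 'refs/heads/main'` placed directly under `deploy:`, and the header comment should say so: `# Dispatchable from any ref; the job-level if: guard limits production deploys to main.`. The job's steps continue outside these hunks, so any ref check placed inside a step was not visible here.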
@@ -70,28 +71,6 @@ jobs:
           exit 1
         fi
 
-      # Pin to v3 — Gitea Actions implements the v3 artifact protocol.
-      # upload/download-artifact@v4 talk to a github.com-only backend and
-      # fail with GHESNotSupportedError on Gitea / Forgejo / GHES.
-      - name: Upload dist artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: dist
-          path: dist/
-          retention-days: 7
-
-  deploy:
-    needs: build
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-
-    steps:
-      - name: Download dist artifact
-        uses: actions/download-artifact@v3
-        with:
-          name: dist
-          path: dist/
-
       - name: Configure SSH
         env:
           SFTP_KEY: ${{ secrets.SFTP_KEY }}
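Review bot: Removing the artifact round-trip means every dotfile the build leaves under dist/ now reaches the origin, not only the intended .htaccess; the old upload step was accidentally acting as a filter, and nothing in the new code replaces it. The rsync step lies outside this hunk, so if it does not already carry an explicit exclude, the guard that ends with `exit 1` / `fi` above is the natural place to fail on anything unexpected, e.g. `[ -z "$(find dist -name '.*' ! -name .htaccess)" ] || { echo 'unexpected dotfiles in dist/'; exit 1; }`. The enclosing `deploy` job starts before and ends after this hunk, so the build steps and the final rsync invocation were not reviewed here.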