Make CI arm64-runner-aware for Gitea self-hosted act_runner

Runner: self-hosted arm64. Deploy target: amd64 (Hetzner). Cross-arch is safe because Astro output is plain static HTML/CSS/JS — nothing in the bundle is arch-specific. Changes: - runs-on: ubuntu-latest (most portable act_runner label — override per your runner's registered labels if needed). - Install Chromium from apt at workflow time (Google Chrome has no Linux/arm64 stable build; Chromium does). Handles both chromium and chromium-browser package names, sudo-less runners, and idempotently skips if already present. - Export CHROME_PATH so LHCI picks the right binary. - Add chromeFlags to lighthouserc.cjs: --no-sandbox --headless=new --disable-gpu --disable-dev-shm-usage (required in containerized/root Chromium on CI runners). - timeout-minutes on both jobs. - Defense-in-depth install of rsync + openssh in deploy job if the runner image doesn't ship them. - Null-guard SFTP_KEY and SFTP_KNOWN_HOSTS secrets. - Switch echo to printf for deterministic newline handling when writing key material to ~/.ssh files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 17:39:34 +02:00
parent d98d73b14a
commit ea6267d6f7
2 changed files with 78 additions and 4 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -1,3 +1,25 @@
+# -----------------------------------------------------------------------------
+# cameleer-website — Gitea Actions build + deploy
+#
+# Runner: self-hosted arm64 (Gitea Runner / act_runner).
+# Deploy target: Hetzner Webhosting L (amd64).
+#
+# Architecture mismatch does NOT matter: Astro's output is static HTML/CSS/JS
+# plus hashed assets. Nothing arch-specific ships in the bundle. Everything in
+# this workflow — Node 20, rsync, ssh, curl, chromium — has native arm64.
+#
+# The only non-trivial arm64 gotcha is Lighthouse CI: Google Chrome has no
+# stable Linux/arm64 build, so we install the distro-packaged Chromium and
+# hand its path to LHCI via CHROME_PATH. On amd64 runners this still works;
+# the step is idempotent if Chromium is already present.
+#
+# `runs-on` labels:
+#   This file uses `ubuntu-latest`, which the default act_runner config maps
+#   to `catthehacker/ubuntu:act-latest` (multi-arch, has apt + sudo). If your
+#   runner is registered with different labels (e.g. `[self-hosted, arm64]`),
+#   update `runs-on` below accordingly.
+# -----------------------------------------------------------------------------
+
 name: build-test-deploy

 on:
@@ -8,7 +30,8 @@ on:

 jobs:
  build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
    env:
      PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }}
      PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }}
@@ -22,6 +45,41 @@ jobs:
          node-version: '20'
          cache: 'npm'

+      # Lighthouse CI needs a Chrome/Chromium binary at runtime. Google Chrome
+      # has no Linux/arm64 build, so install distro Chromium and export its
+      # path. Handles both `chromium` (Debian) and `chromium-browser` (older
+      # Ubuntu) package names, and works whether sudo is present or absent
+      # (e.g. runner running as root).
+      - name: Install Chromium for Lighthouse CI
+        shell: bash
+        run: |
+          set -e
+          if command -v sudo >/dev/null 2>&1; then SUDO=sudo; else SUDO=; fi
+
+          resolve_chromium() {
+            command -v chromium 2>/dev/null \
+              || command -v chromium-browser 2>/dev/null \
+              || true
+          }
+
+          CHROME_BIN="$(resolve_chromium)"
+          if [ -z "$CHROME_BIN" ]; then
+            $SUDO apt-get update -qq
+            $SUDO apt-get install -y --no-install-recommends \
+              chromium chromium-driver \
+              || $SUDO apt-get install -y --no-install-recommends \
+                   chromium-browser chromium-chromedriver
+            CHROME_BIN="$(resolve_chromium)"
+          fi
+
+          if [ -z "$CHROME_BIN" ]; then
+            echo "Failed to install a Chromium binary — Lighthouse CI cannot run."
+            exit 1
+          fi
+
+          echo "CHROME_PATH=$CHROME_BIN" >> "$GITHUB_ENV"
+          "$CHROME_BIN" --version || true
+
      - name: Install dependencies
        run: npm ci

@@ -46,6 +104,8 @@ jobs:
        run: npm run lint:links

      - name: Lighthouse CI
+        env:
+          CHROME_PATH: ${{ env.CHROME_PATH }}
        run: npx lhci autorun

      - name: Upload dist artifact
@@ -59,7 +119,8 @@ jobs:
  deploy:
    if: github.ref == 'refs/heads/main'
    needs: build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
    concurrency:
      group: deploy-production
      cancel-in-progress: false
@@ -76,11 +137,20 @@ jobs:
          SFTP_KEY: ${{ secrets.SFTP_KEY }}
          SFTP_KNOWN_HOSTS: ${{ secrets.SFTP_KNOWN_HOSTS }}
        run: |
+          set -e
+          : "${SFTP_KEY:?SFTP_KEY secret must be set}"
+          : "${SFTP_KNOWN_HOSTS:?SFTP_KNOWN_HOSTS secret must be set}"
          mkdir -p ~/.ssh
-          echo "$SFTP_KEY" > ~/.ssh/id_ed25519
+          printf '%s\n' "$SFTP_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
-          echo "$SFTP_KNOWN_HOSTS" > ~/.ssh/known_hosts
+          printf '%s\n' "$SFTP_KNOWN_HOSTS" > ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts
+          # Ensure rsync + openssh are present even on a minimal runner image.
+          if ! command -v rsync >/dev/null 2>&1 || ! command -v ssh >/dev/null 2>&1; then
+            if command -v sudo >/dev/null 2>&1; then SUDO=sudo; else SUDO=; fi
+            $SUDO apt-get update -qq
+            $SUDO apt-get install -y --no-install-recommends rsync openssh-client
+          fi

      - name: Deploy via rsync
        env: