Make CI arm64-runner-aware for Gitea self-hosted act_runner
Runner: self-hosted arm64. Deploy target: amd64 (Hetzner). Cross-arch is safe because Astro output is plain static HTML/CSS/JS — nothing in the bundle is arch-specific. Changes: - runs-on: ubuntu-latest (most portable act_runner label — override per your runner's registered labels if needed). - Install Chromium from apt at workflow time (Google Chrome has no Linux/arm64 stable build; Chromium does). Handles both chromium and chromium-browser package names, sudo-less runners, and idempotently skips if already present. - Export CHROME_PATH so LHCI picks the right binary. - Add chromeFlags to lighthouserc.cjs: --no-sandbox --headless=new --disable-gpu --disable-dev-shm-usage (required in containerized/root Chromium on CI runners). - timeout-minutes on both jobs. - Defense-in-depth install of rsync + openssh in deploy job if the runner image doesn't ship them. - Null-guard SFTP_KEY and SFTP_KNOWN_HOSTS secrets. - Switch echo to printf for deterministic newline handling when writing key material to ~/.ssh files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -1,3 +1,25 @@
|
|||||||
|
# -----------------------------------------------------------------------------
|
||||||
|
# cameleer-website — Gitea Actions build + deploy
|
||||||
|
#
|
||||||
|
# Runner: self-hosted arm64 (Gitea Runner / act_runner).
|
||||||
|
# Deploy target: Hetzner Webhosting L (amd64).
|
||||||
|
#
|
||||||
|
# Architecture mismatch does NOT matter: Astro's output is static HTML/CSS/JS
|
||||||
|
# plus hashed assets. Nothing arch-specific ships in the bundle. Everything in
|
||||||
|
# this workflow — Node 20, rsync, ssh, curl, chromium — has native arm64.
|
||||||
|
#
|
||||||
|
# The only non-trivial arm64 gotcha is Lighthouse CI: Google Chrome has no
|
||||||
|
# stable Linux/arm64 build, so we install the distro-packaged Chromium and
|
||||||
|
# hand its path to LHCI via CHROME_PATH. On amd64 runners this still works;
|
||||||
|
# the step is idempotent if Chromium is already present.
|
||||||
|
#
|
||||||
|
# `runs-on` labels:
|
||||||
|
# This file uses `ubuntu-latest`, which the default act_runner config maps
|
||||||
|
# to `catthehacker/ubuntu:act-latest` (multi-arch, has apt + sudo). If your
|
||||||
|
# runner is registered with different labels (e.g. `[self-hosted, arm64]`),
|
||||||
|
# update `runs-on` below accordingly.
|
||||||
|
# -----------------------------------------------------------------------------
|
||||||
|
|
||||||
name: build-test-deploy
|
name: build-test-deploy
|
||||||
|
|
||||||
on:
|
on:
|
||||||
@@ -8,7 +30,8 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-latest
|
||||||
|
timeout-minutes: 20
|
||||||
env:
|
env:
|
||||||
PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }}
|
PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }}
|
||||||
PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }}
|
PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }}
|
||||||
@@ -22,6 +45,41 @@ jobs:
|
|||||||
node-version: '20'
|
node-version: '20'
|
||||||
cache: 'npm'
|
cache: 'npm'
|
||||||
|
|
||||||
|
# Lighthouse CI needs a Chrome/Chromium binary at runtime. Google Chrome
|
||||||
|
# has no Linux/arm64 build, so install distro Chromium and export its
|
||||||
|
# path. Handles both `chromium` (Debian) and `chromium-browser` (older
|
||||||
|
# Ubuntu) package names, and works whether sudo is present or absent
|
||||||
|
# (e.g. runner running as root).
|
||||||
|
- name: Install Chromium for Lighthouse CI
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
set -e
|
||||||
|
if command -v sudo >/dev/null 2>&1; then SUDO=sudo; else SUDO=; fi
|
||||||
|
|
||||||
|
resolve_chromium() {
|
||||||
|
command -v chromium 2>/dev/null \
|
||||||
|
|| command -v chromium-browser 2>/dev/null \
|
||||||
|
|| true
|
||||||
|
}
|
||||||
|
|
||||||
|
CHROME_BIN="$(resolve_chromium)"
|
||||||
|
if [ -z "$CHROME_BIN" ]; then
|
||||||
|
$SUDO apt-get update -qq
|
||||||
|
$SUDO apt-get install -y --no-install-recommends \
|
||||||
|
chromium chromium-driver \
|
||||||
|
|| $SUDO apt-get install -y --no-install-recommends \
|
||||||
|
chromium-browser chromium-chromedriver
|
||||||
|
CHROME_BIN="$(resolve_chromium)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$CHROME_BIN" ]; then
|
||||||
|
echo "Failed to install a Chromium binary — Lighthouse CI cannot run."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "CHROME_PATH=$CHROME_BIN" >> "$GITHUB_ENV"
|
||||||
|
"$CHROME_BIN" --version || true
|
||||||
|
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: npm ci
|
run: npm ci
|
||||||
|
|
||||||
@@ -46,6 +104,8 @@ jobs:
|
|||||||
run: npm run lint:links
|
run: npm run lint:links
|
||||||
|
|
||||||
- name: Lighthouse CI
|
- name: Lighthouse CI
|
||||||
|
env:
|
||||||
|
CHROME_PATH: ${{ env.CHROME_PATH }}
|
||||||
run: npx lhci autorun
|
run: npx lhci autorun
|
||||||
|
|
||||||
- name: Upload dist artifact
|
- name: Upload dist artifact
|
||||||
@@ -59,7 +119,8 @@ jobs:
|
|||||||
deploy:
|
deploy:
|
||||||
if: github.ref == 'refs/heads/main'
|
if: github.ref == 'refs/heads/main'
|
||||||
needs: build
|
needs: build
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-latest
|
||||||
|
timeout-minutes: 10
|
||||||
concurrency:
|
concurrency:
|
||||||
group: deploy-production
|
group: deploy-production
|
||||||
cancel-in-progress: false
|
cancel-in-progress: false
|
||||||
@@ -76,11 +137,20 @@ jobs:
|
|||||||
SFTP_KEY: ${{ secrets.SFTP_KEY }}
|
SFTP_KEY: ${{ secrets.SFTP_KEY }}
|
||||||
SFTP_KNOWN_HOSTS: ${{ secrets.SFTP_KNOWN_HOSTS }}
|
SFTP_KNOWN_HOSTS: ${{ secrets.SFTP_KNOWN_HOSTS }}
|
||||||
run: |
|
run: |
|
||||||
|
set -e
|
||||||
|
: "${SFTP_KEY:?SFTP_KEY secret must be set}"
|
||||||
|
: "${SFTP_KNOWN_HOSTS:?SFTP_KNOWN_HOSTS secret must be set}"
|
||||||
mkdir -p ~/.ssh
|
mkdir -p ~/.ssh
|
||||||
echo "$SFTP_KEY" > ~/.ssh/id_ed25519
|
printf '%s\n' "$SFTP_KEY" > ~/.ssh/id_ed25519
|
||||||
chmod 600 ~/.ssh/id_ed25519
|
chmod 600 ~/.ssh/id_ed25519
|
||||||
echo "$SFTP_KNOWN_HOSTS" > ~/.ssh/known_hosts
|
printf '%s\n' "$SFTP_KNOWN_HOSTS" > ~/.ssh/known_hosts
|
||||||
chmod 644 ~/.ssh/known_hosts
|
chmod 644 ~/.ssh/known_hosts
|
||||||
|
# Ensure rsync + openssh are present even on a minimal runner image.
|
||||||
|
if ! command -v rsync >/dev/null 2>&1 || ! command -v ssh >/dev/null 2>&1; then
|
||||||
|
if command -v sudo >/dev/null 2>&1; then SUDO=sudo; else SUDO=; fi
|
||||||
|
$SUDO apt-get update -qq
|
||||||
|
$SUDO apt-get install -y --no-install-recommends rsync openssh-client
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Deploy via rsync
|
- name: Deploy via rsync
|
||||||
env:
|
env:
|
||||||
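Review bot: In the deploy job's SSH setup, `printf '%s\n' "$SFTP_KEY" > ~/.ssh/id_ed25519` creates the key file under the shell's default umask and only the following `chmod 600` narrows it, so the private key can be briefly readable by other local accounts; `mkdir -p ~/.ssh` likewise leaves the directory at its default mode. Adding `umask 077` directly after `set -e` closes that window, and the existing `chmod 644 ~/.ssh/known_hosts` still applies afterwards. Since this commit targets a self-hosted act_runner, the key may also outlive the job if the runner executes on the host rather than in a disposable container (the runner configuration is not visible here), so a final step guarded by `if: always()` that runs `rm -f ~/.ssh/id_ed25519` is worth adding. The new `apt-get install` of rsync/openssh-client also runs after the key is already on disk; moving it above the `mkdir` keeps package installation away from secret material. The step's name and `env:` header lie above this hunk.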
|
|||||||
@@ -11,6 +11,10 @@ module.exports = {
|
|||||||
numberOfRuns: 3,
|
numberOfRuns: 3,
|
||||||
settings: {
|
settings: {
|
||||||
preset: 'desktop',
|
preset: 'desktop',
|
||||||
|
// Flags required when Chromium runs inside a CI container or as root
|
||||||
|
// (Gitea act_runner on arm64 uses containers). --headless=new is the
|
||||||
|
// modern Chromium headless mode. CHROME_PATH is set by the workflow.
|
||||||
|
chromeFlags: '--no-sandbox --headless=new --disable-gpu --disable-dev-shm-usage',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
assert: {
|
assert: {
|
||||||
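Review bot: The new `chromeFlags` line passes `--no-sandbox` unconditionally, so every `lhci` run that uses this config, including runs on a developer workstation, starts Chromium without its renderer sandbox. That is tolerable while Lighthouse only loads the locally built static site, but the added comment does not state that limit, and the flag would leave no process isolation if the config were ever pointed at an external URL. Consider gating it, for example `const sandboxFlag = process.env.CI ? '--no-sandbox ' : '';` and then building `chromeFlags` from it (this assumes the runner exports `CI`; otherwise set a dedicated variable in the workflow step). At minimum, extend the comment to say `--no-sandbox` is accepted only because the audited pages are the repository's own build output. The `settings` object starts above the hunk.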
|
|||||||