valknar/sexy.pivoine.art
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: remove GitHub workflows in favor of Gitea Actions
Some checks failed
Build and Push Docker Image to Gitea / build-and-push (push) Failing after 1m54s
Details

Browse Source 
Remove .github directory as we're now using .gitea/workflows for Gitea Actions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Sebastian Krüger
2025-11-15 17:19:28 +01:00
parent da474f9a61
commit 105efc9a47
5 changed files with 0 additions and 834 deletions
Download Patch File Download Diff File Expand all files Collapse all files

261
.github/DOCKER_SETUP.md vendored
View File

@@ -1,261 +0,0 @@
# Docker & CI/CD Setup Summary
This document summarizes all Docker and CI/CD files created for sexy.pivoine.art.
## Files Created
### Docker Files
1. **`Dockerfile`** (root)
- Multi-stage build (base → builder → runner)
- Rust toolchain installation for WASM builds
- Optimized layer caching
- Non-root user for security
- Health checks included
2. **`.dockerignore`** (root)
- Excludes unnecessary files from build context
- Optimizes build performance
3. **`docker-compose.production.yml`** (root)
- Production orchestration
- Pre-configured to use GHCR images
- Resource limits and health checks
- Environment variable management
4. **`.env.production.example`** (root)
- Template for all environment variables
- Documented with examples
### Build Scripts
5. **`build.sh`** (root)
- Convenience script for building images
- Supports tags, platforms, and pushing
- Executable (`chmod +x`)
### Documentation
6. **`DOCKER.md`** (root)
- Comprehensive Docker deployment guide
- Building, running, troubleshooting
- Production best practices
- Updated with GHCR information
7. **`QUICKSTART.md`** (root)
- 5-minute quick start guide
- Docker Run and Docker Compose examples
- Common commands reference
8. **`README.md`** (root) - **UPDATED**
- Added Docker quick start
- Added CI/CD badges
- Added documentation links
9. **`CLAUDE.md`** (root) - **UPDATED**
- Added Docker deployment section
- Referenced DOCKER.md
### GitHub Actions Workflows
10. **`.github/workflows/docker-build-push.yml`**
- Builds and pushes to `ghcr.io/valknarxxx/sexy`
- Multi-platform (AMD64 + ARM64)
- Smart tagging (latest, semver, branch, SHA)
- Triggers: push to main/develop, tags, PRs, manual
- BuildKit cache for faster builds
11. **`.github/workflows/docker-scan.yml`**
- Daily security scans with Trivy
- Reports to GitHub Security tab
- Scans CRITICAL and HIGH vulnerabilities
- Triggers: schedule, push to main, tags, manual
12. **`.github/workflows/cleanup-images.yml`**
- Weekly cleanup of old images
- Keeps last 10 versions (configurable)
- Deletes untagged images
- Triggers: schedule, manual
13. **`.github/workflows/README.md`**
- Comprehensive workflow documentation
- Setup requirements
- Usage examples
- Troubleshooting guide
14. **`.github/DOCKER_SETUP.md`** (this file)
- Summary of all Docker/CI files
- Quick reference
## Quick Reference
### Image Registry
- **Registry:** GitHub Container Registry (GHCR)
- **Image Name:** `ghcr.io/valknarxxx/sexy`
- **Tags:**
- `latest` - Latest from main branch
- `v1.0.0` - Semantic versions
- `develop` - Latest from develop branch
- `main-abc123` - Commit-specific
### Pull & Run
```bash
# Pull latest
docker pull ghcr.io/valknarxxx/sexy:latest
# Run
docker run -d -p 3000:3000 --env-file .env.production ghcr.io/valknarxxx/sexy:latest
# Or use docker-compose
docker-compose -f docker-compose.production.yml up -d
```
### Build Locally
```bash
# Using script
./build.sh
# Manual
docker build -t sexy.pivoine.art:latest .
# Multi-platform
docker buildx build --platform linux/amd64,linux/arm64 -t sexy.pivoine.art:latest .
```
### Trigger CI/CD
```bash
# Build and push 'latest'
git push origin main
# Build and push version tags
git tag v1.0.0
git push origin v1.0.0
# PR builds (test only, doesn't push)
git push origin feature/branch
# Create PR on GitHub
```
## Key Features
### Security
- ✅ Non-root user in container
- ✅ Minimal base image (node:20.19.1-slim)
- ✅ Daily vulnerability scans
- ✅ Security reports in GitHub Security tab
### Performance
- ✅ Multi-stage builds for smaller images
- ✅ BuildKit cache for faster builds
- ✅ Production-only dependencies
- ✅ Optimized layer caching
### Reliability
- ✅ Health checks built-in
- ✅ dumb-init for proper signal handling
- ✅ Resource limits configurable
- ✅ Auto-restart on failure
### Automation
- ✅ Automatic builds on push/tag
- ✅ Multi-platform support
- ✅ Smart semantic versioning
- ✅ Weekly image cleanup
## Workflow Triggers Summary
| Workflow | Push Main | Push Develop | Tags | PR | Schedule | Manual |
|----------|-----------|--------------|------|----|----------|--------|
| Build & Push | ✅ | ✅ | ✅ | ✅ (no push) | ❌ | ✅ |
| Security Scan | ✅ | ❌ | ✅ | ❌ | Daily 2AM | ✅ |
| Cleanup | ❌ | ❌ | ❌ | ❌ | Weekly Sun 3AM | ✅ |
## Environment Variables
### Required
- `PUBLIC_API_URL` - Directus API endpoint
- `PUBLIC_URL` - Frontend URL
### Optional
- `PUBLIC_UMAMI_ID` - Analytics
- `LETTERSPACE_API_URL` - Newsletter API
- `LETTERSPACE_API_KEY` - Newsletter key
- `LETTERSPACE_LIST_ID` - Mailing list ID
See `.env.production.example` for full reference.
## Next Steps
1. **Test Local Build**
```bash
./build.sh
docker run -d -p 3000:3000 --env-file .env.production sexy.pivoine.art:latest
```
2. **Push to GitHub**
```bash
git add .
git commit -m "Add Docker and CI/CD setup"
git push origin main
```
3. **Monitor First Build**
- Go to GitHub Actions tab
- Watch "Build and Push Docker Image" workflow
- Wait ~30-45 minutes for multi-platform build
4. **Test GHCR Image**
```bash
docker pull ghcr.io/valknarxxx/sexy:latest
docker run -d -p 3000:3000 --env-file .env.production ghcr.io/valknarxxx/sexy:latest
```
5. **Create First Release**
```bash
git tag v1.0.0
git push origin v1.0.0
```
6. **Check Security**
- Wait for daily scan or trigger manually
- Check GitHub → Security → Code scanning alerts
## Support Resources
- **Docker Guide:** [DOCKER.md](../DOCKER.md)
- **Quick Start:** [QUICKSTART.md](../QUICKSTART.md)
- **Development:** [CLAUDE.md](../CLAUDE.md)
- **Workflows:** [.github/workflows/README.md](workflows/README.md)
## Troubleshooting
### Common Issues
1. **Build takes too long**
- Multi-platform builds take 30-45 minutes (normal)
- Consider using self-hosted runners
2. **Permission denied on push**
- Check Settings → Actions → General → Workflow permissions
- Enable "Read and write permissions"
3. **Image not found**
- For private repos, login to GHCR first
- Check package exists at github.com/valknarxxx?tab=packages
4. **Container exits immediately**
- Check logs: `docker logs <container>`
- Verify environment variables
- Ensure port 3000 is not in use
See [DOCKER.md](../DOCKER.md) for detailed troubleshooting.
---
**Created:** 2025-10-25
**Last Updated:** 2025-10-25
**Status:** ✅ Ready for production

344
.github/workflows/README.md vendored
View File

@@ -1,344 +0,0 @@
# GitHub Actions Workflows
This directory contains automated workflows for building, scanning, and managing Docker images for sexy.pivoine.art.
## Workflows
### 1. Build and Push Docker Image (`docker-build-push.yml`)
**Triggers:**
- Push to `main` or `develop` branches
- New version tags (e.g., `v1.0.0`)
- Pull requests to `main`
- Manual trigger via workflow_dispatch
**What it does:**
- Builds multi-platform Docker images (AMD64 + ARM64)
- Pushes to GitHub Container Registry as `ghcr.io/valknarxxx/sexy`
- Creates tags based on branch, version, and commit SHA
- Uses build cache for faster builds
- Only builds (doesn't push) for PRs
**Image Tags:**
- `latest` - Latest build from main branch
- `main`, `develop` - Branch-based tags
- `v1.0.0`, `v1.0`, `v1` - Semantic version tags
- `main-abc123` - Branch + commit SHA
- `pr-123` - Pull request builds
- Custom tags via manual trigger
**Usage:**
```bash
# Automatically triggered on push to main
git push origin main
# Create a release tag
git tag v1.0.0
git push origin v1.0.0
# Manual trigger from GitHub UI
# Actions → Build and Push Docker Image → Run workflow
```
**Pulling images:**
```bash
# Latest version
docker pull ghcr.io/valknarxxx/sexy:latest
# Specific version
docker pull ghcr.io/valknarxxx/sexy:v1.0.0
# Specific branch
docker pull ghcr.io/valknarxxx/sexy:develop
```
### 2. Docker Image Security Scan (`docker-scan.yml`)
**Triggers:**
- Daily at 2 AM UTC (scheduled)
- Push to `main` branch
- New version tags
- Manual trigger
**What it does:**
- Scans the latest image for vulnerabilities using Trivy
- Reports CRITICAL and HIGH severity issues
- Uploads results to GitHub Security tab
- Runs on a schedule to detect new vulnerabilities
**Viewing results:**
- Go to repository → Security → Code scanning alerts
- Check workflow run summary for table output
**Manual scan:**
```bash
# From GitHub UI
# Actions → Docker Image Security Scan → Run workflow
```
### 3. Cleanup Old Docker Images (`cleanup-images.yml`)
**Triggers:**
- Weekly on Sunday at 3 AM UTC
- Manual trigger
**What it does:**
- Removes old untagged image versions
- Keeps the 10 most recent versions by default
- Frees up GitHub Container Registry storage
**Manual cleanup:**
```bash
# From GitHub UI with custom retention
# Actions → Cleanup Old Docker Images → Run workflow
# Set "keep_count" parameter (default: 10)
```
## Setup Requirements
### 1. Enable GitHub Container Registry
The workflows automatically use GitHub's Container Registry (ghcr.io). No additional setup needed - the `GITHUB_TOKEN` is automatically provided to workflows.
### 2. Repository Settings
Ensure the following permissions are enabled:
1. **Settings → Actions → General**
- Allow GitHub Actions: ✅ Enabled
- Workflow permissions: "Read and write permissions"
2. **Settings → Packages**
- Package visibility will inherit from repository visibility
- Can be changed to public/private as needed
### 3. Branch Protection (Optional)
For production use, consider:
1. **Settings → Branches → Branch protection rules**
- Protect `main` branch
- Require PR reviews
- Require status checks (Docker build) to pass
## Secrets and Environment Variables
### Required Secrets
None! The workflows use the built-in `GITHUB_TOKEN` which is automatically provided.
### Optional Secrets
If you need to deploy to production automatically, you can add:
- `PRODUCTION_SSH_KEY` - For SSH deployment
- `PRODUCTION_HOST` - Production server hostname
- `PRODUCTION_USER` - Production server user
## Image Visibility
By default, GitHub Container Registry packages inherit repository visibility:
- **Public repository** → Public images
- **Private repository** → Private images
To change package visibility:
1. Go to https://github.com/users/valknarxxx/packages/container/sexy/settings
2. Change visibility under "Danger Zone"
## Pulling Images
### Public Images
```bash
docker pull ghcr.io/valknarxxx/sexy:latest
```
### Private Images
```bash
# 1. Create a GitHub Personal Access Token with read:packages scope
# Settings → Developer settings → Personal access tokens → Tokens (classic)
# Scopes: read:packages
# 2. Login to GitHub Container Registry
echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin
# 3. Pull the image
docker pull ghcr.io/valknarxxx/sexy:latest
```
## Best Practices
### Version Tagging
Use semantic versioning for releases:
```bash
# Major release (breaking changes)
git tag v2.0.0
# Minor release (new features)
git tag v1.1.0
# Patch release (bug fixes)
git tag v1.0.1
# Always push tags
git push origin --tags
```
### Development Workflow
```bash
# 1. Create feature branch
git checkout -b feature/new-feature
# 2. Make changes and commit
git add .
git commit -m "Add new feature"
# 3. Push and create PR
git push origin feature/new-feature
# Create PR on GitHub - this triggers a test build
# 4. Merge to develop for staging
# Merging to develop triggers a build with 'develop' tag
# 5. Merge to main for production
# Merging to main triggers a build with 'latest' tag
# 6. Tag releases
git checkout main
git pull
git tag v1.0.0
git push origin v1.0.0
# This triggers a build with version tags
```
## Monitoring
### Build Status
Check workflow status:
- Repository → Actions → Select workflow
- View logs, artifacts, and summaries
### Image Registry
View published images:
- https://github.com/valknarxxx?tab=packages
- Or repository → Packages
### Security Alerts
View vulnerability scans:
- Repository → Security → Code scanning alerts
- Filter by "Trivy" tool
## Troubleshooting
### Build Failures
**Problem:** Build fails at Rust installation
**Solution:**
- Check GitHub Actions runner status
- Verify Dockerfile Rust installation steps
- Check build logs for network issues
**Problem:** Permission denied when pushing
**Solution:**
- Verify repository Settings → Actions → General → Workflow permissions
- Ensure "Read and write permissions" is enabled
**Problem:** Multi-platform build timeout
**Solution:**
- Builds can take 30-45 minutes for multi-platform
- This is normal for Rust/WASM compilation
- Consider splitting platforms or using self-hosted runners
### Pull Failures
**Problem:** Cannot pull private image
**Solution:**
```bash
# Ensure you're logged in
echo $GITHUB_TOKEN | docker login ghcr.io -u valknarxxx --password-stdin
# Verify token has read:packages scope
```
**Problem:** Image not found
**Solution:**
- Check image exists: https://github.com/valknarxxx?tab=packages
- Verify tag name is correct
- Ensure you have access to private packages
## Advanced Configuration
### Self-Hosted Runners
For faster builds, use self-hosted runners:
```yaml
jobs:
build-and-push:
runs-on: self-hosted # Change from ubuntu-latest
# ... rest of job
```
### Build-time Variables
Pass build arguments:
```yaml
build-args: |
NODE_ENV=production
CUSTOM_VAR=value
```
### Deploy on Push
Add a deployment job:
```yaml
jobs:
deploy:
needs: build-and-push
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- name: Deploy to production
# Add deployment steps
```
## Cost Optimization
### Storage Limits
GitHub provides:
- **Public repos:** Unlimited storage and bandwidth
- **Private repos:** 500MB storage, 1GB bandwidth (free tier)
### Optimization Tips
1. **Regular cleanup:** Run cleanup workflow weekly
2. **Limit platforms:** Build only needed architectures
3. **Use cache:** BuildKit cache reduces rebuild time
4. **Minimize layers:** Optimize Dockerfile
### Monitoring Usage
Check package storage:
- Settings → Billing → Packages
- View storage usage per package

42
.github/workflows/cleanup-images.yml vendored
View File

@@ -1,42 +0,0 @@
name: Cleanup Old Docker Images
on:
schedule:
# Run weekly on Sunday at 3 AM UTC
- cron: '0 3 * * 0'
workflow_dispatch:
inputs:
keep_count:
description: 'Number of recent images to keep (per tag pattern)'
required: false
default: '10'
env:
REGISTRY: ghcr.io
IMAGE_NAME: valknarxxx/sexy
jobs:
cleanup:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Delete old container images
uses: actions/delete-package-versions@v5
with:
package-name: 'sexy'
package-type: 'container'
min-versions-to-keep: ${{ github.event.inputs.keep_count || 10 }}
delete-only-untagged-versions: 'true'
- name: Generate cleanup summary
run: |
echo "### Docker Image Cleanup :broom:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Registry:** \`${{ env.REGISTRY }}\`" >> $GITHUB_STEP_SUMMARY
echo "**Image:** \`${{ env.IMAGE_NAME }}\`" >> $GITHUB_STEP_SUMMARY
echo "**Kept versions:** ${{ github.event.inputs.keep_count || 10 }}" >> $GITHUB_STEP_SUMMARY
echo "**Cleanup Date:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Old untagged images have been removed to free up storage." >> $GITHUB_STEP_SUMMARY

116
.github/workflows/docker-build-push.yml vendored
View File

@@ -1,116 +0,0 @@
name: Build and Push Docker Image
on:
push:
branches:
- main
- develop
tags:
- 'v*.*.*'
pull_request:
branches:
- main
workflow_dispatch:
inputs:
tag:
description: 'Custom tag for the image'
required: false
default: 'manual'
env:
REGISTRY: ghcr.io
IMAGE_NAME: valknarxxx/sexy
jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64,linux/arm64
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels)
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
# Tag as 'latest' for main branch
type=raw,value=latest,enable={{is_default_branch}}
# Tag with branch name
type=ref,event=branch
# Tag with PR number
type=ref,event=pr
# Tag with git tag (semver)
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
# Tag with commit SHA
type=sha,prefix={{branch}}-
# Custom tag from workflow_dispatch
type=raw,value=${{ github.event.inputs.tag }},enable=${{ github.event_name == 'workflow_dispatch' }}
labels: |
org.opencontainers.image.title=sexy.pivoine.art
org.opencontainers.image.description=Adult content platform with SvelteKit, Directus, and hardware integration
org.opencontainers.image.vendor=valknarxxx
org.opencontainers.image.source=https://github.com/${{ github.repository }}
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
NODE_ENV=production
CI=true
- name: Generate image digest
if: github.event_name != 'pull_request'
run: |
echo "### Docker Image Published :rocket:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Registry:** \`${{ env.REGISTRY }}\`" >> $GITHUB_STEP_SUMMARY
echo "**Image:** \`${{ env.IMAGE_NAME }}\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Tags:**" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Pull command:**" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
echo "docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
- name: PR Comment - Image built but not pushed
if: github.event_name == 'pull_request'
run: |
echo "### Docker Image Built Successfully :white_check_mark:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Image was built successfully but **not pushed** (PR builds are not published)." >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Would be tagged as:**" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

71
.github/workflows/docker-scan.yml vendored
View File

@@ -1,71 +0,0 @@
name: Docker Image Security Scan
on:
schedule:
# Run daily at 2 AM UTC
- cron: '0 2 * * *'
push:
branches:
- main
tags:
- 'v*.*.*'
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: valknarxxx/sexy
jobs:
scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Pull latest image
run: |
docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest || echo "Image not found, will skip scan"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Run Trivy vulnerability scanner (table output)
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: 'table'
severity: 'CRITICAL,HIGH,MEDIUM'
- name: Generate scan summary
if: always()
run: |
echo "### Security Scan Results :shield:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Image:** \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Scan Date:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Check the Security tab for detailed vulnerability reports." >> $GITHUB_STEP_SUMMARY