ci: switch to K3s deploy via Forgejo registry + kubectl

- Build ARM64 image via QEMU/buildx on x86 runner - Push to Forgejo container registry (uses built-in GITHUB_TOKEN) - Deploy via kubectl with scoped deployer SA (docfast namespace only) - No SSH, no secrets on infra, no Docker on k3s-mgr
2026-02-18 11:41:19 +00:00 · 2026-02-18 11:41:19 +00:00 · 7a49541128
commit 7a49541128
parent 87946a1762
1 changed files with 44 additions and 84 deletions
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@ -1,93 +1,53 @@
-name: Deploy to Production
+name: Build & Deploy to K3s
 on:
  push:
    branches: [ main ]
 jobs:
-  deploy:
+  build-and-deploy:
-    name: Deploy to Server
+    name: Build & Deploy
    runs-on: ubuntu-latest
    steps:
-    - name: Write secrets and deploy
+    - name: Checkout
-      uses: appleboy/ssh-action@v1.1.0
+      uses: actions/checkout@v4
    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
    - name: Login to Forgejo Registry
      uses: docker/login-action@v3
      with:
-        host: ${{ secrets.SERVER_HOST }}
+        registry: git.cloonar.com
-        username: ${{ secrets.SERVER_USER }}
+        username: ${{ github.repository_owner }}
-        key: ${{ secrets.SSH_PRIVATE_KEY }}
+        password: ${{ secrets.GITHUB_TOKEN }}
        envs: STRIPE_SECRET_KEY,STRIPE_WEBHOOK_SECRET,DATABASE_PASSWORD
        script: |
          set -e
-          echo "🚀 Starting deployment..."
+    - name: Build and Push
-          cd /root/docfast
+      uses: docker/build-push-action@v5
      with:
        context: .
        push: true
        tags: |
          git.cloonar.com/openclawd/docfast:latest
          git.cloonar.com/openclawd/docfast:${{ github.sha }}
        platforms: linux/arm64
-          # Write .env from CI secrets
+    - name: Deploy to K3s
-          echo "📝 Writing .env from CI secrets..."
+      run: |
-          printf "STRIPE_SECRET_KEY=%s\nSTRIPE_WEBHOOK_SECRET=%s\nDATABASE_PASSWORD=%s\n" "$STRIPE_SECRET_KEY" "$STRIPE_WEBHOOK_SECRET" "$DATABASE_PASSWORD" > .env
+        curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
        chmod +x kubectl
-          # Verify .env has non-empty values
+        echo "${{ secrets.KUBECONFIG }}" | base64 -d > /tmp/kubeconfig.yaml
          if grep -q '=$' .env; then
            echo "❌ ERROR: .env has empty values - secrets not configured in Forgejo!"
            echo "Add STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, DATABASE_PASSWORD in Forgejo repo settings."
            exit 1
          fi
          echo "✅ .env written with $(wc -l < .env) vars"
-          git status --short || true
+        ./kubectl set image deployment/docfast \
          docfast=git.cloonar.com/openclawd/docfast:${{ github.sha }} \
          -n docfast --kubeconfig=/tmp/kubeconfig.yaml
-          echo "📥 Pulling latest changes..."
+        ./kubectl rollout status deployment/docfast \
-          git fetch origin
+          -n docfast --kubeconfig=/tmp/kubeconfig.yaml --timeout=180s
          git pull origin main
-          TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+        echo "✅ Deploy complete!"
          docker tag docfast-docfast:latest docfast-docfast:rollback-$TIMESTAMP || echo "No existing image to tag"
          echo "🔨 Building new Docker image..."
          docker compose build --no-cache
          echo "⏹️ Stopping services..."
          docker compose down --timeout 30
          echo "▶️ Starting services..."
          docker compose up -d
          echo "⏱️ Waiting for service to be ready..."
          for i in $(seq 1 30); do
            if curl -f -s http://127.0.0.1:3100/health > /dev/null; then
              echo "✅ Service is healthy!"
              break
            fi
            if [ $i -eq 30 ]; then
              echo "❌ Service failed to start - initiating rollback..."
              docker compose down
              ROLLBACK_IMAGE=$(docker images --format "table {{.Repository}}:{{.Tag}}" | grep "docfast-docfast:rollback-" | head -n1 | tr -s ' ' | cut -d' ' -f1)
              if [ ! -z "$ROLLBACK_IMAGE" ]; then
                echo "🔄 Rolling back to $ROLLBACK_IMAGE"
                docker tag $ROLLBACK_IMAGE docfast-docfast:latest
                docker compose up -d
                sleep 10
                if curl -f -s http://127.0.0.1:3100/health > /dev/null; then
                  echo "✅ Rollback successful"
                else
                  echo "❌ Rollback failed - manual intervention required"
                fi
              fi
              exit 1
            fi
            echo "⏳ Attempt $i/30 - waiting 5 seconds..."
            sleep 5
          done
          echo "🔍 Running post-deploy verification..."
          bash scripts/verify-deploy.sh
          echo "🧹 Cleaning up old rollback images..."
          docker images --format "table {{.Repository}}:{{.Tag}}" | grep "docfast-docfast:rollback-" | tail -n +6 | awk '{print $1}' | xargs -r docker rmi || true
          echo "🎉 Deployment completed successfully!"
      env:
        STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
        STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
        DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}