name: Build and Deploy Container env: TARGET_HOST: host.containers.internal #TARGET_HOST: www.valtrix.systems TARGET_USER: traefik APP_DIR: /home/traefik/valtrix-website CONTAINER_NAME: valtrix-website QUADLET_FILE: ./deploy/valtrix-website.container SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }} on: push: branches: - main - develop jobs: build_and_deploy: runs-on: ubuntu-latest steps: - name: Pre-clean Git global config (avoid https→ssh rewrite) shell: bash run: | set -euo pipefail git --version || true echo "Global git config before:" || true git config --global --list || true # Remove any url.*.insteadof rules that force SSH for gitea.smb-corp.de for key in $(git config --global --get-regexp '^url\\..*\\.insteadof$' 2>/dev/null | awk '{print $1}'); do if echo "$key" | grep -qi 'gitea\\.smb-corp\\.de'; then echo "Removing global mapping: $key" git config --global --unset-all "$key" || true fi done # Ensure no global sshCommand forces SSH git config --global --unset-all core.sshCommand || true echo "Global git config after:" || true git config --global --list || true - name: Setup SSH for git/scp shell: bash run: | install -m 700 -d ~/.ssh printf "%s\n" "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 printf "%s\n" "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts || true chmod 644 ~/.ssh/known_hosts # Ensure host keys are present to avoid interactive prompts (ssh-keygen -F "$TARGET_HOST" >/dev/null || ssh-keyscan -H "$TARGET_HOST" >> ~/.ssh/known_hosts) || true (ssh-keygen -F gitea.smb-corp.de >/dev/null || ssh-keyscan -H gitea.smb-corp.de >> ~/.ssh/known_hosts) || true - name: Checkout Repository uses: actions/checkout@v4 - name: Copy entire repository to target host (scp -> atomic replace) shell: bash run: | set -euo pipefail # Work in a temp directory to avoid partial updates and handle ownership issues more clearly TMP_DIR="$APP_DIR.tmp.$(date +%s)" echo "Creating remote temp dir $TMP_DIR" ssh -o BatchMode=yes -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "mkdir -p '$TMP_DIR'" echo "Copying repository files to $TARGET_HOST:$TMP_DIR via scp (includes hidden files)" # Enable dotglob so hidden files are included in the glob shopt -s dotglob || true # Copy all files and directories in the repo root to the remote temp dir scp -r -o BatchMode=yes -i ~/.ssh/id_ed25519 ./* $TARGET_USER@$TARGET_HOST:$TMP_DIR/ echo "Attempting atomic replacement of $APP_DIR with $TMP_DIR" # Try to remove existing dir and move temp into place. If removal fails due to permissions, leave temp and error. ssh -o BatchMode=yes -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "set -euo pipefail; if [ -d '$APP_DIR' ]; then rm -rf '$APP_DIR' || { echo 'ERROR: cannot remove existing $APP_DIR (permissions)'; exit 2; } fi; mv '$TMP_DIR' '$APP_DIR'" echo "Copy and replace finished" - name: Build container on target host run: | # Expand $APP_DIR locally so the remote shell receives the concrete path ssh $TARGET_USER@$TARGET_HOST "set -euo pipefail; cd '$APP_DIR' && echo 'PWD:' \$(pwd) && ls -la . && podman build -t $CONTAINER_NAME:latest ." - name: Backup Quadlet file run: | ssh $TARGET_USER@$TARGET_HOST ' test -f ~/.config/containers/systemd/$CONTAINER_NAME.container && \ cp ~/.config/containers/systemd/$CONTAINER_NAME.container ~/.config/containers/systemd/$CONTAINER_NAME.container.bak || true ' - name: Replace Quadlet file run: | scp ./$QUADLET_FILE $TARGET_USER@$TARGET_HOST:~/.config/containers/systemd/ ssh $TARGET_USER@$TARGET_HOST ' systemctl --user daemon-reload && echo "Reloaded user systemd daemon" && \ systemctl --user restart $CONTAINER_NAME ' - name: Verify deployment run: | ssh $TARGET_USER@$TARGET_HOST ' podman ps --filter "name=$CONTAINER_NAME" --format "table {{.Names}}\t{{.Image}}\t{{.Status}}" echo "Container logs:" podman logs $CONTAINER_NAME --tail 20 '