seed: .gitea/workflows/deploy.yml

2026-04-23 14:21:25 +00:00 · 2026-04-23 14:21:25 +00:00 · 764c585af9
commit 764c585af9
parent b6963fde33
1 changed files with 69 additions and 0 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@ -0,0 +1,69 @@
+name: deploy
+
+# Fires on any `deploy-<layer>-<YYYY-MM-DD>` tag pushed to main. The
+# runner pulls the compass-mcp image from ECR and invokes
+# `compass-mcp-deploy run --tag $GITHUB_REF_NAME` inside that container.
+
+on:
+  push:
+    tags:
+      - "deploy-*-*"
+
+jobs:
+  apply-migrations:
+    runs-on: ubuntu-latest
+    # The runner config allow-lists this network + volumes; both have
+    # to match what bootstrap-gitea.sh wrote into runner-config.yaml.
+    container:
+      image: ${{ vars.COMPASS_MCP_IMAGE }}
+      # Join the compose network so `neo4j:7687` resolves. Override
+      # `compass_default` via the COMPASS_NETWORK repo variable if the
+      # compose project name differs.
+      network: ${{ vars.COMPASS_NETWORK || 'graph-db_default' }}
+      volumes:
+        - ${{ vars.COMPASS_SNAPSHOT_DIR || '/var/lib/compass/snapshots' }}:${{ vars.COMPASS_SNAPSHOT_DIR || '/var/lib/compass/snapshots' }}
+    env:
+      # Structured graph (7687). These are the ONLY credentials with
+      # write access — kept in Gitea repo secrets and never read by
+      # the read-side services.
+      NEO4J_URI: ${{ secrets.NEO4J_URI }}
+      NEO4J_USER: ${{ secrets.NEO4J_DEPLOY_USER }}
+      NEO4J_PASSWORD: ${{ secrets.NEO4J_DEPLOY_PASSWORD }}
+      POSTGRES_RAG_DSN: ${{ secrets.POSTGRES_RAG_DSN }}
+      COMPASS_SNAPSHOT_DIR: ${{ vars.COMPASS_SNAPSHOT_DIR || '/var/lib/compass/snapshots' }}
+
+    steps:
+      - name: Check out migrations repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Ensure snapshot directory exists
+        run: mkdir -p "$COMPASS_SNAPSHOT_DIR"
+
+      - name: Apply migrations
+        id: deploy
+        run: |
+          set -euo pipefail
+          compass-mcp-deploy run \
+            --tag "$GITHUB_REF_NAME" \
+            --repo "$GITHUB_WORKSPACE" \
+            --snapshot-dir "$COMPASS_SNAPSHOT_DIR" \
+            --reviewer "$GITHUB_ACTOR" \
+            | tee "deploy-result-$GITHUB_REF_NAME.json"
+
+      - name: Record resolved image digest
+        if: always()
+        run: |
+          echo "image=${{ vars.COMPASS_MCP_IMAGE }}" >> deploy-meta.txt
+          echo "digest=$(cat /proc/self/cgroup 2>/dev/null | head -1 || true)" >> deploy-meta.txt
+
+      - name: Upload deploy result
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: deploy-result-${{ github.ref_name }}
+          path: |
+            deploy-result-*.json
+            deploy-meta.txt