From 764c585af9dc13bc383d16fab43ffc80d7da5cec Mon Sep 17 00:00:00 2001
From: compass-admin
Date: Thu, 23 Apr 2026 14:21:25 +0000
Subject: [PATCH] seed: .gitea/workflows/deploy.yml
---
.gitea/workflows/deploy.yml | 69 +++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 .gitea/workflows/deploy.yml
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
new file mode 100644
index 0000000..f410de7
--- /dev/null
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,69 @@
+name: deploy
+
+# Fires on any `deploy--` tag pushed to main. The
+# runner pulls the compass-mcp image from ECR and invokes
+# `compass-mcp-deploy run --tag $GITHUB_REF_NAME` inside that container.
+
+on:
+ push:
+ tags:
+ - "deploy-*-*"
+
+jobs:
+ apply-migrations:
+ runs-on: ubuntu-latest
+ # The runner config allow-lists this network + volumes; both have
+ # to match what bootstrap-gitea.sh wrote into runner-config.yaml.
+ container:
+ image: ${{ vars.COMPASS_MCP_IMAGE }}
+ # Join the compose network so `neo4j:7687` resolves. Override
+ # `compass_default` via the COMPASS_NETWORK repo variable if the
+ # compose project name differs.
+ network: ${{ vars.COMPASS_NETWORK || 'graph-db_default' }}
+ volumes:
+ - ${{ vars.COMPASS_SNAPSHOT_DIR || '/var/lib/compass/snapshots' }}:${{ vars.COMPASS_SNAPSHOT_DIR || '/var/lib/compass/snapshots' }}
+ env:
+ # Structured graph (7687). These are the ONLY credentials with
+ # write access — kept in Gitea repo secrets and never read by
+ # the read-side services.
+ NEO4J_URI: ${{ secrets.NEO4J_URI }}
+ NEO4J_USER: ${{ secrets.NEO4J_DEPLOY_USER }}
+ NEO4J_PASSWORD: ${{ secrets.NEO4J_DEPLOY_PASSWORD }}
+ POSTGRES_RAG_DSN: ${{ secrets.POSTGRES_RAG_DSN }}
+ COMPASS_SNAPSHOT_DIR: ${{ vars.COMPASS_SNAPSHOT_DIR || '/var/lib/compass/snapshots' }}
+
+ steps:
+ - name: Check out migrations repo
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+
+ - name: Ensure snapshot directory exists
+ run: mkdir -p "$COMPASS_SNAPSHOT_DIR"
+
+ - name: Apply migrations
+ id: deploy
+ run: |
+ set -euo pipefail
+ compass-mcp-deploy run \
+ --tag "$GITHUB_REF_NAME" \
+ --repo "$GITHUB_WORKSPACE" \
+ --snapshot-dir "$COMPASS_SNAPSHOT_DIR" \
+ --reviewer "$GITHUB_ACTOR" \
+ | tee "deploy-result-$GITHUB_REF_NAME.json"
+
+ - name: Record resolved image digest
+ if: always()
+ run: |
+ echo "image=${{ vars.COMPASS_MCP_IMAGE }}" >> deploy-meta.txt
+ echo "digest=$(cat /proc/self/cgroup 2>/dev/null | head -1 || true)" >> deploy-meta.txt
+
+ - name: Upload deploy result
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: deploy-result-${{ github.ref_name }}
+ path: |
+ deploy-result-*.json
+ deploy-meta.txt
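Review bot: Nothing in this workflow ties the tag to `main`: the header comment says the job fires on tags pushed to main, but `on.push.tags` filters on the tag name only, so a `deploy-*-*` tag on any commit runs `compass-mcp-deploy` against that checkout with the deploy credentials the `env` comment describes as the only ones with write access. Because `fetch-depth: 0` is already set, a step before "Apply migrations" could enforce the ancestry, e.g. `run: git merge-base --is-ancestor "$GITHUB_SHA" origin/main` (assuming the checkout leaves an `origin/main` ref on this runner), alongside tag protection on the server. Note too that `--reviewer "$GITHUB_ACTOR"` records whoever pushed the tag, which is not evidence of review. The "Record resolved image digest" step does not record a digest either: `digest=` is filled from the first line of `/proc/self/cgroup`, so either require `COMPASS_MCP_IMAGE` to be an `@sha256:` reference or rename the field so the artifact is not read as provenance. Pinning `actions/checkout@v4` and `actions/upload-artifact@v4` to full commit SHAs would fit the sensitivity of this job.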