Migrate deploy off GitHub Actions to Forgejo + in-cluster registry #17

Closed
opened 2026-05-28 12:41:20 +00:00 by coilysiren · 0 comments
Owner

**Gated on coilysiren/backend#25.** Do not start until backend's migration PR has merged - it establishes the pattern (Forgejo workflow shape + deployer SA/RBAC + kubeconfig secret + registry image ref). Use backend's merged PR as the byte-level template, adjusting for this repo's namespace and app names.

## Context

GitHub no longer joins the tailnet (`TS_*` secrets already stripped from this repo). The in-cluster registry `192.168.0.194:30500` is live and verified (coilysiren/infrastructure#168). Deploys move to the in-cluster Forgejo runner pushing to that registry.

## Work (replicate backend#25 for this repo)

1. deployer ServiceAccount + Role/RoleBinding + token Secret in this repo's namespace; kubeconfig as a Forgejo Actions secret `DEPLOY_KUBECONFIG` (server `https://192.168.0.194:6443`).
2. `.forgejo/workflows/build-publish-deploy.yml` - test, then build -> push `192.168.0.194:30500/<name>:<sha>` -> `kubectl set image` -> `rollout status`. Preserve any existing CI-status report step.
3. Update the deploy manifest image ref + `imagePullPolicy`.
4. Remove the dead `.github/workflows/build-and-publish.yml`.
5. Verify a real deploy lands a pod pulling the registry image.

No tailnet join, no GHCR. The `DEPLOY_KUBECONFIG` secret is the only stored credential.

Blocked by: coilysiren/backend#25.

Reference
coilyco-flight-deck/galaxy-gen#17