# CI/CD pipeline for MicCheck. Read by both Gitea Actions and GitHub Actions # (both look under .github/workflows/). Every non-checkout step just invokes a # bash script under scripts/ci/, so the entire pipeline is reproducible by # running the same scripts locally - no marketplace build/test/push actions. # # Gitea (origin) is the internal/testing remote and runs the full pipeline: # build, test, docker push, deploy-to-qa, smoke test. GitHub is the public # mirror and only needs to prove the code builds and tests pass - it has no # registry secrets and no [self-hosted, qa] runner, so the docker push and # deploy/smoke jobs are skipped there via the `github.server_url` check # below (identical on both engines: https://github.com on GitHub, the Gitea # instance URL on Gitea). name: CI on: push: paths-ignore: [badges/**] jobs: build-and-push: runs-on: ubuntu-latest permissions: contents: write env: REGISTRY: ${{ secrets.REGISTRY }} REGISTRY_OWNER: ${{ secrets.REGISTRY_OWNER }} REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} steps: - uses: actions/checkout@v4 - name: Build run: ./scripts/ci/build.sh - name: Test run: ./scripts/ci/test.sh - name: Coverage report run: ./scripts/ci/coverage.sh - name: Publish coverage badge env: GITHUB_TOKEN: ${{ github.token }} run: ./scripts/ci/publish-coverage-badge.sh - name: Build Docker images if: github.server_url != 'https://github.com' && github.ref_name == 'main' run: ./scripts/ci/docker-build.sh - name: Push Docker images if: github.server_url != 'https://github.com' && github.ref_name == 'main' run: ./scripts/ci/docker-push.sh deploy-qa: needs: build-and-push if: github.server_url != 'https://github.com' && github.ref_name == 'main' runs-on: [self-hosted, qa] env: REGISTRY: ${{ secrets.REGISTRY }} REGISTRY_OWNER: ${{ secrets.REGISTRY_OWNER }} REGISTRY_USER: ${{ secrets.REGISTRY_USER }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} JWT_SECRET_KEY: ${{ secrets.JWT_SECRET_KEY }} QA_ADMIN_PORT: ${{ vars.QA_ADMIN_PORT }} steps: # actions/checkout@v4 is a Node-based action; this runner has no node # in PATH, so checkout plain git instead of via marketplace action. - name: Checkout run: | git init -q . git remote add origin "${{ github.server_url }}/${{ github.repository }}.git" git -c http.extraheader="AUTHORIZATION: bearer ${{ github.token }}" fetch --depth=1 origin "${{ github.sha }}" git checkout -q FETCH_HEAD - name: Deploy to QA run: ./scripts/ci/deploy-qa.sh smoke-qa: needs: deploy-qa if: github.server_url != 'https://github.com' runs-on: [self-hosted, qa] env: QA_ADMIN_PORT: ${{ vars.QA_ADMIN_PORT }} steps: # actions/checkout@v4 is a Node-based action; this runner has no node # in PATH, so checkout plain git instead of via marketplace action. - name: Checkout run: | git init -q . git remote add origin "${{ github.server_url }}/${{ github.repository }}.git" git -c http.extraheader="AUTHORIZATION: bearer ${{ github.token }}" fetch --depth=1 origin "${{ github.sha }}" git checkout -q FETCH_HEAD - name: Smoke test QA deployment run: ./scripts/ci/smoke-qa.sh