From 12bdcab180d1e2067f207b06b50293baddd2b033 Mon Sep 17 00:00:00 2001 From: "Billy D." Date: Wed, 18 Feb 2026 18:30:14 -0500 Subject: [PATCH] feat: add Gitea CI/CD with Vault-backed kubeconfig deploy - Create CI workflow: lint, release, docker build+push, kustomize deploy - Switch image registry from GHCR to internal Gitea registry - Deploy job uses kubeconfig mounted from Vault via ESO - Add ntfy notifications for success, deploy, and failure --- .gitea/workflows/ci.yml | 246 ++++++++++++++++++++++++++++++++++++++++ embeddings.yaml | 2 +- llm.yaml | 4 +- stt.yaml | 2 +- tts.yaml | 2 +- 5 files changed, 251 insertions(+), 5 deletions(-) create mode 100644 .gitea/workflows/ci.yml diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml new file mode 100644 index 0000000..90e4188 --- /dev/null +++ b/.gitea/workflows/ci.yml @@ -0,0 +1,246 @@ +name: CI + +on: + push: + branches: [main] + pull_request: + branches: [main] + +env: + NTFY_URL: http://ntfy.observability.svc.cluster.local:80 + REGISTRY: gitea-http.gitea.svc.cluster.local:3000/daviestechlabs + REGISTRY_HOST: gitea-http.gitea.svc.cluster.local:3000 + IMAGE_NAME: gradio-ui + KUSTOMIZE_NAMESPACE: ai-ml + +jobs: + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up uv + run: curl -LsSf https://astral.sh/uv/install.sh | sh && echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Set up Python + run: uv python install 3.13 + + - name: Install dependencies + run: uv pip install --system -r requirements.txt ruff + + - name: Run ruff check + run: uvx ruff check . + + - name: Run ruff format check + run: uvx ruff format --check . + + release: + name: Release + runs-on: ubuntu-latest + needs: [lint] + if: gitea.ref == 'refs/heads/main' && gitea.event_name == 'push' + outputs: + version: ${{ steps.version.outputs.version }} + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Determine version bump + id: version + run: | + LATEST=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0") + VERSION=${LATEST#v} + IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION" + + MSG="${{ gitea.event.head_commit.message }}" + if echo "$MSG" | grep -qiE "^major:|BREAKING CHANGE"; then + MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0 + BUMP="major" + elif echo "$MSG" | grep -qiE "^(minor:|feat:)"; then + MINOR=$((MINOR + 1)); PATCH=0 + BUMP="minor" + else + PATCH=$((PATCH + 1)) + BUMP="patch" + fi + + NEW_VERSION="v${MAJOR}.${MINOR}.${PATCH}" + echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT + echo "bump=$BUMP" >> $GITHUB_OUTPUT + echo "Bumping $LATEST → $NEW_VERSION ($BUMP)" + + - name: Create and push tag + run: | + git config user.name "gitea-actions[bot]" + git config user.email "actions@git.daviestechlabs.io" + git tag -a ${{ steps.version.outputs.version }} -m "Release ${{ steps.version.outputs.version }}" + git push origin ${{ steps.version.outputs.version }} + + docker: + name: Docker Build & Push + runs-on: ubuntu-latest + needs: [lint, release] + if: gitea.ref == 'refs/heads/main' && gitea.event_name == 'push' + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + buildkitd-config-inline: | + [registry."gitea-http.gitea.svc.cluster.local:3000"] + http = true + insecure = true + + - name: Login to Docker Hub + if: vars.DOCKERHUB_USERNAME != '' + uses: docker/login-action@v3 + with: + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Configure Docker for insecure registry + run: | + sudo mkdir -p /etc/docker + echo '{"insecure-registries": ["${{ env.REGISTRY_HOST }}"]}' | sudo tee /etc/docker/daemon.json + sudo systemctl restart docker || sudo service docker restart || true + sleep 2 + + - name: Login to Gitea Registry + run: | + AUTH=$(echo -n "${{ secrets.REGISTRY_USER }}:${{ secrets.REGISTRY_TOKEN }}" | base64 -w0) + mkdir -p ~/.docker + cat > ~/.docker/config.json << EOF + { + "auths": { + "${{ env.REGISTRY_HOST }}": { + "auth": "$AUTH" + } + } + } + EOF + echo "Auth configured for ${{ env.REGISTRY_HOST }}" + + - name: Extract metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=semver,pattern={{version}},value=${{ needs.release.outputs.version }} + type=semver,pattern={{major}}.{{minor}},value=${{ needs.release.outputs.version }} + type=raw,value=latest,enable={{is_default_branch}} + + - name: Build and push + uses: docker/build-push-action@v5 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + deploy: + name: Deploy to Kubernetes + runs-on: ubuntu-latest + needs: [docker, release] + if: gitea.ref == 'refs/heads/main' && gitea.event_name == 'push' + container: + image: catthehacker/ubuntu:act-latest + volumes: + - /secrets/kubeconfig:/secrets/kubeconfig + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install kubectl + run: | + curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + chmod +x kubectl && sudo mv kubectl /usr/local/bin/ + + - name: Update image tag in manifests + env: + KUBECONFIG: /secrets/kubeconfig/config + run: | + VERSION="${{ needs.release.outputs.version }}" + VERSION="${VERSION#v}" + for DEPLOY in llm embeddings stt tts; do + sed -i "s|image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:.*|image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}|" "${DEPLOY}.yaml" + done + + - name: Apply kustomization + env: + KUBECONFIG: /secrets/kubeconfig/config + run: | + kubectl apply -k . --namespace ${{ env.KUSTOMIZE_NAMESPACE }} + + - name: Rollout restart deployments + env: + KUBECONFIG: /secrets/kubeconfig/config + run: | + for DEPLOY in llm-ui embeddings-ui stt-ui tts-ui; do + kubectl rollout restart deployment/${DEPLOY} -n ${{ env.KUSTOMIZE_NAMESPACE }} 2>/dev/null || true + done + + - name: Wait for rollout + env: + KUBECONFIG: /secrets/kubeconfig/config + run: | + for DEPLOY in llm-ui embeddings-ui stt-ui tts-ui; do + kubectl rollout status deployment/${DEPLOY} -n ${{ env.KUSTOMIZE_NAMESPACE }} --timeout=120s 2>/dev/null || true + done + + notify: + name: Notify + runs-on: ubuntu-latest + needs: [lint, release, docker, deploy] + if: always() + steps: + - name: Notify on success + if: needs.lint.result == 'success' && needs.docker.result == 'success' + run: | + curl -s \ + -H "Title: ✅ CI Passed: ${{ gitea.repository }}" \ + -H "Priority: default" \ + -H "Tags: white_check_mark,github" \ + -H "Click: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}" \ + -d "Branch: ${{ gitea.ref_name }} + Commit: ${{ gitea.event.head_commit.message || gitea.sha }} + Release: ${{ needs.release.result == 'success' && needs.release.outputs.version || 'skipped' }} + Docker: ${{ needs.docker.result }} + Deploy: ${{ needs.deploy.result }}" \ + ${{ env.NTFY_URL }}/gitea-ci + + - name: Notify on deploy success + if: needs.deploy.result == 'success' + run: | + curl -s \ + -H "Title: 🚀 Deployed: ${{ gitea.repository }}" \ + -H "Priority: default" \ + -H "Tags: rocket,kubernetes" \ + -H "Click: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}" \ + -d "Version: ${{ needs.release.outputs.version }} + Namespace: ${{ env.KUSTOMIZE_NAMESPACE }} + Apps: llm-ui, embeddings-ui, stt-ui, tts-ui" \ + ${{ env.NTFY_URL }}/gitea-ci + + - name: Notify on failure + if: needs.lint.result == 'failure' || needs.docker.result == 'failure' || needs.deploy.result == 'failure' + run: | + curl -s \ + -H "Title: ❌ CI Failed: ${{ gitea.repository }}" \ + -H "Priority: high" \ + -H "Tags: x,github" \ + -H "Click: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}" \ + -d "Branch: ${{ gitea.ref_name }} + Commit: ${{ gitea.event.head_commit.message || gitea.sha }} + Lint: ${{ needs.lint.result }} + Docker: ${{ needs.docker.result }} + Deploy: ${{ needs.deploy.result }}" \ + ${{ env.NTFY_URL }}/gitea-ci diff --git a/embeddings.yaml b/embeddings.yaml index 16c4b77..ce0e7f5 100644 --- a/embeddings.yaml +++ b/embeddings.yaml @@ -20,7 +20,7 @@ spec: spec: containers: - name: gradio - image: ghcr.io/billy-davies-2/llm-apps:v2-202602130804 + image: gitea-http.gitea.svc.cluster.local:3000/daviestechlabs/gradio-ui:latest imagePullPolicy: Always command: ["python", "embeddings.py"] ports: diff --git a/llm.yaml b/llm.yaml index 7acfd79..f6469b8 100644 --- a/llm.yaml +++ b/llm.yaml @@ -20,7 +20,7 @@ spec: spec: containers: - name: gradio - image: ghcr.io/billy-davies-2/llm-apps:v2-202602130804 + image: gitea-http.gitea.svc.cluster.local:3000/daviestechlabs/gradio-ui:latest imagePullPolicy: Always command: ["python", "llm.py"] ports: @@ -53,7 +53,7 @@ spec: initialDelaySeconds: 5 periodSeconds: 10 imagePullSecrets: - - name: ghcr-registry + - name: gitea-registry --- apiVersion: v1 kind: Service diff --git a/stt.yaml b/stt.yaml index e433891..3e650a6 100644 --- a/stt.yaml +++ b/stt.yaml @@ -20,7 +20,7 @@ spec: spec: containers: - name: gradio - image: ghcr.io/billy-davies-2/llm-apps:v2-202602130804 + image: gitea-http.gitea.svc.cluster.local:3000/daviestechlabs/gradio-ui:latest imagePullPolicy: Always command: ["python", "stt.py"] ports: diff --git a/tts.yaml b/tts.yaml index 69eafb0..53582af 100644 --- a/tts.yaml +++ b/tts.yaml @@ -20,7 +20,7 @@ spec: spec: containers: - name: gradio - image: ghcr.io/billy-davies-2/llm-apps:v2-202602130804 + image: gitea-http.gitea.svc.cluster.local:3000/daviestechlabs/gradio-ui:latest imagePullPolicy: Always command: ["python", "tts.py"] ports: