# .gitea/workflows/ci.yml — Wisp CI/CD (Gitea Actions, GitHub-Actions syntax) # --------------------------------------------------------------------------- # Runner model: a single self-hosted act_runner ON the briggen.dev server, with # the host Docker socket mounted into job containers (see /root/act_runner/ # config.yaml). Because the runner is co-located with the host Docker daemon + # the Traefik `proxy` network, deploy needs NO ssh keys and NO image registry — # `docker compose` simply builds and (re)creates the `wisp` container on the host. # # Triggers: # push to master -> test, then deploy-web # pull_request -> test only # # Required repo secrets (Settings -> Actions -> Secrets) — used by the APK job # once it is enabled (see TODO at the bottom): ANDROID_KEYSTORE_BASE64, # ANDROID_KEYSTORE_PASSWORD, ANDROID_KEY_ALIAS, ANDROID_KEY_PASSWORD. # --------------------------------------------------------------------------- name: CI on: push: branches: [master] pull_request: concurrency: group: ci-${{ github.ref }} cancel-in-progress: true jobs: # ---- test: typecheck + unit tests ---------------------------------------- # Runs on the default runner image (has Node, which actions/checkout needs); # Bun is installed in a step rather than via a Node-less bun container. test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Install Bun run: | curl -fsSL https://bun.sh/install | bash echo "$HOME/.bun/bin" >> "$GITHUB_PATH" - run: bun install --frozen-lockfile - run: bun run typecheck - run: bun run test # ---- deploy-web: build + (re)start the nginx web container on the host ---- # Runs on the server runner; the mounted host Docker socket means `docker # compose` builds the image and recreates the `wisp` service in place, joined # to the existing Traefik `proxy` network. No SSH, no registry. deploy-web: needs: test if: github.event_name == 'push' && github.ref == 'refs/heads/master' runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Build + (re)start wisp on the host run: docker compose -f deploy/wisp.compose.yml --project-directory . up -d --build --remove-orphans - name: Health check run: | for i in $(seq 1 10); do if docker exec wisp wget -qO- http://localhost:8080/healthz | grep -q ok; then echo "healthy"; exit 0 fi sleep 2 done echo "wisp container did not become healthy" >&2; exit 1 # ========================================================================= # TODO (next iteration, once the runner is validated): build-apk. # The Android build is genuinely risky (whisper.rn C++/NDK on RN 0.85) and # untested locally (no Android SDK on the dev box). It must be socket-safe: # a FULL `docker build` of a build-stage in docker/android.Dockerfile (repo # COPYed in, prebuild + gradlew assembleRelease, signing via BuildKit # --secret using the ANDROID_* secrets), then extract the APK with # `docker create`/`docker cp` (NO host bind-mounts — they don't resolve over # the mounted socket) and `docker cp` it into the running `wisp` container at # /usr/share/nginx/html/wisp.apk (served at https://wisp.briggen.dev/wisp.apk), # plus upload it as a CI artifact. Keystore secrets are already configured. # =========================================================================