cube/.gitea/workflows/deploy-cube.yml

name: deploy cube
# app #0：cube.famzheng.me 入口门户。host shell runner（gnoc 用户）。

on:
  push:
    branches: [master]
    paths:
      - 'apps/cube/**'
      - 'crates/cube-core/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '.gitea/workflows/deploy-cube.yml'
  workflow_dispatch:

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest  # 解析到 host shell executor（gnoc 用户），PATH 需要手动加 ~/.cargo/bin
    env:
      APP: cube
      IMAGE: registry.famzheng.me/mochi/cube
    steps:
      - uses: actions/checkout@v4

      - name: Debug runner identity
        run: |
          echo "whoami=$(whoami)"
          id
          echo "supplementary groups via /proc/self/status:"
          grep -E '^(Uid|Gid|Groups)' /proc/self/status
          echo "docker.sock:"
          ls -l /var/run/docker.sock
          echo "docker ps:"
          docker ps 2>&1 | head -5 || true
          echo "sg docker test:"
          sg docker -c 'docker ps 2>&1 | head -3' || true

      - name: Resolve image tag
        id: tag
        run: |
          echo "sha=$(git rev-parse --short=12 HEAD)" >> "$GITHUB_OUTPUT"

      - name: Build rust (musl static)
        run: |
          export PATH="$HOME/.cargo/bin:$PATH"
          cargo build --release --target x86_64-unknown-linux-musl -p "$APP"

      - name: Build frontend
        run: |
          cd "apps/$APP/frontend"
          npm ci
          npm run build

      - name: Build & push image
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          echo "$REGISTRY_TOKEN" | docker login registry.famzheng.me -u mochi --password-stdin
          docker build -f "apps/$APP/Dockerfile" -t "$IMAGE:${{ steps.tag.outputs.sha }}" .
          docker push "$IMAGE:${{ steps.tag.outputs.sha }}"

      - name: Roll out to k3s
        # runner 是 gnoc 用户 host shell 模式，直接用 ~/.kube/config（已配好），无需 secret
        run: |
          kubectl -n "cube-$APP" set image "deploy/$APP" "$APP=$IMAGE:${{ steps.tag.outputs.sha }}"
          kubectl -n "cube-$APP" rollout status "deploy/$APP" --timeout=120s