ci: migrate workflows from Forgejo to Gitea Actions

.gitea/workflows/ci.yaml

@@ -0,0 +1,72 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  PIP_CACHE_DIR: ${{ github.workspace }}/.cache/pip
+  PYTHONUNBUFFERED: "1"
+
+jobs:
+  lint:
+    runs-on: [linux, docker]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements-dev.txt
+      - name: Run ruff
+        run: ruff check app tests scripts
+      - name: Run black
+        run: black --check app tests scripts
+
+  type-check:
+    runs-on: [linux, docker]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - name: Install dependencies
+        run: |
+          set -x
+          python -m pip install --upgrade pip
+          pip install -r requirements-dev.txt
+          pip list
+      - name: Run mypy
+        run: |
+          echo "Running mypy on core modules..."
+          mypy app/core app/models app/strategies app/services app/domain --show-error-codes --show-traceback
+          echo "Type check completed successfully"
+
+  test:
+    runs-on: [linux, docker]
+    container:
+      image: mcr.microsoft.com/playwright:v1.58.0-jammy
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - name: Install dependencies
+        run: |
+          set -x
+          python -m pip install --upgrade pip
+          pip install -r requirements-dev.txt
+          pip list
+      - name: Run tests
+        run: pytest -v --tb=short

.gitea/workflows/deploy.yaml

@@ -0,0 +1,103 @@
+name: Build and Deploy
+
+on:
+  workflow_run:
+    workflows: [CI]
+    types: [completed]
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ${{ vars.REGISTRY || '10.100.0.2:3000' }}
+  IMAGE_NAME: ${{ github.repository }}
+  RESOLVED_SHA: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
+  RESOLVED_REF: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name }}
+
+jobs:
+  build:
+    if: |
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
+    runs-on: [linux, docker]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.RESOLVED_SHA }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker
+      - name: Login to Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RESOLVED_SHA }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          provenance: false
+
+  deploy:
+    runs-on: [linux, docker]
+    needs: build
+    if: |
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main')
+    container:
+      image: catthehacker/ubuntu:act-latest
+      env:
+        DEPLOY_HOST: ${{ vars.DEPLOY_HOST }}
+        DEPLOY_USER: ${{ vars.DEPLOY_USER || 'deploy' }}
+        DEPLOY_PORT: ${{ vars.DEPLOY_PORT || '22' }}
+        DEPLOY_PATH: ${{ vars.DEPLOY_PATH || '/opt/vault-dash' }}
+        DEPLOY_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
+        APP_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RESOLVED_SHA }}
+        APP_ENV: production
+        APP_NAME: Vault Dashboard
+        APP_PORT: "8000"
+        TURNSTILE_SITE_KEY: ${{ vars.TURNSTILE_SITE_KEY }}
+        TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
+        DATABENTO_API_KEY: ${{ secrets.DATABENTO_API_KEY }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ env.RESOLVED_SHA }}
+
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install -y bash openssh-client curl
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+
+      - name: Setup SSH key
+        run: |
+          # Handle base64-encoded key (recommended) or raw key
+          mkdir -p ~/.ssh && chmod 700 ~/.ssh
+          if echo "$DEPLOY_SSH_PRIVATE_KEY" | base64 -d > ~/.ssh/id_ed25519 2>/dev/null; then
+            echo "Decoded base64 key"
+          else
+            printf '%s\n' "$DEPLOY_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+          fi
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -p "${DEPLOY_PORT:-22}" "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null || true
+
+      - name: Deploy
+        run: |
+          test -n "$DEPLOY_HOST" || (echo "DEPLOY_HOST must be set" && exit 1)
+          test -n "$DEPLOY_SSH_PRIVATE_KEY" || (echo "DEPLOY_SSH_PRIVATE_KEY must be set" && exit 1)
+          bash scripts/deploy-actions.sh