vault-dash/.forgejo/workflows/deploy.yaml

name: Build and Deploy

on:
  push:
    branches: [main]
  workflow_dispatch:

env:
  REGISTRY: ${{ vars.REGISTRY || '10.100.0.2:3000' }}
  IMAGE_NAME: ${{ github.repository }}

jobs:
  lint:
    runs-on: [linux, docker]
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ruff black
      - name: Run ruff
        run: ruff check app tests scripts
      - name: Run black
        run: black --check app tests scripts

  test:
    runs-on: [linux, docker]
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install dependencies
        run: |
          set -x
          python -m pip install --upgrade pip
          pip install pytest pytest-asyncio httpx
          pip install nicegui fastapi uvicorn yfinance polars pandas pydantic pyyaml
          pip list
      - name: Run tests
        run: pytest tests/test_pricing.py tests/test_strategies.py tests/test_portfolio.py -v --tb=short

  type-check:
    runs-on: [linux, docker]
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install dependencies
        run: |
          set -x
          python -m pip install --upgrade pip
          pip install mypy
          pip install nicegui fastapi uvicorn yfinance polars pandas pydantic pyyaml
          pip list
      - name: Show working directory
        run: pwd && ls -la
      - name: Run mypy
        run: |
          echo "Running mypy on core modules..."
          mypy app/core app/models app/strategies app/services --ignore-missing-imports --show-error-codes --show-traceback || true
          echo "Type check completed (warnings allowed during development)"

  build:
    runs-on: [linux, docker]
    needs: [lint, test, type-check]
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          registry: docker.io
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Create buildkit config
        run: |
          mkdir -p /tmp/buildkit
          cat > /tmp/buildkit/buildkitd.toml << 'EOF'
          [registry."10.100.0.2:3000"]
            http = true
            insecure = true
          [registry."git.uncloud.vpn"]
            http = true
            insecure = true
          EOF
          # Add hosts entry for Forgejo's token endpoint
          echo "10.100.0.2 git.uncloud.vpn" >> /etc/hosts

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver-opts: |
            network=host
          config: /tmp/buildkit/buildkitd.toml

      - name: Login to Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}

      - name: Login to Forgejo token endpoint
        uses: docker/login-action@v3
        with:
          registry: git.uncloud.vpn
          username: ${{ github.actor }}
          password: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
          provenance: false

  deploy:
    runs-on: [linux, docker]
    needs: build
    if: github.ref == 'refs/heads/main'
    container:
      image: catthehacker/ubuntu:act-latest
    env:
      DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
      DEPLOY_USER: ${{ secrets.DEPLOY_USER || 'deploy' }}
      DEPLOY_PORT: ${{ secrets.DEPLOY_PORT || '22' }}
      DEPLOY_PATH: ${{ secrets.DEPLOY_PATH || '/opt/vault-dash' }}
      DEPLOY_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
      APP_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
      APP_ENV: production
      APP_NAME: Vault Dashboard
      APP_PORT: "8000"
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          apt-get update && apt-get install -y bash openssh-client curl docker.io docker-compose-plugin
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh

      - name: Setup SSH key
        run: |
          printf '%s' "$DEPLOY_SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -p "${DEPLOY_PORT:-22}" "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null || true

      - name: Deploy
        run: |
          test -n "$DEPLOY_HOST" || (echo "DEPLOY_HOST must be set" && exit 1)
          test -n "$DEPLOY_SSH_PRIVATE_KEY" || (echo "DEPLOY_SSH_PRIVATE_KEY must be set" && exit 1)
          bash scripts/deploy-forgejo.sh