infra/.github/workflows/build-valia-sites-sync.yml
Viktor Barzin 8b80b4cc41
Some checks failed
ci/woodpecker/push/default Pipeline failed
Build valia-sites-sync / build (push) Has been cancelled
valia-sites: registry stack for Valia's Pages sites + declarative internal DNS (ADR-0018)
Valia keeps asking Viktor to host 1-page sites from her Drive folders;
this makes it one map entry. New stacks/valia-sites: per site a CF Pages
project + custom domain + proxied CNAME (bridge adopted via import{}),
a ConfigMap feed (valia-sites-dns) the technitium ingress-dns-sync
script now reconciles internal CNAMEs from (add/update/REMOVE — fixes
the add-only stale-record gotcha), and one shared 10-min CronJob that
mirrors each Content folder (rclone, drive.readonly, stem95su's guards)
and wrangler-deploys ONLY on manifest change (free-tier deploy cap).
Scoped CF Pages token + shared rclone conf in secret/valia-sites; the
Global API Key never enters a pod. cloudflared forgets bridge's record
via removed{} (no destroy). stem95su is in the map dns-parked
(manage_dns=false) until its cutover commit.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 12:28:06 +00:00

39 lines
1.2 KiB
YAML

name: Build valia-sites-sync
# ADR-0002 + ADR-0018: infra-owned image built off-infra on GHA → ghcr (public).
# Rclone + wrangler runner for the Valia-sites Content-folder mirror CronJob.
# Rebuilds are rare (tool pins only change deliberately) → dispatch + path.
# Security note: no untrusted event inputs are interpolated anywhere (only
# github.actor / github.sha / GITHUB_TOKEN — same shape as the other
# build-*.yml workflows in this repo).
on:
  push:
    branches: [master]
    paths:
      - 'stacks/valia-sites/sync-image/**'
  workflow_dispatch: {}
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          context: stacks/valia-sites/sync-image
          platforms: linux/amd64
          provenance: false
          push: true
          tags: |
            ghcr.io/viktorbarzin/valia-sites-sync:latest
            ghcr.io/viktorbarzin/valia-sites-sync:${{ github.sha }}
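
The security note in the workflow header states that only github.actor, github.sha and GITHUB_TOKEN are interpolated. One way to check that claim mechanically, as an added example that is not code from this repository: the allowlist mirrors the note, and the names ALLOWED, audit and the UNSAFE sample line are assumptions made for illustration.

```python
import re

# Contexts the workflow's security note names as the only ones interpolated.
# GitHub Actions context names are case-insensitive, so compare lowercased.
ALLOWED = {"github.actor", "github.sha", "secrets.github_token"}

EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.DOTALL)   # ${{ ... }} bodies
STRING = re.compile(r"'[^']*'")                     # expression string literals
# Dotted or index-style context references (string literals already stripped,
# so github['event'] appears here as github[]).
REF = re.compile(r"[A-Za-z_][\w-]*(?:\.[\w*-]+|\[\])+")

# Constructed sample: the three expression-bearing lines of the workflow.
WORKFLOW = """\
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
tags: ghcr.io/viktorbarzin/valia-sites-sync:${{ github.sha }}
"""
# Constructed counter-example (not in the repo): an event field that a
# contributor controls, expanded into a shell step.
UNSAFE = 'run: echo "${{ github.event.pull_request.title }}"\n'


def audit(text):
    """Return (line, reference) for every interpolated context outside ALLOWED.

    Comment lines are not skipped: expressions are substituted before the
    shell runs the script, so one inside a run-block comment still counts.
    """
    findings = []
    for m in EXPR.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        body = STRING.sub("", m.group(1))
        for ref in REF.findall(body):
            if ref.lower() not in ALLOWED:
                findings.append((line, ref))
    return findings


if __name__ == "__main__":
    print(audit(WORKFLOW))            # the workflow as committed
    print(audit(WORKFLOW + UNSAFE))   # with the counter-example appended
```

Run over every file in .github/workflows, a non-empty result is a reason to fail the check and move the value into an env: variable before it reaches a shell.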