Valia keeps asking Viktor to host 1-page sites from her Drive folders;
this makes it one map entry. New stacks/valia-sites: per site a CF Pages
project + custom domain + proxied CNAME (bridge adopted via import{}),
a ConfigMap feed (valia-sites-dns) the technitium ingress-dns-sync
script now reconciles internal CNAMEs from (add/update/REMOVE — fixes
the add-only stale-record gotcha), and one shared 10-min CronJob that
mirrors each Content folder (rclone, drive.readonly, stem95su's guards)
and wrangler-deploys ONLY on manifest change (free-tier deploy cap).
Scoped CF Pages token + shared rclone conf in secret/valia-sites; the
Global API Key never enters a pod. cloudflared forgets bridge's record
via removed{} (no destroy). stem95su is in the map dns-parked
(manage_dns=false) until its cutover commit.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
39 lines
1.2 KiB
YAML
name: Build valia-sites-sync
# ADR-0002 + ADR-0018: infra-owned image built off-infra on GHA → ghcr (public).
# Rclone + wrangler runner for the Valia-sites Content-folder mirror CronJob.
# Rebuilds are rare (tool pins only change deliberately) → dispatch + path.
# Security note: no untrusted event inputs are interpolated anywhere (only
# github.actor / github.sha / GITHUB_TOKEN — same shape as the other
# build-*.yml workflows in this repo).
on:
push:
branches: [master]
paths:
- 'stacks/valia-sites/sync-image/**'
workflow_dispatch: {}
permissions:
contents: read
packages: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/build-push-action@v6
with:
context: stacks/valia-sites/sync-image
platforms: linux/amd64
provenance: false
push: true
tags: |
ghcr.io/viktorbarzin/valia-sites-sync:latest
ghcr.io/viktorbarzin/valia-sites-sync:${{ github.sha }}
|
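Review bot: The four `uses:` steps (actions/checkout@v4, docker/setup-buildx-action@v3, docker/login-action@v3, docker/build-push-action@v6) are referenced by mutable major-version tags in a job that holds `packages: write` and a ghcr.io login, so a retagged action release could change what gets pushed without any change in this repo. The header comment says tool pins only change deliberately; apply the same rule to the actions by pinning each one to a full commit SHA, with the version kept in a trailing comment. Separately, `provenance: false` deserves a one-line comment explaining why attestation is turned off for a publicly published image, and the header should state which of the two pushed tags (`:latest` or `:${{ github.sha }}`) consumers are expected to reference.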