From 3b294e2e82ae2dddf948f00d4762b06d30918ff0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gon=C3=A7alo=20Rodrigues?= <guga@Goncalos-MacBook-Pro.local>
Date: Fri, 26 Jun 2026 23:05:38 +0100
Subject: [PATCH] feat(cicd): add GitHub Actions deploy workflow for
 finance-api

- deploy.yml: on push to main, builds linux/arm64 image, pushes to
  Gitea registry, deploys via SSH kubectl set image
- ci.yml: gate to PRs targeting main only
- finance-api deployment: imagePullPolicy Always so SHA-tagged images
  are always pulled on rollout

Requires GitHub Actions secrets: GITEA_REGISTRY_PASSWORD, VPS_HOST,
VPS_USER, VPS_SSH_KEY.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/ci.yml                      |  1 +
 .github/workflows/deploy.yml                  | 50 +++++++++++++++++++
 apps/finance/services/api/k8s/deployment.yaml |  2 +-
 3 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/deploy.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 471111c..999ed48 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
+    branches: [main]
 
 jobs:
   test:
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..219d688
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,50 @@
+name: deploy
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy-finance:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Gitea registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.gugagr.xyz
+          username: admin
+          password: ${{ secrets.GITEA_REGISTRY_PASSWORD }}
+
+      - name: Build and push finance-api
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: apps/finance/services/api/Dockerfile
+          platforms: linux/arm64
+          push: true
+          tags: git.gugagr.xyz/admin/homelab_finance-api:${{ github.sha }}
+          cache-from: type=registry,ref=git.gugagr.xyz/admin/homelab_finance-api:buildcache
+          cache-to: type=registry,ref=git.gugagr.xyz/admin/homelab_finance-api:buildcache,mode=max
+
+      - name: Deploy to VPS
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ secrets.VPS_HOST }}
+          username: ${{ secrets.VPS_USER }}
+          key: ${{ secrets.VPS_SSH_KEY }}
+          script: |
+            kubectl set image deployment/api \
+              api=git.gugagr.xyz/admin/homelab_finance-api:${{ github.sha }} \
+              -n finance
+            kubectl rollout status deployment/api -n finance --timeout=120s
diff --git a/apps/finance/services/api/k8s/deployment.yaml b/apps/finance/services/api/k8s/deployment.yaml
index d2dda1d..aa95cd2 100644
--- a/apps/finance/services/api/k8s/deployment.yaml
+++ b/apps/finance/services/api/k8s/deployment.yaml
@@ -20,7 +20,7 @@ spec:
       containers:
         - name: api
           image: homelab/finance-api
-          imagePullPolicy: IfNotPresent
+          imagePullPolicy: Always
           ports:
             - name: http
               containerPort: 8080