ci: add GitHub Actions workflows and update image references to ghcr.io

Three path-filtered workflows (finance-api, auth-users, auth-gateway) each build, push to ghcr.io, and rollout to k3s on push to main. Deployment manifests updated from local image refs to ghcr.io with imagePullSecrets referencing a ghcr-credentials k8s secret. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-13 14:03:05 +01:00 · 2026-06-13 14:03:05 +01:00 · 94b23fc839
commit 94b23fc839
parent d3850eeca5
6 changed files with 184 additions and 6 deletions
--- a/.github/workflows/auth-gateway.yml
+++ b/.github/workflows/auth-gateway.yml
@ -0,0 +1,56 @@
+name: auth-gateway
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - apps/auth/services/gateway/**
+      - go.mod
+      - go.sum
+
+env:
+  IMAGE: ghcr.io/${{ github.repository_owner }}/homelab/auth-gateway
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: apps/auth/services/gateway/Dockerfile
+          push: true
+          tags: |
+            ${{ env.IMAGE }}:${{ github.sha }}
+            ${{ env.IMAGE }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Deploy to k3s
+        env:
+          KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}
+        run: |
+          mkdir -p ~/.kube
+          echo "$KUBECONFIG_DATA" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+          kubectl set image deployment/gateway \
+            gateway=${{ env.IMAGE }}:${{ github.sha }} \
+            -n auth
+          kubectl rollout status deployment/gateway -n auth --timeout=120s
--- a/.github/workflows/auth-users.yml
+++ b/.github/workflows/auth-users.yml
@ -0,0 +1,56 @@
+name: auth-users
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - apps/auth/services/users/**
+      - go.mod
+      - go.sum
+
+env:
+  IMAGE: ghcr.io/${{ github.repository_owner }}/homelab/auth-users
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: apps/auth/services/users/Dockerfile
+          push: true
+          tags: |
+            ${{ env.IMAGE }}:${{ github.sha }}
+            ${{ env.IMAGE }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Deploy to k3s
+        env:
+          KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}
+        run: |
+          mkdir -p ~/.kube
+          echo "$KUBECONFIG_DATA" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+          kubectl set image deployment/users \
+            users=${{ env.IMAGE }}:${{ github.sha }} \
+            -n auth
+          kubectl rollout status deployment/users -n auth --timeout=120s
--- a/.github/workflows/finance-api.yml
+++ b/.github/workflows/finance-api.yml
@ -0,0 +1,60 @@
+name: finance-api
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - apps/finance/**
+      - go.mod
+      - go.sum
+
+env:
+  IMAGE: ghcr.io/${{ github.repository_owner }}/homelab/finance-api
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: apps/finance/services/api/Dockerfile
+          push: true
+          tags: |
+            ${{ env.IMAGE }}:${{ github.sha }}
+            ${{ env.IMAGE }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run tests
+        run: |
+          go test ./apps/finance/services/api/main/...
+
+      - name: Deploy to k3s
+        env:
+          KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}
+        run: |
+          mkdir -p ~/.kube
+          echo "$KUBECONFIG_DATA" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+          kubectl set image deployment/api \
+            api=${{ env.IMAGE }}:${{ github.sha }} \
+            -n finance
+          kubectl rollout status deployment/api -n finance --timeout=120s
--- a/apps/auth/services/gateway/k8s/deployment.yaml
+++ b/apps/auth/services/gateway/k8s/deployment.yaml
@ -15,10 +15,12 @@ spec:
      labels:
        app: gateway
    spec:
+      imagePullSecrets:
+        - name: ghcr-credentials
      containers:
        - name: gateway
-          image: homelab/gateway:latest
-          imagePullPolicy: IfNotPresent
+          image: ghcr.io/goncalorodri/homelab/auth-gateway:latest
+          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080
--- a/apps/auth/services/users/k8s/deployment.yaml
+++ b/apps/auth/services/users/k8s/deployment.yaml
@ -15,10 +15,12 @@ spec:
      labels:
        app: users
    spec:
+      imagePullSecrets:
+        - name: ghcr-credentials
      containers:
        - name: users
-          image: homelab/users:latest
-          imagePullPolicy: IfNotPresent
+          image: ghcr.io/goncalorodri/homelab/auth-users:latest
+          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080
--- a/apps/finance/services/api/k8s/deployment.yaml
+++ b/apps/finance/services/api/k8s/deployment.yaml
@ -15,10 +15,12 @@ spec:
      labels:
        app: api
    spec:
+      imagePullSecrets:
+        - name: ghcr-credentials
      containers:
        - name: api
-          image: homelab/api:latest
-          imagePullPolicy: IfNotPresent
+          image: ghcr.io/goncalorodri/homelab/finance-api:latest
+          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080