Reusable Gitea Actions
Shared automation consumed by every Charlie/<stack> repo. Full caller guide,
manual-fallback recipes, and host prerequisites: docs/automation.md.
Contracts
Reusable workflows
| Path | Purpose |
|---|---|
workflows/deploy-stack.yml |
git pull + (optional) SOPS decrypt + per-host compose resolution + docker compose up -d. Replaces the old per-repo deploy.sh. |
Composite actions
| Path | Purpose |
|---|---|
actions/sops-decrypt |
Decrypt one or more SOPS files using the host's age key at /etc/charlie/age.key. |
Caller skeleton
Drop this into Charlie/<stack>/.gitea/workflows/deploy.yaml:
name: Deploy
on:
push:
branches: [main]
workflow_dispatch:
jobs:
deploy:
uses: Charlie/project-charlie/.gitea/workflows/deploy-stack.yml@main
with:
host: morgott
decrypt: |
secrets/env.sops.yaml -> .env
For a multi-host stack, add a matrix:
jobs:
deploy:
strategy:
matrix:
host: [morgott, melina, mohg, miquella]
uses: Charlie/project-charlie/.gitea/workflows/deploy-stack.yml@main
with:
host: ${{ matrix.host }}
decrypt: |
secrets/${{ matrix.host }}.env.sops.yaml -> envs/${{ matrix.host }}.env
Versioning
Pin to @main for now. We'll cut tags (@v1, …) once the contract stops moving.
Breaking changes to inputs require a major bump.
See also
- docs/automation.md — full caller guide, manual-fallback recipes, host prerequisites.
- docs/vulnerability-scanning.md — daily CVE sweep (trivy-server + trivy-runner) feeding Grafana via the same otelcol pipeline.