From 09bdbdaf516694752f025511555334eafcde4f31 Mon Sep 17 00:00:00 2001
From: ash-bot
Date: Tue, 10 Mar 2026 20:53:54 -0700
Subject: [PATCH] Add CI workflow to build, push, and deploy Docker image

Follows heirloom pattern:
- Builds deb Dockerfile on push to master
- Pushes to registry.johnogle.info/protonmail-bridge
- Auto-updates k3s-cluster-config HelmRelease with new tag
Requires secrets: REGISTRY_USERNAME, REGISTRY_PASSWORD, CONFIG_REPO_TOKEN
---
 .gitea/workflows/build-and-push.yml | 76 +++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 .gitea/workflows/build-and-push.yml

diff --git a/.gitea/workflows/build-and-push.yml b/.gitea/workflows/build-and-push.yml
new file mode 100644
index 0000000..74668e4
--- /dev/null
+++ b/.gitea/workflows/build-and-push.yml
@@ -0,0 +1,76 @@
+name: Build and Push Docker Image
+
+on:
+ push:
+ branches: [master]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ actions: write
+
+jobs:
+ build-and-push:
+ name: Build & Push Docker Image
+ runs-on: ubuntu-latest
+ outputs:
+ image_tag: ${{ steps.meta.outputs.tag }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Generate image metadata
+ id: meta
+ run: |
+ VERSION=$(cat deb/PACKAGE | grep -oP '\d+\.\d+\.\d+' | head -1 || echo "unknown")
+ SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+ echo "tag=${VERSION}-${SHORT_SHA}" >> $GITHUB_OUTPUT
+ echo "version=${VERSION}" >> $GITHUB_OUTPUT
+ echo "Image will be tagged: ${VERSION}-${SHORT_SHA}"
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to registry
+ run: |
+ echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.johnogle.info -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin
+
+ - name: Build and push (deb)
+ uses: docker/build-push-action@v5
+ with:
+ context: ./deb
+ push: true
+ tags: |
+ registry.johnogle.info/protonmail-bridge:${{ steps.meta.outputs.tag }}
+ registry.johnogle.info/protonmail-bridge:latest
+ platforms: linux/amd64
+
+ deploy:
+ name: Deploy to Production
+ runs-on: ubuntu-latest
+ needs: build-and-push
+ if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+ steps:
+ - name: Checkout k3s-cluster-config
+ uses: actions/checkout@v4
+ with:
+ repository: johno/k3s-cluster-config
+ token: ${{ secrets.CONFIG_REPO_TOKEN }}
+ path: k3s-cluster-config
+
+ - name: Update HelmRelease image tag
+ run: |
+ cd k3s-cluster-config
+ sed -i 's|repository: shenxn/protonmail-bridge|repository: registry.johnogle.info/protonmail-bridge|' \
+ clusters/oglenet/apps/infrastructure/protonmail-bridge.yaml
+ sed -i 's/tag: .*/tag: "${{ needs.build-and-push.outputs.image_tag }}"/' \
+ clusters/oglenet/apps/infrastructure/protonmail-bridge.yaml
+
+ - name: Commit and push
+ run: |
+ cd k3s-cluster-config
+ git config user.name "Gitea CI"
+ git config user.email "ci@johnogle.info"
+ git add clusters/oglenet/apps/infrastructure/protonmail-bridge.yaml
+ git diff --cached --quiet || git commit -m "Deploy protonmail-bridge:${{ needs.build-and-push.outputs.image_tag }}"
+ git push
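Review bot: The `Login to registry` step expands `${{ secrets.REGISTRY_PASSWORD }}` and `${{ secrets.REGISTRY_USERNAME }}` into the script text before the shell runs, so a value containing `"`, `$` or a backtick is interpreted by the shell, and the username is not quoted at all. Passing both through the step's `env:` block and referencing them as quoted shell variables avoids this, as in the excerpt below. The same jobs hold the registry credentials and `CONFIG_REPO_TOKEN`, yet `actions/checkout@v4`, `docker/setup-buildx-action@v3` and `docker/build-push-action@v5` are referenced by mutable tags; pinning them to commit SHAs would keep a retagged action from running with those secrets. In the deploy job, `sed -i 's/tag: .*/tag: .../'` rewrites every line containing `tag:` in the HelmRelease file, so it should be anchored to the image block if that file can hold more than one such key. `actions: write` under `permissions` is not used by any step in this workflow and can probably be dropped.

```yaml
- name: Login to registry
  env:
    REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
    REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
  run: |
    echo "$REGISTRY_PASSWORD" | docker login registry.johnogle.info -u "$REGISTRY_USERNAME" --password-stdin
```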