ci: build own Docker image from newsdiff app source

rmdes · rmdes · commit 41fb9c5dbb69 · 2026-03-29T16:49:11.000+02:00
- Clones rmdes/newsdiff, builds with the generic Dockerfile
- Pushes to ghcr.io/rmdes/newsdiff-deploy:main
- Weekly rebuild to pick up app updates
- docker-compose.yml references own image instead of newsdiff repo
- Keeps compose + nginx validation as pre-build step
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,73 @@
+name: Build and push Docker image
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+  workflow_dispatch:
+  schedule:
+    # Rebuild weekly to pick up latest newsdiff app image layers
+    - cron: '0 6 * * 1'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ghcr.io/rmdes/newsdiff-deploy
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate docker-compose.yml
+        env:
+          ORIGIN: https://example.com
+          POSTGRES_PASSWORD: ci-test-password
+        run: docker compose config --quiet
+
+      - name: Check nginx config syntax
+        run: |
+          docker run --rm \
+            -v "$PWD/nginx.conf:/etc/nginx/nginx.conf:ro" \
+            --add-host app:127.0.0.1 \
+            --add-host bot:127.0.0.1 \
+            nginx:alpine nginx -t
+
+  build:
+    runs-on: ubuntu-latest
+    needs: validate
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      # Clone the app source to build from
+      - name: Clone newsdiff app
+        run: git clone --depth 1 https://github.com/rmdes/newsdiff.git app
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=sha
+
+      - uses: docker/build-push-action@v6
+        with:
+          context: ./app
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
   # Database migrations (runs once on startup, then exits)
   migrate:
-    image: ghcr.io/rmdes/newsdiff:main
+    image: ghcr.io/rmdes/newsdiff-deploy:main
     command: ["node", "--import", "tsx/esm", "src/lib/server/db/migrate.ts"]
     environment:
       DATABASE_URL: postgres://${POSTGRES_USER:-newsdiff}:${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-newsdiff}
@@ -12,7 +12,7 @@ services:
 
   # SvelteKit web app + feed poller + syndicator workers
   app:
-    image: ghcr.io/rmdes/newsdiff:main
+    image: ghcr.io/rmdes/newsdiff-deploy:main
     command: ["node", "build/index.js"]
     environment:
       DATABASE_URL: postgres://${POSTGRES_USER:-newsdiff}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-newsdiff}
@@ -44,7 +44,7 @@ services:
 
   # ActivityPub bot (handles incoming federation requests)
   bot:
-    image: ghcr.io/rmdes/newsdiff:main
+    image: ghcr.io/rmdes/newsdiff-deploy:main
     command: ["node", "--import", "tsx/esm", "src/bot/index.ts"]
     environment:
       REDIS_HOST: redis
