rinoa-docker/.gitea/workflows/renovate-pr-deploy.yml

name: Renovate PR Deployment

on:
  workflow_dispatch:
  pull_request:
    types: [closed]
    branches:
      - main
    paths:
      - "**/docker-compose.yml"

env:
  HC_VAULT_VERSION: "1.18.0"
  VAULT_ADDR: ${{ secrets.TREZ_VAULT_ADDR }}
  VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}

jobs:
  deploy:
    if: |
      github.event.pull_request.merged == true &&
      github.event.pull_request.user.login == 'renovate-bot'
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Install Vault
        uses: cpanato/vault-installer@main
        with:
          version: ${{ env.HC_VAULT_VERSION }}

      - name: Detect Renovate update type
        id: detect-update
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          echo "PR body: $PR_BODY"

          if echo "$PR_BODY" | grep -qE 'Update Type: (patch|minor|major|digest)'; then
            echo "update=true" >> $GITHUB_OUTPUT
          else
            echo "update=false" >> $GITHUB_OUTPUT
          fi

      - name: Stop if update not patch/minor/major/digest
        if: steps.detect-update.outputs.update != 'true'
        run: |
          echo "::warning::This PR does not involve patch/minor/major/digest update. Skipping deployment."
          exit 0

      - name: Get changed services from docker-compose.yml
        id: services
        run: |
          git fetch origin ${{ github.event.pull_request.base.ref }}

          # Extract service=image pairs from HEAD (PR merge result)
          yq -r '.services | to_entries[] | "\(.key)=\(.value.image // "")"' docker-compose.yml \
            | sort > services_head.txt

          # Extract service=image pairs from BASE (main branch)
          git show origin/${{ github.event.pull_request.base.ref }}:docker-compose.yml \
            | yq -r '.services | to_entries[] | "\(.key)=\(.value.image // "")"' \
            | sort > services_main.txt || true

          echo "Comparing images between base and head..."
          : > service_changes.txt

          while IFS== read -r svc img; do
            base_img=$(grep "^$svc=" services_main.txt | cut -d= -f2- || true)
            if [ "$img" != "$base_img" ]; then
              echo "$svc" >> service_changes.txt
            fi
          done < services_head.txt

          echo "Detected service changes:"
          cat service_changes.txt || true

          mod_svcs=$(sort -u service_changes.txt | xargs)
          if [ -z "$mod_svcs" ]; then
            echo "docker_svc_list=" >> "$GITHUB_OUTPUT"
          else
            echo "docker_svc_list=$mod_svcs" >> "$GITHUB_OUTPUT"
          fi

      - name: List of Services for (Re)Deployment
        run: |
          echo -e "${{ steps.services.outputs.docker_svc_list }}"

      - name: Generate .env file for Docker Compose
        run: |
          vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env

      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: "${{ secrets.RUNNER_GOTIFY_URL }}"
          gotify_app_token: "${{ secrets.RUNNER_GOTIFY_TOKEN }}"
          notification_title: "GITEA: [RENOVATE] Docker Compose Deployment @ Rinoa"
          notification_message: "Starting Docker Compose run..."

      - name: Login to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ secrets.GHCR_USER }}
          password: ${{ secrets.GHCR_LOGIN_TOKEN }}

      - name: Login to Private Gitea Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: git.trez.wtf
          username: ${{ secrets.BOT_GITEA_USER }}
          password: ${{ secrets.BOT_GITEA_PASSWORD }}

      - name: Docker Compose Deployment
        uses: hoverkraft-tech/compose-action@40041ff1b97dbf152cd2361138c2b03fa29139df # v2.3.0
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
        with:
          services: |
            ${{ steps.services.outputs.docker_svc_list }}
          up-flags: -d --remove-orphans --pull always
          compose-flags: --profile rinoa-apps

      - name: Docker Compose Healthcheck
        id: health
        uses: jaracogmbh/docker-compose-health-check-action@973fbdccf7c8e396b652d3501984c8e530a9fa80 # v1.0.0
        with:
          max-retries: 30
          retry-interval: 10
          compose-file: "docker-compose.yml"
          skip-exited: "true"
          skip-no-healthcheck: "true"

      - name: Gotify Notification
        uses: eikendev/gotify-action@master
        with:
          gotify_api_base: "${{ secrets.RUNNER_GOTIFY_URL }}"
          gotify_app_token: "${{ secrets.RUNNER_GOTIFY_TOKEN }}"
          notification_title: "GITEA: [RENOVATE] Docker Compose Deployment @ Rinoa"
          notification_message: "Deployment completed successfully."