eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/deployment/create-release-artifact-workflow.md
Erich Blume a87c997ee1
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m28s
Details
Expose Forgejo publicly at forge.eblu.me (#278) 
## Summary

Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.

- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)

## Deployment Order

1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync

## Verification Checklist

- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes

Reviewed-on: #278
2026-03-03 08:40:41 -08:00

2.5 KiB
Raw Permalink Blame History

title modified last-reviewed tags
Create Release Artifact Workflow 2026-02-15 2026-02-15
how-to
forgejo
ci

Create a Release Artifact Workflow

How to set up a Forgejo Actions workflow that builds an artifact and publishes it to Forgejo generic packages. Uses the CV repo (forge.ops.eblu.me/eblume/cv) workflow as the reference implementation.

Prerequisites

  • A Forgejo repo with a build pipeline (Dagger, script, etc.)
  • The FORGE_TOKEN secret provisioned via the forgejo_actions_secrets Ansible role

1. Add the repo to Ansible secrets

In ansible/roles/forgejo_actions_secrets/defaults/main.yml, add an entry under forgejo_actions_secrets_repos:

forgejo_actions_secrets_repos:
  - repo: my-repo
    secrets:
      - name: FORGE_TOKEN
        value_var: forgejo_api_token

Then provision: mise run provision-indri -- --tags forgejo_actions_secrets

This is required because Forgejo's built-in GITHUB_TOKEN does not have permissions for the packages API.

2. Create the workflow

Create .forgejo/workflows/<name>-release.yaml with workflow_dispatch and a version input. Use the semver bump pattern (see cv-release.yaml for the full upload flow, or build-blumeops.yaml for the version bump logic only — it uploads to Forgejo releases, not generic packages).

The upload step uses FORGE_TOKEN:

- name: Upload to Forgejo packages
  env:
    FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
  run: |
    curl -fsSL \
      -X PUT \
      -H "Authorization: token $FORGE_TOKEN" \
      --upload-file "./$TARBALL" \
      "https://forge.eblu.me/api/packages/eblume/generic/<package>/${VERSION}/${TARBALL}"

3. Link the package to the repo

After the first successful upload, the package appears under your user-level packages at https://forge.eblu.me/eblume/-/packages but is not yet linked to the repo.

To link it:

  1. Go to https://forge.eblu.me/eblume/-/packages
  2. Click the package name
  3. Click Settings
  4. Under Link this package to a repository, select the repo
  5. Click Save

Once linked, the package shows up in the repo's Packages tab and the repo links back to the package.

4. Create a deploy workflow (optional)

If the artifact is consumed by a k8s deployment, create a separate deploy workflow in blumeops (see cv-deploy.yaml). This keeps the build/release concern in the source repo and the deploy concern in blumeops.

Related