Use Docker image for CLI instead of Gitea DEB download

Run sfp CLI directly from inside the pulled server image via docker run, removing the need for a separate GITEA_TOKEN and CLI download step. Default TLS mode changed to letsencrypt. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 11:20:31 +10:00
parent 718cb1c4e1
commit 44020ee09f
6 changed files with 127 additions and 252 deletions
@@ -11,9 +11,9 @@ on:
        description: 'TLS certificate mode'
        type: choice
        options:
-          - 'custom'
          - 'letsencrypt'
-        default: 'custom'
+          - 'custom'
+        default: 'letsencrypt'

 jobs:
  init:
@@ -31,6 +31,7 @@ jobs:
          [ -z "${{ vars.TENANT_NAME }}" ] && MISSING="$MISSING TENANT_NAME"
          [ -z "${{ vars.DOMAIN }}" ] && MISSING="$MISSING DOMAIN"
          [ -z "${{ vars.DOCKER_REGISTRY }}" ] && MISSING="$MISSING DOCKER_REGISTRY"
+          [ -z "${{ vars.IMAGE_FQDN }}" ] && MISSING="$MISSING IMAGE_FQDN"

          if [ -n "$MISSING" ]; then
            echo "Missing required GitHub Variables:$MISSING"
@@ -40,12 +41,15 @@ jobs:
          fi

      - name: Setup SFP CLI and SSH
+        id: setup
        uses: ./.github/actions/setup-sfp
        with:
-          gitea-token: ${{ secrets.GITEA_TOKEN }}
+          docker-registry: ${{ vars.DOCKER_REGISTRY }}
+          docker-registry-token: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
+          image-fqdn: ${{ vars.IMAGE_FQDN }}
+          image-tag: ${{ vars.IMAGE_TAG || 'latest' }}
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
          ssh-host: ${{ vars.SSH_HOST }}
-          cli-version: ${{ vars.SFP_CLI_VERSION || 'latest' }}

      - name: Initialize server
        env:
@@ -53,6 +57,7 @@ jobs:
          DOCKER_REGISTRY_TOKEN: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
          ORIGIN_CERT: ${{ secrets.ORIGIN_CERT }}
          ORIGIN_KEY: ${{ secrets.ORIGIN_KEY }}
+          SFP_IMAGE: ${{ steps.setup.outputs.sfp-image }}
        run: |
          TENANT="${{ vars.TENANT_NAME }}"
          DOMAIN="${{ vars.DOMAIN }}"
@@ -61,6 +66,8 @@ jobs:
          TLS_MODE="${{ inputs.tls_mode }}"
          WORKERS="${{ vars.WORKERS || '1' }}"
          BASE_DIR="${{ vars.BASE_DIR || './sfp-server' }}"
+          IMAGE_FQDN="${{ vars.IMAGE_FQDN }}"
+          IMAGE_TAG="${{ vars.IMAGE_TAG || 'latest' }}"

          echo "Initializing SFP Server"
          echo "  Tenant:   $TENANT"
@@ -68,7 +75,7 @@ jobs:
          echo "  Host:     $SSH_HOST"
          echo "  TLS Mode: $TLS_MODE"
          echo "  Workers:  $WORKERS"
-          echo "  Registry: $DOCKER_REGISTRY"
+          echo "  Image:    $SFP_IMAGE"

          # Build the init command
          INIT_CMD="sfp server init"
@@ -82,38 +89,30 @@ jobs:
          INIT_CMD="$INIT_CMD --secrets-provider custom"
          INIT_CMD="$INIT_CMD --no-interactive"
          INIT_CMD="$INIT_CMD --ssh-connection \"$SSH_USER@$SSH_HOST\""
-          INIT_CMD="$INIT_CMD --identity-file ~/.ssh/deploy_key"
+          INIT_CMD="$INIT_CMD --identity-file /root/.ssh/deploy_key"
+          INIT_CMD="$INIT_CMD --image \"${IMAGE_FQDN}:${IMAGE_TAG}\""

-          # Add image override if IMAGE_FQDN is configured
-          IMAGE_FQDN="${{ vars.IMAGE_FQDN }}"
-          IMAGE_TAG="${{ vars.IMAGE_TAG || 'latest' }}"
-          if [ -n "$IMAGE_FQDN" ]; then
-            INIT_CMD="$INIT_CMD --image \"${IMAGE_FQDN}:${IMAGE_TAG}\""
-          fi
-
-          # Add force flag if requested
          if [ "${{ inputs.force }}" = "true" ]; then
            INIT_CMD="$INIT_CMD --force"
          fi

-          eval "$INIT_CMD"
+          # Run sfp CLI from inside the Docker image
+          docker run --rm \
+            -v ~/.ssh/deploy_key:/root/.ssh/deploy_key:ro \
+            -v ~/.ssh/known_hosts:/root/.ssh/known_hosts:ro \
+            -e DOCKER_REGISTRY \
+            -e DOCKER_REGISTRY_TOKEN \
+            -e ORIGIN_CERT \
+            -e ORIGIN_KEY \
+            "$SFP_IMAGE" \
+            bash -c "$INIT_CMD"

      - name: Output init results
        if: always()
        run: |
          TENANT="${{ vars.TENANT_NAME }}"
-          RESULT_FILE="sfp-server-init-${TENANT}.json"

          echo "## SFP Server Initialization" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-
-          if [ -f "$RESULT_FILE" ]; then
-            echo "### Results" >> $GITHUB_STEP_SUMMARY
-            echo '```json' >> $GITHUB_STEP_SUMMARY
-            cat "$RESULT_FILE" | jq '.' >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-          fi
-
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Configuration" >> $GITHUB_STEP_SUMMARY
          echo "| Setting | Value |" >> $GITHUB_STEP_SUMMARY
@@ -122,8 +121,7 @@ jobs:
          echo "| Domain | ${{ vars.DOMAIN }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Host | ${{ vars.SSH_HOST }} |" >> $GITHUB_STEP_SUMMARY
          echo "| TLS Mode | ${{ inputs.tls_mode }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| Registry | ${{ vars.DOCKER_REGISTRY }} |" >> $GITHUB_STEP_SUMMARY
-
+          echo "| Image | ${{ steps.setup.outputs.sfp-image }} |" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Next Steps" >> $GITHUB_STEP_SUMMARY
          echo "1. Verify the server is accessible at \`https://${{ vars.DOMAIN }}\`" >> $GITHUB_STEP_SUMMARY