ci: extract Reload Caddy step into a composite action #539

Open
opened 2026-05-11 22:54:55 +02:00 by marcel · 0 comments
Owner

Context

The Reload Caddy step (privileged Alpine container + nsenter) is currently duplicated identically in nightly.yml and release.yml. Both workflows were updated in PR #537 to use a pinned Alpine digest and reload instead of restart.

Problem

Any future change — e.g. a Renovate bump to a newer Alpine digest, or a change to the nsenter flags — must be applied in two places. This is a maintenance risk.

Proposed solution

Extract the step into a local composite action at .gitea/actions/reload-caddy/action.yml:

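```yaml
name: Reload Caddy
description: Reload the host Caddy service via nsenter (DooD runner)
runs:
  using: composite
  steps:
    # --pid=host makes the host's PID 1 visible inside the helper container.
    # nsenter -t 1 enters PID 1's mount (-m), UTS (-u), network (-n), PID (-p)
    # and IPC (-i) namespaces, so systemctl runs against the host's systemd.
    - name: Reload Caddy
      shell: bash
      run: |
        docker run --rm --privileged --pid=host \
          alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d \
          sh -c 'apk add --no-cache util-linux -q && nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy'
```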

Then both workflows call it with:

```yaml
- uses: ./.gitea/actions/reload-caddy
```

Acceptance criteria

  • Composite action created at .gitea/actions/reload-caddy/action.yml
  • nightly.yml Reload Caddy step replaced with uses: ./.gitea/actions/reload-caddy
  • release.yml Reload Caddy step replaced with uses: ./.gitea/actions/reload-caddy
  • Nightly CI run passes after the change
  • docs/infrastructure/ci-gitea.md updated to reference the composite action

Notes

  • Gitea supports local composite actions via uses: ./.gitea/actions/<name> (same as GitHub Actions for local actions)
  • The step comment explaining the DooD rationale can live in the composite action's description field and in the action.yml inline comments — it does not need to be repeated in each calling workflow
marcel added the devops label 2026-05-11 22:55:00 +02:00
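One way to check the acceptance criteria above mechanically, as an added example that is not part of the issue or the project's code: it confirms the composite action exists, that its Alpine image is digest-pinned, and that neither workflow keeps an inline copy of the privileged step. The `.gitea/workflows/` directory, the function names and the fixture contents are assumptions made for the example.

```bash
# Added example: verifies this issue's acceptance criteria against a checkout.
# Assumption: workflows live in .gitea/workflows/ (the issue does not state their directory).
check_reload_caddy() {   # $1 = repository root; returns 0 when all checks pass
  local root="$1" rc=0 wf refs
  local action="$root/.gitea/actions/reload-caddy/action.yml"
  # 1. The composite action exists and is declared as composite.
  if ! grep -Eq '^[[:space:]]*using:[[:space:]]*composite' "$action" 2>/dev/null; then
    echo "FAIL: $action missing or not a composite action"; rc=1
  fi
  # 2. Every alpine reference in the action is pinned to a sha256 digest.
  refs=$(grep -Eo 'alpine:[^[:space:]\\]+' "$action" 2>/dev/null || true)
  if [ -z "$refs" ] || printf '%s\n' "$refs" | grep -Evq '@sha256:[0-9a-f]{64}$'; then
    echo "FAIL: no digest-pinned alpine image in $action"; rc=1
  fi
  # 3. Both workflows call the action and keep no inline copy of the privileged step.
  for wf in nightly.yml release.yml; do
    if ! grep -Eq '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*\./\.gitea/actions/reload-caddy[[:space:]]*$' \
         "$root/.gitea/workflows/$wf" 2>/dev/null; then
      echo "FAIL: $wf does not call ./.gitea/actions/reload-caddy"; rc=1
    fi
    if grep -Eq 'nsenter|docker run.*--privileged' "$root/.gitea/workflows/$wf" 2>/dev/null; then
      echo "FAIL: $wf still carries an inline copy of the reload step"; rc=1
    fi
  done
  return "$rc"
}

make_fixture() {   # constructed sample checkout; $1 = directory, $2 = before|after
  local root="$1" wf
  local img='alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d'
  mkdir -p "$root/.gitea/workflows" "$root/.gitea/actions/reload-caddy"
  if [ "$2" = after ]; then
    printf '%s\n' 'runs:' '  using: composite' '  steps:' '    - shell: bash' \
      "      run: docker run --rm --privileged --pid=host $img sh -c '...'" \
      > "$root/.gitea/actions/reload-caddy/action.yml"
  fi
  for wf in nightly.yml release.yml; do
    if [ "$2" = after ]; then
      printf '%s\n' 'steps:' '  - uses: ./.gitea/actions/reload-caddy'
    else
      printf '%s\n' 'steps:' "  - run: docker run --rm --privileged --pid=host $img sh -c 'nsenter ...'"
    fi > "$root/.gitea/workflows/$wf"
  done
}

demo_dir=$(mktemp -d)
make_fixture "$demo_dir/after" after && check_reload_caddy "$demo_dir/after" && echo "after: all criteria met"
make_fixture "$demo_dir/before" before && check_reload_caddy "$demo_dir/before" || echo "before: criteria not met"
rm -rf "$demo_dir"
```

Run against a real checkout with `check_reload_caddy /path/to/repo`; a non-zero return lists each unmet criterion on its own `FAIL:` line.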
Reference: marcel/familienarchiv#539