fix: Update CI workflow to publish Docker image and document Coolify deployment process
CI / lint-test-build (push) Successful in 2m36s
+14
-14
@@ -50,18 +50,18 @@ jobs:
|
|||||||
--thresholds ops/performance/latency_thresholds.json \
|
--thresholds ops/performance/latency_thresholds.json \
|
||||||
--iterations 600
|
--iterations 600
|
||||||
|
|
||||||
# - name: Login to Gitea registry
|
- name: Login to Gitea registry
|
||||||
# if: github.event_name != 'pull_request'
|
if: github.event_name != 'pull_request'
|
||||||
# uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
# with:
|
with:
|
||||||
# registry: git.allucanget.biz
|
registry: git.allucanget.biz
|
||||||
# username: ${{ secrets.REGISTRY_USERNAME }}
|
username: ${{ secrets.REGISTRY_USERNAME }}
|
||||||
# password: ${{ secrets.REGISTRY_TOKEN }}
|
password: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
|
|
||||||
# - name: Build and push image
|
- name: Build and push image
|
||||||
# if: github.event_name != 'pull_request'
|
if: github.event_name != 'pull_request'
|
||||||
# uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v6
|
||||||
# with:
|
with:
|
||||||
# context: .
|
context: .
|
||||||
# push: true
|
push: true
|
||||||
# tags: git.allucanget.biz/${{ secrets.REGISTRY_NAMESPACE }}/arbitrade:${{ github.sha }}
|
tags: git.allucanget.biz/allucanget/arbitrade:latest
|
||||||
|
|||||||
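Review bot: The `tags:` line of the build-and-push step now publishes only `arbitrade:latest`, replacing the `${{ github.sha }}` tag, so every push overwrites one mutable tag and no image reference maps back to a commit for rollback or for confirming what is deployed. Suggest keeping an immutable tag next to it by listing both `git.allucanget.biz/allucanget/arbitrade:${{ github.sha }}` and `:latest` under `tags:`. Separately, `docker/login-action@v3` and `docker/build-push-action@v6` are referenced by movable major-version tags in steps that receive `REGISTRY_TOKEN`; pinning them to a commit SHA would narrow that exposure.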
@@ -29,6 +29,7 @@
|
|||||||
- Optimized dashboard metrics aggregation to use DuckDB SQL aggregates/quantiles instead of Python row scans.
|
- Optimized dashboard metrics aggregation to use DuckDB SQL aggregates/quantiles instead of Python row scans.
|
||||||
- Added backtesting usage and replay format documentation to README.
|
- Added backtesting usage and replay format documentation to README.
|
||||||
- Dashboard controls now surface tradable pairs and strategy config snapshot values.
|
- Dashboard controls now surface tradable pairs and strategy config snapshot values.
|
||||||
|
- CI now publishes `git.allucanget.biz/allucanget/arbitrade:latest`, and README now documents Coolify image deployment with runtime environment variables managed in Coolify.
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
|
|||||||
@@ -265,24 +265,24 @@ Important:
|
|||||||
|
|
||||||
- [docker-compose.yml](docker-compose.yml) uses `git.allucanget.biz/allucanget/arbitrade:latest` as the default image reference.
|
- [docker-compose.yml](docker-compose.yml) uses `git.allucanget.biz/allucanget/arbitrade:latest` as the default image reference.
|
||||||
|
|
||||||
## Coolify Deployment (Nixpacks)
|
## Coolify Deployment (Prebuilt Image)
|
||||||
|
|
||||||
Use this when deploying directly from Git in Coolify without the Dockerfile path.
|
Use this when deploying from the image published by CI instead of building from Git inside Coolify.
|
||||||
|
|
||||||
### 1) Create application in Coolify
|
### 1) Create application in Coolify
|
||||||
|
|
||||||
- In Coolify, create a new `Application` from your Git repository.
|
- In Coolify, create a new `Application` using `Docker Image` / `Public Image` / `Private Registry Image`.
|
||||||
- Branch: `main` (or your release branch).
|
- Image: `git.allucanget.biz/allucanget/arbitrade:latest`
|
||||||
- Build Pack: `Nixpacks`.
|
- Registry: `git.allucanget.biz`
|
||||||
- Root Directory: `.`
|
- If registry auth is required, configure the same registry credentials in Coolify.
|
||||||
|
|
||||||
### 2) Configure build and start behavior
|
### 2) Configure build and start behavior
|
||||||
|
|
||||||
Set these in Coolify application settings:
|
Set these in Coolify application settings:
|
||||||
|
|
||||||
- Build Command: leave empty (let Nixpacks auto-detect Python).
|
- Build Command: leave empty.
|
||||||
- Install Command: leave empty (Nixpacks will install from `pyproject.toml`, which reads `requirements/latest-runtime.in`).
|
- Install Command: leave empty.
|
||||||
- Start Command: `python -m arbitrade.main`
|
- Start Command: leave empty unless you explicitly want to override the image default.
|
||||||
- Port: `8000`
|
- Port: `8000`
|
||||||
|
|
||||||
### 3) Configure health check and networking
|
### 3) Configure health check and networking
|
||||||
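Review bot: In step 1, "configure the same registry credentials in Coolify" reads as reusing the CI `REGISTRY_USERNAME` / `REGISTRY_TOKEN`, which are able to push images, while the deployment host only needs to pull. Suggest wording this as a separate read-only registry credential for Coolify. The first bullet also lists `Docker Image` / `Public Image` / `Private Registry Image` without saying which one applies to this registry, and step 2 keeps the heading "Configure build and start behavior" although nothing is built in Coolify any more.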
@@ -318,9 +318,11 @@ Recommended:
|
|||||||
- Configure `FERNET_KEY` in Coolify secrets (do not commit it).
|
- Configure `FERNET_KEY` in Coolify secrets (do not commit it).
|
||||||
- Keep all exchange keys/secrets in Coolify secret variables only.
|
- Keep all exchange keys/secrets in Coolify secret variables only.
|
||||||
|
|
||||||
|
Coolify should own runtime configuration through environment variables. CI only publishes the image.
|
||||||
|
|
||||||
### 6) Deploy and verify
|
### 6) Deploy and verify
|
||||||
|
|
||||||
- Trigger deploy in Coolify.
|
- Trigger deploy in Coolify after CI publishes `git.allucanget.biz/allucanget/arbitrade:latest`.
|
||||||
- Verify app boot logs show startup completed.
|
- Verify app boot logs show startup completed.
|
||||||
- Verify `GET /health` returns success on deployed URL.
|
- Verify `GET /health` returns success on deployed URL.
|
||||||
|
|
||||||
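Review bot: Step 6 says to deploy "after CI publishes `git.allucanget.biz/allucanget/arbitrade:latest`", but with a single mutable tag the verification bullets cannot show that the running container is the build from the intended commit; a deploy triggered before the push finishes would still pass `GET /health` on the previous image. Suggest adding a check that ties the deployment to the build, such as comparing the digest of the pulled image with the digest CI pushed.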
@@ -334,13 +336,6 @@ Required Gitea Actions secrets:
|
|||||||
|
|
||||||
- `REGISTRY_USERNAME`
|
- `REGISTRY_USERNAME`
|
||||||
- `REGISTRY_TOKEN`
|
- `REGISTRY_TOKEN`
|
||||||
- `REGISTRY_NAMESPACE`
|
|
||||||
|
|
||||||
Expected namespace now likely:
|
|
||||||
|
|
||||||
```text
|
|
||||||
allucanget
|
|
||||||
```
|
|
||||||
|
|
||||||
Example registry login:
|
Example registry login:
|
||||||
|
|
||||||
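Review bot: With `REGISTRY_NAMESPACE` removed, the required-secrets list names `REGISTRY_USERNAME` and `REGISTRY_TOKEN` but does not say what the token must be permitted to do. Suggest documenting the minimum scope it needs (package write, used by CI only) and noting that the now-unused `REGISTRY_NAMESPACE` secret can be deleted from the repository settings.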
@@ -351,7 +346,7 @@ docker login git.allucanget.biz
|
|||||||
Example pushed image tag shape:
|
Example pushed image tag shape:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
git.allucanget.biz/allucanget/arbitrade:<tag>
|
git.allucanget.biz/allucanget/arbitrade:latest
|
||||||
```
|
```
|
||||||
|
|
||||||
## Project Layout
|
## Project Layout
|
||||||
@@ -416,7 +411,7 @@ Hardening checklist:
|
|||||||
- Use least-privilege Kraken API keys: query + trade only; never enable withdrawal.
|
- Use least-privilege Kraken API keys: query + trade only; never enable withdrawal.
|
||||||
- Rotate API keys immediately if secret scan flags a potential exposure.
|
- Rotate API keys immediately if secret scan flags a potential exposure.
|
||||||
- Keep dashboard auth enabled in non-local environments and avoid default/shared credentials.
|
- Keep dashboard auth enabled in non-local environments and avoid default/shared credentials.
|
||||||
- Run `pip-audit --skip-editable` in CI; treat vulnerability findings as release blockers.
|
- Run `pip-audit -r requirements/latest-runtime.in` in CI; treat vulnerability findings as release blockers.
|
||||||
- Run `python scripts/security_scan.py` before release and after major merges.
|
- Run `python scripts/security_scan.py` before release and after major merges.
|
||||||
- Store secrets in environment/secret manager; never commit `.env` or key material.
|
- Store secrets in environment/secret manager; never commit `.env` or key material.
|
||||||
|
|
||||||
|
|||||||
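Review bot: The checklist line changes from `pip-audit --skip-editable` to `pip-audit -r requirements/latest-runtime.in`, which audits whatever that input file resolves to at audit time rather than the packages actually installed; if the `.in` file is an unpinned input, as its name suggests, the result can differ from what ships in the published image. Suggest auditing a pinned or compiled requirements file, or the environment inside the built image, and confirming that the CI workflow step uses the same command as this line. The commit message also does not mention this change.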