From 1ab4ced780d72c750134167e05189f46593aaa66 Mon Sep 17 00:00:00 2001
From: Wisward
Date: Mon, 1 Jun 2026 13:11:12 -0400
Subject: [PATCH 1/2] chore: record CodeRabbit PR-review workflow in repo-memory
Per user direction: all merges go through a PR validated by CodeRabbit; merge only when validation fully passes; resolve findings and re-review before merging.
---
 .claude/memory/MEMORY.md | 1 +
 .../memory/feedback-coderabbit-pr-workflow.md | 13 ++++++
 .github/workflows/deployment_prod.yml | 45 -------------------
 .github/workflows/deployment_refresh_prod.yml | 33 --------------
 .github/workflows/shutdown.yml | 17 -------
 5 files changed, 14 insertions(+), 95 deletions(-)
 create mode 100644 .claude/memory/feedback-coderabbit-pr-workflow.md
 delete mode 100644 .github/workflows/deployment_prod.yml
 delete mode 100644 .github/workflows/deployment_refresh_prod.yml
 delete mode 100644 .github/workflows/shutdown.yml
diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md
index f3eb364..b84a5fd 100644
--- a/.claude/memory/MEMORY.md
+++ b/.claude/memory/MEMORY.md
@@ -2,3 +2,4 @@
 - [No co-authors in commits](feedback-no-coauthors.md) — never add Co-Authored-By trailers to commit messages
 - [agent-cloud deployment](project-agent-cloud-deployment.md) — WisBot deploys via agent-cloud as a pulled image; secrets in OpenBao, site values in site-config
+- [CodeRabbit PR workflow](feedback-coderabbit-pr-workflow.md) — all merges go through a PR; merge only when CodeRabbit fully passes; resolve findings + re-review first
diff --git a/.claude/memory/feedback-coderabbit-pr-workflow.md b/.claude/memory/feedback-coderabbit-pr-workflow.md
new file mode 100644
index 0000000..2cc29ec
--- /dev/null
+++ b/.claude/memory/feedback-coderabbit-pr-workflow.md
@@ -0,0 +1,13 @@
+---
+name: feedback-coderabbit-pr-workflow
+description: All code merges go through a PR validated by CodeRabbit before merge
+metadata:
+ node_type: memory
+ type: feedback
+---
+
+Never merge code straight to `main`. Every change ships via a **pull request** so **CodeRabbit** can review it. Merge **only when validation fully passes**. If CodeRabbit raises an issue, **resolve it and let CodeRabbit re-review** (push the fix, wait for the new review) **before merging** — don't merge over unresolved findings.
+
+**Why:** CodeRabbit review on PRs is the team's validation gate; merging without it (or over open findings) skips the safety check the user relies on.
+
+**How to apply:** branch from `main` → implement → push → open PR (`gh pr create`) → wait for **all** checks (CodeRabbit + CI) → if findings, fix + push + wait for re-review → only merge once approved/green. Squash-merge + delete branch is the user's chosen merge style. Phased work = one branch/PR per phase. Related: [[feedback-no-coauthors]], [[project-agent-cloud-deployment]].
diff --git a/.github/workflows/deployment_prod.yml b/.github/workflows/deployment_prod.yml
deleted file mode 100644
index dad01c4..0000000
--- a/.github/workflows/deployment_prod.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-name: Deployment Script
-
-on:
- # push:
- # branches:
- # - main
- workflow_dispatch:
-
-jobs:
- deployment:
- runs-on: self-hosted # This specifies that the job should run on your self-hosted runner
-
- steps:
- - name: Clear Checkout Code Repository before new Checkout
- run: echo ${{ secrets.UHSTRAY_SUDO }} | sudo -S rm -rf /home/uhstray/actions-runner/_work/WisBot/WisBot/prometheus
-
- # - name: Re-create WisBot Directory
- # run: echo ${{ secrets.UHSTRAY_SUDO }} | sudo -S mkdir -p /home/uhstray/actions-runner/_work/WisBot/WisBot
-
- - name: Checkout code
- uses: actions/checkout@v4
- with:
- clean: 'true'
- repository: uhstray-io/WisBot
-
- - name: Change to WisBot Directory
- run: cd $GITHUB_WORKSPACE
-
- - name: Docker Down
- run: docker compose down
-
- - name: Append Secret to .env file
- run: printf "\nDISCORD_TOKEN_WISBOT=${{ secrets.DISCORD_TOKEN_WISBOT }}" >> .env
-
- - name: Print the contents of the .env file
- run: cat .env
-
- - name: Docker Build
- env:
- DISCORD_TOKEN_WISBOT: ${{ secrets.DISCORD_TOKEN_WISBOT }}
- run: docker build -t wisbot .
-
- - name: Docker Up
- run: docker compose up -d
-
diff --git a/.github/workflows/deployment_refresh_prod.yml b/.github/workflows/deployment_refresh_prod.yml
deleted file mode 100644
index afb41d1..0000000
--- a/.github/workflows/deployment_refresh_prod.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: Refresh Deployment Script
-
-# Manual trigger
-on:
- workflow_dispatch:
-
-
-
-jobs:
- deployment:
- runs-on: self-hosted # This specifies that the job should run on your self-hosted runner
-
- steps:
-
- - name: Checkout code
- uses: actions/checkout@v2
-
- - name: Append Secret to .env file
- run: printf "\nDISCORD_TOKEN_WISBOT=${{ secrets.DISCORD_TOKEN_WISBOT }}" >> .env
-
- - name: Print the contents of the .env file
- run: cat .env
-
- - name: Docker Down
- run: docker compose down --rmi="all" -v
-
- - name: Docker Build
- env:
- DISCORD_TOKEN_WISBOT: ${{ secrets.DISCORD_TOKEN_WISBOT }}
- run: docker build -t wisbot .
-
- - name: Docker Up
- run: docker compose up -d
diff --git a/.github/workflows/shutdown.yml b/.github/workflows/shutdown.yml
deleted file mode 100644
index 941cc61..0000000
--- a/.github/workflows/shutdown.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Shutdown Script
-
-# Manual trigger
-on:
- workflow_dispatch:
-
-jobs:
- deployment:
- runs-on: self-hosted # This specifies that the job should run on your self-hosted runner
-
- steps:
-
- - name: Checkout code
- uses: actions/checkout@v2
-
- - name: Docker Down
- run: docker compose down
From afb596eb14f52e1adb6673c181e35ff362de9b10 Mon Sep 17 00:00:00 2001
From: Wisward
Date: Mon, 1 Jun 2026 13:11:12 -0400
Subject: [PATCH 2/2] ci: publish image to GHCR; retire legacy self-hosted deploy workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Phase 4 of agent-cloud deployment alignment.
- Add build-and-publish.yml: build + push to ghcr.io/uhstray-io/wisbot on merge to main and on v* tags (metadata-action tags: latest, short-sha, semver). Minimal permissions (contents: read, packages: write), persist-credentials: false, all actions pinned to commit SHAs.
- Remove legacy self-hosted-runner workflows: deployment_prod.yml, deployment_refresh_prod.yml, shutdown.yml (replaced by GHCR publish + agent-cloud/Semaphore deploy; they also leaked the token via 'cat .env').
- Keep deploy-o11y.yml (observability) — migration to agent-cloud's o11y is a tracked follow-up.
- Update README + CLAUDE.md deployment sections.
---
 .github/workflows/build-and-publish.yml | 54 +++++++++++++++++++++++++
 CLAUDE.md | 4 +-
 README.md | 6 ++-
 3 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/build-and-publish.yml
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
new file mode 100644
index 0000000..7352532
--- /dev/null
+++ b/.github/workflows/build-and-publish.yml
@@ -0,0 +1,54 @@
+name: Build and Publish
+
+# Builds the Docker image and pushes it to GHCR on merge to main and on version
+# tags. Deployment itself is handled by the agent-cloud platform (pulls this image).
+on:
+ push:
+ branches: [main]
+ tags: ["v*"]
+ workflow_dispatch:
+
+env:
+ IMAGE: ghcr.io/uhstray-io/wisbot
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+ - name: Log in to GHCR
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Image metadata
+ id: meta
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
+ with:
+ images: ${{ env.IMAGE }}
+ tags: |
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=sha,format=short
+ type=semver,pattern={{version}}
+
+ - name: Build and push
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/CLAUDE.md b/CLAUDE.md
index b4a9af2..d8699ad 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
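Review bot: The "Build and push" step has no `id` and nothing records the digest of what was actually pushed, so the agent-cloud deploy that pulls this image can only reference the mutable `latest` / short-SHA tags produced by the metadata step; give the step `id: build` and write `${{ steps.build.outputs.digest }}` (the digest output docker/build-push-action exposes) to `$GITHUB_STEP_SUMMARY` or a job output so deploys can pin `ghcr.io/uhstray-io/wisbot@sha256:…`. Two pushes to `main` in quick succession can race so that the older build finishes last and re-tags `latest`; a top-level `concurrency:` with `group: publish-${{ github.ref }}` and `cancel-in-progress: false` serializes them. `workflow_dispatch` is also honoured on any ref, so a non-`main` branch can publish a sha-tagged image from unreviewed code — at odds with the PR-gate rule the first patch records — so either drop it or guard the push step with `if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')`. The commit-SHA pins are the right form, but the `# v4` / `# v3` / `# v5` / `# v6` comments cannot be verified from here; a Dependabot `github-actions` ecosystem entry keeps the pins and their version comments in step.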
@@ -15,9 +15,9 @@ No test framework or linter is configured.
 ## Deployment
-A multi-stage `Dockerfile` builds a Linux image (`dotnet/runtime:10.0` base). Voice natives: `libsodium` + SQLite ship cross-platform via NuGet; `opus` is installed in the image via `apt` (`libopus0`, symlinked to the unversioned name `DllImport("opus")` probes). Config (token, guild ID, paths) is supplied at runtime via env / an env file — never baked into the image. `docker-build.yml` validates the image builds on every PR.
+A multi-stage `Dockerfile` builds a Linux image (`dotnet/runtime:10.0` base). Voice natives: `libsodium` + SQLite ship cross-platform via NuGet; `opus` is installed in the image via `apt` (`libopus0`, symlinked to the unversioned name `DllImport("opus")` probes). Config (token, guild ID, paths) is supplied at runtime via env / an env file — never baked into the image.
-Deployment is being migrated to the **agent-cloud** platform (pull image → Ansible-templated `.env` → Semaphore), replacing the legacy self-hosted-runner workflows. See `docs/plans/2026-06-01-agent-cloud-deployment-alignment.md`.
+CI: `docker-build.yml` validates the image builds on every PR; `build-and-publish.yml` builds and pushes to `ghcr.io/uhstray-io/wisbot` on merge to `main` and on `v*` tags. The image is then deployed by the **agent-cloud** platform (pull image → Ansible-templated `.env` from OpenBao + site-config → Semaphore). The legacy self-hosted-runner deploy workflows have been removed; `deploy-o11y.yml` remains pending migration to agent-cloud's o11y service. See `docs/plans/2026-06-01-agent-cloud-deployment-alignment.md`.
 ## Architecture
diff --git a/README.md b/README.md
index c0ce9dc..8796ced 100644
--- a/README.md
+++ b/README.md
@@ -48,4 +48,8 @@ While the bot is running, type these in the console:
 ## Deployment
-Production runs on a self-hosted runner via GitHub Actions. Trigger manually with `workflow_dispatch` in `.github/workflows/deployment_prod.yml`. The bot token is supplied via the `DISCORD_TOKEN_WISBOT` repository secret.
+WisBot ships as a Docker image. On merge to `main` (and on `v*` tags), `.github/workflows/build-and-publish.yml` builds the image and publishes it to `ghcr.io/uhstray-io/wisbot`. `.github/workflows/docker-build.yml` validates the image builds on every PR.
+
+The image is deployed by the **agent-cloud** platform — it pulls the published image and supplies configuration (Discord token, guild ID, endpoints) via an Ansible-templated `.env` from OpenBao + site-config, orchestrated through Semaphore. Nothing site-specific is baked into the image. See `docs/plans/2026-06-01-agent-cloud-deployment-alignment.md`.
+
+> The legacy self-hosted-runner deploy workflows have been removed in favor of this model. (`deploy-o11y.yml` remains for now; migrating observability to agent-cloud's o11y service is a tracked follow-up.)