From 5bdd6d10b9042850e9d1c17f037614dc80b035b7 Mon Sep 17 00:00:00 2001 From: Sagnik Ghosh Date: Fri, 1 May 2026 12:35:54 +0530 Subject: [PATCH] CI: Configure Gitea Actions deployment pipeline --- .gitea/workflows/deploy.yaml | 144 +++++++++++++++++++++++++++++++++++ 1 file changed, 144 insertions(+) create mode 100644 .gitea/workflows/deploy.yaml diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml new file mode 100644 index 0000000..b446377 --- /dev/null +++ b/.gitea/workflows/deploy.yaml 
@@ -0,0 +1,144 @@ +name: Velocity-OS Deployment Pipeline + +on: + push: + branches: + - master + - main + +env: + AWS_REGION: ap-south-1 + DOCKER_BUILDKIT: 1 + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: 20 + cache: 'npm' + cache-dependency-path: 'webos/package-lock.json' + + - name: Lint WebOS + working-directory: ./webos + run: | + npm ci + npm run type-check + npm run lint + + - name: Setup Python + uses: actions/setup-python@v4 + with: + python-version: '3.11' + + - name: Lint Core + working-directory: ./core + run: | + pip install ruff mypy + ruff check . + mypy . --ignore-missing-imports + + build-and-push: + needs: lint + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + strategy: + matrix: + service: [core, webos, media-engine, agents] + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + + - name: Build and Push Docker Image + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + SERVICE: ${{ matrix.service }} + IMAGE_TAG: ${{ github.sha }} + run: | + # Build + docker build \ + --cache-from $ECR_REGISTRY/velocity-os/$SERVICE:latest \ + --build-arg BUILDKIT_INLINE_CACHE=1 \ + --label git.sha=${{ github.sha }} \ + --label git.ref=${{ github.ref_name }} \ + -t $ECR_REGISTRY/velocity-os/$SERVICE:$IMAGE_TAG \ + -t $ECR_REGISTRY/velocity-os/$SERVICE:latest \ + ./$SERVICE + + # Push + docker push $ECR_REGISTRY/velocity-os/$SERVICE:$IMAGE_TAG + docker push $ECR_REGISTRY/velocity-os/$SERVICE:latest + + sign-images: + needs: build-and-push + runs-on: 
ubuntu-latest + strategy: + matrix: + service: [core, webos, media-engine, agents] + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + + - name: Install Cosign + uses: sigstore/cosign-installer@v3.1.1 + with: + cosign-release: 'v2.4.0' + + - name: Sign Image + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + SERVICE: ${{ matrix.service }} + IMAGE_TAG: ${{ github.sha }} + run: | + IMAGE="${ECR_REGISTRY}/velocity-os/${SERVICE}:${IMAGE_TAG}" + DIGEST=$(aws ecr describe-images \ + --repository-name velocity-os/${SERVICE} \ + --image-ids imageTag=${IMAGE_TAG} \ + --region ${AWS_REGION} \ + --query 'imageDetails[0].imageDigest' --output text) + + cosign sign --yes "${ECR_REGISTRY}/velocity-os/${SERVICE}@${DIGEST}" + + notify-ingress: + needs: sign-images + runs-on: ubuntu-latest + if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' + steps: + - name: Install SSH Client + run: sudo apt-get update && sudo apt-get install -y openssh-client + + - name: Notify Ingress Box + env: + INGRESS_SSH_KEY: ${{ secrets.INGRESS_SSH_KEY }} + INGRESS_BOX_IP: ${{ secrets.INGRESS_BOX_IP }} + run: | + echo "$INGRESS_SSH_KEY" > ingress_key.pem + chmod 600 ingress_key.pem + ssh -i ingress_key.pem -o StrictHostKeyChecking=no ubuntu@$INGRESS_BOX_IP "sudo systemctl start velocity-ingress-poll.service" + rm -f ingress_key.pem
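Review bot: The notify-ingress step disables host-key verification with `-o StrictHostKeyChecking=no`, so whatever host answers at `$INGRESS_BOX_IP` can accept the connection and receive the `sudo systemctl start` command; pin the host key instead, e.g. keep it in a secret and use `echo "$INGRESS_HOST_KEY" > known_hosts` together with `-o UserKnownHostsFile=known_hosts -o StrictHostKeyChecking=yes`. In the same step the private key is written with `echo` and only removed when ssh succeeds, so a failed connection leaves `ingress_key.pem` in the runner workspace — move the `rm -f` into a separate step with `if: ${{ always() }}` or load the key into ssh-agent rather than a file. Separately, `id-token: write` is granted to build-and-push, where no step uses it, and omitted from sign-images, where `cosign sign` without `--key` implies keyless signing that needs an ambient OIDC token; since both jobs authenticate with long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` rather than an assumed role, it is unclear the runner provides such a token at all, so either supply a signing key with `--key` or confirm keyless signing actually works on this Gitea runner before relying on the signatures. All `uses:` references are pinned to moving tags (`@v3`, `@v4`, `@v3.1.1`) rather than commit SHAs, which is worth tightening for a pipeline that holds registry and ingress credentials.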