From 547942268fd011f810e0ba58f9ef583076406432 Mon Sep 17 00:00:00 2001 From: Aleksandr Meshchriakov Date: Wed, 18 Feb 2026 16:53:15 +0100 Subject: [PATCH] =?UTF-8?q?CI:=20=D0=BE=D1=81=D1=82=D0=B0=D0=B2=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20=D1=82=D0=BE=D0=BB=D1=8C=D0=BA=D0=BE=20lint/test?= =?UTF-8?q?=20=D0=B8=20=D0=B1=D1=80=D0=B0=D1=82=D1=8C=20TG=20=D0=B8=D0=B7?= =?UTF-8?q?=20secrets?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitea/workflows/ci-cd.yml | 138 ++----------------------------------- 1 file changed, 6 insertions(+), 132 deletions(-) diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml index 9b1c7ac..ec6ed57 100644 --- a/.gitea/workflows/ci-cd.yml +++ b/.gitea/workflows/ci-cd.yml @@ -13,15 +13,15 @@ on: env: PYTHON_VERSION: "3.11" - REGISTRY_HOST: "10.10.0.10:3000" - WEB_IMAGE: "mostovik-web" - CELERY_IMAGE: "mostovik-celery" jobs: lint: name: Code Quality Checks runs-on: ubuntu-latest if: ${{ !contains(github.event.head_commit.message, '#no_lint') }} + env: + TG_BOT_KEY: ${{ secrets.TG_BOT_KEY }} + TG_CHANNEL: ${{ secrets.TG_CHANNEL }} steps: - name: Checkout code @@ -83,6 +83,9 @@ jobs: name: Run Tests runs-on: ubuntu-latest if: ${{ !contains(github.event.head_commit.message, '#no_test') }} + env: + TG_BOT_KEY: ${{ secrets.TG_BOT_KEY }} + TG_CHANNEL: ${{ secrets.TG_CHANNEL }} steps: - name: Checkout code 
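Review bot: The job-level `env:` added to `lint` (and the identical block added to `test` in the second hunk) exposes `TG_BOT_KEY` and `TG_CHANNEL` to every step of the job, not only to the Telegram notification. Those jobs presumably install dependencies and run lint/test tooling, which is third-party code that would then be able to read the bot token from its environment. I would drop the job-level blocks and put the same mapping on the notify steps only, i.e. under each notify step: `env:` with `TG_BOT_KEY: ${{ secrets.TG_BOT_KEY }}` and `TG_CHANNEL: ${{ secrets.TG_CHANNEL }}`. The step lists of both jobs lie mostly outside these hunks, so confirm against the full file that no other step relies on the variables.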
@@ -137,132 +140,3 @@ jobs: curl -fsS -X POST "https://api.telegram.org/bot${TG_BOT_KEY}/sendMessage" \ -d "chat_id=${TG_CHANNEL}" \ --data-urlencode "text=${MSG}" - - build_push: - name: Build & Push Images - runs-on: ubuntu-latest - needs: [lint, test] - if: | - github.event_name == 'push' && - (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && - (needs.lint.result == 'success' || needs.lint.result == 'skipped') && - (needs.test.result == 'success' || needs.test.result == 'skipped') - - steps: - - name: Checkout code - run: | - REPO_URL=$(echo "${GITHUB_SERVER_URL}" | sed "s|://|://oauth2:${{ gitea.token }}@|") - BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}" - git clone --depth=1 --branch="${BRANCH}" "${REPO_URL}/${GITHUB_REPOSITORY}.git" . - git checkout "${GITHUB_SHA}" - - - name: Build and push images - env: - REGISTRY_USER: ${{ secrets.REGISTRY_USER }} - REGISTRY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} - run: | - set -euo pipefail - curl -sL https://github.com/google/go-containerregistry/releases/download/v0.19.0/go-containerregistry_Linux_x86_64.tar.gz | tar xz crane - chmod +x crane - - BRANCH_TAG=$(echo "${GITHUB_REF_NAME}" | sed 's/\//-/g') - SHA_SHORT=$(echo "${GITHUB_SHA}" | cut -c1-7) - REPO_OWNER="${GITHUB_REPOSITORY%%/*}" - REGISTRY="${REGISTRY_HOST}/${REPO_OWNER}" - REGISTRY_IP="${REGISTRY_HOST%%:*}" - GITEA_HOST=$(echo "${GITHUB_SERVER_URL}" | sed -E 's#https?://([^/:]+).*#\1#') - - echo "Registry: ${REGISTRY_HOST}" - echo "Registry IP: ${REGISTRY_IP}" - echo "Actor: ${GITHUB_ACTOR}" - echo "Gitea host: ${GITEA_HOST}" - - # Ensure token endpoint host resolves to internal network IP from runner. - # Registry auth flow may redirect to ${GITEA_HOST} even when pushing to REGISTRY_HOST. - # Replace old mapping if present and pin host to internal IP. 
- grep -v "[[:space:]]${GITEA_HOST}$" /etc/hosts > /tmp/hosts.cleaned || true - cat /tmp/hosts.cleaned > /etc/hosts - echo "${REGISTRY_IP} ${GITEA_HOST}" >> /etc/hosts - getent hosts "${GITEA_HOST}" || true - - # Some runners have outbound proxy env configured; force direct access - # to internal registry/gitea hosts for auth flow. - unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY all_proxy ALL_PROXY - export NO_PROXY="${NO_PROXY:-},${REGISTRY_IP},${GITEA_HOST}" - export no_proxy="${no_proxy:-},${REGISTRY_IP},${GITEA_HOST}" - # Force pure Go resolver for crane to honor /etc/hosts mapping first. - export GODEBUG=netdns=go - - echo "${REGISTRY_PASSWORD}" | ./crane auth login --insecure "${REGISTRY_HOST}" -u "${REGISTRY_USER}" --password-stdin - - docker build \ - -f ./docker/Dockerfile \ - --target runtime-web \ - --build-arg INSTALL_DEV=false \ - -t "${WEB_IMAGE}:local" . - docker save "${WEB_IMAGE}:local" -o /tmp/web.tar - - ./crane push --insecure /tmp/web.tar "${REGISTRY}/${WEB_IMAGE}:${BRANCH_TAG}" - ./crane push --insecure /tmp/web.tar "${REGISTRY}/${WEB_IMAGE}:${BRANCH_TAG}-${SHA_SHORT}" - if [ "${GITHUB_REF_NAME}" = "main" ]; then - ./crane push --insecure /tmp/web.tar "${REGISTRY}/${WEB_IMAGE}:latest" - fi - - docker build \ - -f ./docker/Dockerfile \ - --target runtime-celery \ - --build-arg INSTALL_DEV=false \ - -t "${CELERY_IMAGE}:local" . 
- docker save "${CELERY_IMAGE}:local" -o /tmp/celery.tar - - ./crane push --insecure /tmp/celery.tar "${REGISTRY}/${CELERY_IMAGE}:${BRANCH_TAG}" - ./crane push --insecure /tmp/celery.tar "${REGISTRY}/${CELERY_IMAGE}:${BRANCH_TAG}-${SHA_SHORT}" - if [ "${GITHUB_REF_NAME}" = "main" ]; then - ./crane push --insecure /tmp/celery.tar "${REGISTRY}/${CELERY_IMAGE}:latest" - fi - - - name: Image summary - run: | - REPO_OWNER="${GITHUB_REPOSITORY%%/*}" - echo "Images pushed to ${REGISTRY_HOST}/${REPO_OWNER}/" - - - name: Telegram notify (build_push failed) - if: failure() - run: | - set -euo pipefail - if [ -z "${TG_BOT_KEY:-}" ] || [ -z "${TG_CHANNEL:-}" ]; then - echo "TG_BOT_KEY or TG_CHANNEL is not set; skip telegram notification" - exit 0 - fi - - MSG="❌ [mostovik-backend] build_push failed - branch=${GITHUB_REF_NAME} - sha=${GITHUB_SHA} - actor=${GITHUB_ACTOR} - registry=${REGISTRY_HOST}" - - curl -fsS -X POST "https://api.telegram.org/bot${TG_BOT_KEY}/sendMessage" \ - -d "chat_id=${TG_CHANNEL}" \ - --data-urlencode "text=${MSG}" - - - name: Telegram notify (build_push success) - if: success() - env: - COMMIT_MESSAGE: ${{ github.event.head_commit.message }} - run: | - set -euo pipefail - if [ -z "${TG_BOT_KEY:-}" ] || [ -z "${TG_CHANNEL:-}" ]; then - echo "TG_BOT_KEY or TG_CHANNEL is not set; skip telegram notification" - exit 0 - fi - - MSG="✅ [mostovik-backend] image build & push success - branch=${GITHUB_REF_NAME} - sha=${GITHUB_SHA} - actor=${GITHUB_ACTOR} - registry=${REGISTRY_HOST} - commit=${COMMIT_MESSAGE}" - - curl -fsS -X POST "https://api.telegram.org/bot${TG_BOT_KEY}/sendMessage" \ - -d "chat_id=${TG_CHANNEL}" \ - --data-urlencode "text=${MSG}"