1
Gitea Actions CICD
WMJ Ismail edited this page 2026-07-03 09:00:59 +02:00

Gitea Actions CI/CD

Full CI/CD pipeline documentation for the Hermes cPanel Agent.

Runner

A Gitea Actions runner is deployed as a Docker Swarm service on Contabo:

Detail Value
Name contabo-swarm-runner
Host Docker Swarm leader (vmi3361598)
Image gitea/act_runner:v0.6.1
Network gitea_gitea-net
Labels ubuntu-latest, self-hosted

Runner Setup

# Get registration token from Gitea CLI
docker exec -u git gitea_gitea.1.xxx gitea actions generate-runner-token

# Deploy as Swarm service
docker service create \
  --name gitea-runner \
  --network gitea_gitea-net \
  --restart-condition any \
  --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
  --env GITEA_INSTANCE_URL=https://git.falahos.my \
  --env GITEA_RUNNER_REGISTRATION_TOKEN=TOKEN \
  --env GITEA_RUNNER_NAME=contabo-swarm-runner \
  gitea/act_runner:latest

Workflows

1. CI (ci.yml)

Trigger: Push to main/develop, PRs

┌─────────────┐    ┌──────────────┐    ┌─────────────┐
│ PHP Syntax  │ →  │ Security     │ →  │ Schema      │
│ Check       │    │ Scan         │    │ Validation  │
└─────────────┘    └──────────────┘    └─────────────┘
  • php -l on all PHP files
  • Greps for banned functions (exec, shell_exec, system, eval)
  • Validates WordPress plugin headers
  • Verifies REST namespace declaration

2. Deploy (deploy.yml)

Trigger: Push to main

┌──────────┐   ┌─────────────────┐   ┌──────────────┐
│ CI Check │ → │ Git Push to     │ → │ WP REST API  │
│ (pass)   │   │ cPanel Remote   │   │ Fallback     │
└──────────┘   └─────────────────┘   └──────────────┘
                                               ↓
                                        ┌──────────────┐
                                        │ Verify       │
                                        │ Deployment   │
                                        └──────────────┘

Primary path: SSH into cPanel Git remote, force-push main branch. Fallback: Build plugin zip and upload via WP REST API /wp/v2/plugins. Verification: Check plugin is active + hermes/v1 namespace is registered.

3. Sync (sync.yml)

Trigger: Push to main + every 6 hours

  • Syncs code to cPanel git
  • Uploads plugin zip to Nextcloud artifacts folder

4. Health (health.yml)

Trigger: Every 30 minutes

  • Checks plugin is active on WordPress
  • Verifies REST API responds
  • Alerts on failure via Gitea notifications

Secrets

Set these in Settings → Actions → Secrets:

Secret Purpose Required
WP_URL WordPress site URL Set
WP_APP_USER WordPress username Set
WP_APP_PASSWORD Application Password Pending
CPANEL_SSH_KEY cPanel deploy SSH key Pending
CPANEL_GIT_REMOTE cPanel git remote URL Pending
CPANEL_HOST cPanel SSH hostname Pending
CPANEL_DEPLOY_HOOK_URL Optional deploy webhook Optional
NEXTCLOUD_HERMES_PASS Nextcloud sync password Pending

Setting Secrets via API

curl -X PUT -u "wmj:Abedib%4099" \
  -H "Content-Type: application/json" \
  -d '{"data":"BASE64_ENCODED_VALUE"}' \
  "https://git.falahos.my/api/v1/repos/wmj/hermes-cpanel-agent/actions/secrets/SECRET_NAME"

Architecture

Developer Push
     ↓
Gitea (git.falahos.my)
     ↓
Gitea Actions Runner (Docker Swarm on Contabo)
     ├── CI: lint, security, schema
     ├── Deploy: git push → cPanel OR WP REST API
     ├── Sync: cPanel sync + Nextcloud
     └── Health: every 30min
     ↓
cPanel Hosting (ummah.falahos.my)
     ├── cPanel Git Version Control (auto-pull)
     ├── WordPress + Hermes Plugin
     └── WP-Cron agent scheduler
     ↓
Agents Running:
     ├── Ody Clone: Content Generator (REST API)
     └── PI Clone: Auto-Reply (planned)

Adding a New Workflow

  1. Create .gitea/workflows/your-workflow.yml
  2. Use runs-on: ubuntu-latest (handled by our self-hosted runner)
  3. Any helper scripts go in .gitea/scripts/
  4. Push to main — runner picks it up automatically

Monitoring