shadowdao
d9cc5311de
HTTP/3 is config-only — the Debian haproxy package is built +QUIC via the OpenSSL compat shim. Changes: - hap_header.tpl: `limited-quic` (required to enable QUIC binds under the compat layer) + self-healing `cluster-secret` for QUIC token derivation. - hap_listener.tpl: `bind quic4@:443 ... alpn h3` in the shared frontend (so real-IP/rate-limit/IP-block/Coraza rules apply to H3 too) + alt-svc header. - Dockerfile/README: publish/document 443/udp; stamp image.version from VERSION. - CI: tag :latest + :<VERSION> + :<sha> so there's a pinnable rollback target. No 0-RTT (compat-layer limitation). Validated end-to-end on a standalone edge: config parses, UDP/443 binds, alt-svc advertised, real curl --http3 -> HTTP/3. Container must run with `-p 443:443/udp` + host UDP/443 open. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
62 lines
2.3 KiB
YAML
62 lines
2.3 KiB
YAML
name: HAProxy Manager Build and Push
|
|
run-name: ${{ gitea.actor }} pushed a change to main
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
Build-and-Push:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v3
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: https://github.com/docker/setup-buildx-action@v3
|
|
|
|
- name: Login to Gitea
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: repo.anhonesthost.net
|
|
username: ${{ secrets.CI_USER }}
|
|
password: ${{ secrets.CI_TOKEN }}
|
|
|
|
# Second push target so the image is also available from GitHub Container
|
|
# Registry under the user's account. The PAT only needs write:packages
|
|
# (and read:packages if the package is private). Stored in Gitea as
|
|
# secrets.GHCR_TOKEN; username is the literal GitHub login.
|
|
- name: Login to GHCR
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: shadowdao
|
|
password: ${{ secrets.GHCR_TOKEN }}
|
|
|
|
# Read the human-readable release version from the VERSION file so every
|
|
# build is pinnable for rollback (alongside the immutable git SHA). Bump
|
|
# VERSION (YYYY.MM.N) in the same commit as a release-worthy change.
|
|
- name: Read version
|
|
id: ver
|
|
run: echo "version=$(cat VERSION)" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Build Image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
platforms: linux/amd64
|
|
push: true
|
|
build-args: |
|
|
VERSION=${{ steps.ver.outputs.version }}
|
|
# Three tags per registry: :latest (moving), :<version> (human-readable
|
|
# release), :<sha> (immutable, guaranteed-unique rollback target).
|
|
tags: |
|
|
repo.anhonesthost.net/cloud-hosting-platform/haproxy-manager-base:latest
|
|
repo.anhonesthost.net/cloud-hosting-platform/haproxy-manager-base:${{ steps.ver.outputs.version }}
|
|
repo.anhonesthost.net/cloud-hosting-platform/haproxy-manager-base:${{ gitea.sha }}
|
|
ghcr.io/shadowdao/haproxy-manager-base:latest
|
|
ghcr.io/shadowdao/haproxy-manager-base:${{ steps.ver.outputs.version }}
|
|
ghcr.io/shadowdao/haproxy-manager-base:${{ gitea.sha }}
|