kamal/.gitea/workflows/deploy.yml

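# Reusable deployment workflow, invoked from other workflows via workflow_call.
# It runs Kamal inside the container image given by `inputs.image`, loads an
# SSH key into an agent, fetches secrets through the warden action, writes
# .kamal/secrets.<environment>, then reboots accessories and deploys.
on:
  workflow_call:
    secrets:
      ssh-private-key:
        required: true
        type: string
      # NOTE(review): `env` is declared as required, but no step in this
      # workflow references `secrets.env` (see the "Create .env file" step).
      env:
        required: true
        type: string
    inputs:
      image:
        required: false
        type: string
        default: git.qlic.nl/qlic/kamal:latest
      # Kamal destination; also used as the suffix of the secrets file name.
      environment:
        required: true
        type: string
      username:
        required: false
        type: string
        default: ${{ vars.REGISTRY_USERNAME }}
      # NOTE(review): the registry password is an input whose default comes
      # from `vars`, i.e. a plain configuration variable rather than a secret.
      # Moving it to `secrets:` changes the caller interface, so it is only
      # flagged here.
      password:
        required: false
        type: string
        default: ${{ vars.REGISTRY_PASSWORD }}
      # NOTE(review): the three Bitwarden credentials below are inputs, not
      # secrets. Input values may not be masked in job logs the way values
      # from the `secrets` context are; declaring them under `secrets:` would
      # be safer but requires updating every caller.
      warden-client-id:
        description: 'Bitwarden client id'
        required: true
        type: string
      warden-client-secret:
        description: 'Bitwarden client secret'
        required: true
        type: string
      warden-password:
        description: 'Bitwarden password'
        required: true
        type: string
      warden-server:
        description: 'Bitwarden server'
        required: false
        type: string
        default: ${{ vars.WARDEN_URL }}
      # An input that happens to be named `secrets`; it is read below as
      # `inputs.secrets` and is unrelated to the `secrets:` block above.
      secrets:
        description: "One or more secret Ids to retrieve and the corresponding Gitea environment variable name to set"
        required: true
        type: string
jobs:
  deploy:
    runs-on: ubuntu-24.04
    container:
      image: ${{ inputs.image }}
      credentials:
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}
    steps:
      # NOTE(review): `v4` is a mutable tag, while the two actions below are
      # pinned to full commit SHAs; pin this one the same way.
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup SSH agent
        uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387
        with:
          ssh-private-key: ${{ secrets.ssh-private-key }}
      - name: Get bitwarden secrets
        uses: https://git.qlic.nl/actions/warden@b22ebd4ac777f8398bc3fe558e080d39c5209bd9
        with:
          client-id: ${{ inputs.warden-client-id }}
          client-secret: ${{ inputs.warden-client-secret }}
          password: ${{ inputs.warden-password }}
          server: ${{ inputs.warden-server }}
          secrets: ${{ inputs.secrets }}
      # Inputs are handed to the shell through `env:` instead of being
      # expanded into the script text, so a value containing quotes, `$` or
      # `;` is treated as data and cannot alter the command line.
      #
      # NOTE(review): `$ENV` is not set by any `env:` mapping in this
      # workflow; presumably the warden step exports it. Confirm. If it is
      # meant to come from the `env` secret, that secret must be mapped here.
      - name: Create .env file from secret
        env:
          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
        run: |
          # Create the secrets file readable by the current user only.
          umask 077
          echo "$ENV" > ".kamal/secrets.${DEPLOY_ENVIRONMENT}"
      - name: Append kamal registry password
        env:
          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
          REGISTRY_PASSWORD_INPUT: ${{ inputs.password }}
        run: |
          # printf writes the password verbatim, whatever characters it holds.
          printf 'KAMAL_REGISTRY_PASSWORD=%s\n' "$REGISTRY_PASSWORD_INPUT" >> ".kamal/secrets.${DEPLOY_ENVIRONMENT}"
      - name: Boot accessories
        env:
          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
        run: kamal accessory reboot all -d "$DEPLOY_ENVIRONMENT"
      - name: Deploy
        env:
          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
        run: kamal deploy -d "$DEPLOY_ENVIRONMENT"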