2026-05-31 10:23:16 +00:00
5 changed files with 19 additions and 14 deletions
@@ -19,8 +19,10 @@ jobs:
        env:
          TOKEN: ${{ github.token }}
          REF: ${{ github.ref }}
+          GIT_SSL_NO_VERIFY: "true"
        run: |
          git init
+          git remote remove origin 2>/dev/null || true
          git remote add origin "${{ github.server_url }}/${{ github.repository }}.git"
          git config http.extraheader "Authorization: Bearer ${TOKEN}"
          git fetch --depth=1 origin "${REF}"
@@ -28,8 +30,10 @@ jobs:

      - name: Docker Build Test
        env:
+          NODE_IMAGE: mirror.soroushasadi.com/repository/docker-group/node:20-slim
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          docker build \
+            --build-arg NODE_IMAGE="$NODE_IMAGE" \
            --build-arg NPM_TOKEN="$NPM_TOKEN" \
            -t soroushasadi-site:test .
@@ -19,6 +19,7 @@ jobs:
        env:
          TOKEN: ${{ github.token }}
          REF: ${{ github.ref }}
+          GIT_SSL_NO_VERIFY: "true"
        run: |
          git init
          git remote remove origin 2>/dev/null || true
@@ -39,6 +40,8 @@ jobs:
          EOF

      - name: Build Container
+        env:
+          NODE_IMAGE: mirror.soroushasadi.com/repository/docker-group/node:20-slim
        run: |
          docker compose build

@@ -2,7 +2,7 @@
 # the registry.npmjs.org hosts found in package-lock.json to this mirror at
 # install time (default replace-registry-host=npmjs), so the committed lockfile
 # is reused as-is — no regeneration needed.
-registry=https://mirror.soroushasadi.com/repository/npm-group/
+registry=http://mirror.soroushasadi.com/repository/npm-group/

 # Auth is never committed. CI and the Docker build append an `_authToken` line
 # from the NPM_TOKEN secret at install time; for local installs put the token in
@@ -4,7 +4,7 @@
 # as mirror.soroushasadi.com/repository/docker-group/<image>.
 # Build directly against Docker Hub instead with:
 #   --build-arg NODE_IMAGE=node:20-slim
-ARG NODE_IMAGE=node:20-slim
+ARG NODE_IMAGE=mirror.soroushasadi.com/repository/docker-group/node:20-slim
 # ---------------------------------------------------------------------------
 # 1. Dependencies — installs node_modules and compiles the better-sqlite3
 #    native addon (needs python3 + a C++ toolchain).
@@ -15,9 +15,9 @@ RUN apt-get update \
  && apt-get install -y --no-install-recommends python3 make g++ ca-certificates \
  && rm -rf /var/lib/apt/lists/*
 # .npmrc points npm at the Nexus npm-group; NPM_TOKEN (optional) authenticates.
-# The token is written only into this build stage and never reaches the runner
-# image, which copies node_modules — not .npmrc.
-COPY package.json package-lock.json ./
+# The token is appended at build time only — never reaches the runner image.
+ARG NPM_TOKEN=""
+COPY package.json package-lock.json .npmrc ./
 RUN if [ -n "$NPM_TOKEN" ]; then \
      echo "//mirror.soroushasadi.com/repository/npm-group/:_authToken=${NPM_TOKEN}" >> .npmrc ; \
    fi \
@@ -1,13 +1,12 @@
+name: soroushasadi
+
 services:
  web:
    build:
      context: .
      dockerfile: Dockerfile
      args:
-        # Pull the base image through the Nexus docker-group proxy. Override per
-        # environment, e.g. NODE_IMAGE=node:20-slim docker compose build.
-        NODE_IMAGE: node:20-slim
-        # Optional Nexus npm-group token, consumed only by the deps stage.
+        NODE_IMAGE: ${NODE_IMAGE:-mirror.soroushasadi.com/repository/docker-group/node:20-slim}
        NPM_TOKEN: ${NPM_TOKEN:-}
    image: soroushasadi-site:latest
    container_name: soroushasadi-site
@@ -17,21 +16,20 @@ services:
    environment:
      NODE_ENV: production
      DATA_DIR: /data
-      # Set these in a sibling .env file (NOT committed) or your host env.
      ADMIN_PASSWORD: ${ADMIN_PASSWORD:?set ADMIN_PASSWORD}
      ADMIN_SESSION_SECRET: ${ADMIN_SESSION_SECRET:?set ADMIN_SESSION_SECRET}
      RESEND_API_KEY: ${RESEND_API_KEY:-}
      CONTACT_INBOX: ${CONTACT_INBOX:-}
      CONTACT_FROM: ${CONTACT_FROM:-}
    volumes:
-      # SQLite content DB + uploaded media persist across rebuilds.
      - cms-data:/data
    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:3000"]
+      test: ["CMD", "node", "-e",
+        "fetch('http://127.0.0.1:3000/').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"]
      interval: 30s
-      timeout: 5s
+      timeout: 10s
      retries: 3
-      start_period: 20s
+      start_period: 30s

 volumes:
  cms-data: