chore(deploy): streamline Fly.io pipeline and harden container build

JmPotato · JmPotato · commit f328856e2d33 · 2026-02-11T23:44:41.000+08:00
Signed-off-by: JmPotato &lt;github@ipotato.me&gt;
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,5 @@
+target/
+.git/
+.github/
+.gitignore
+*.md
diff --git a/.github/workflows/fly-deploy.yml b/.github/workflows/fly-deploy.yml
@@ -1,22 +1,32 @@
 # See https://fly.io/docs/app-guides/continuous-deployment-with-github-actions/
 
-name: Fly.io Demo Deploy
+name: Deploy to Fly.io
 on:
   push:
     branches:
       - main
+
+concurrency:
+  group: deploy
+  cancel-in-progress: true
+
 jobs:
   deploy:
     name: Deploy app
     runs-on: ubuntu-latest
-    concurrency: deploy-group # optional: ensure only one action runs at a time
     steps:
-      - uses: actions/checkout@v4
-      - uses: superfly/flyctl-actions/setup-flyctl@master
-      - env:
+      - uses: actions/checkout@v6
+      - name: Install fly
+        run: |
+          curl -L https://fly.io/install.sh | sh
+          echo "$HOME/.fly/bin" >> "$GITHUB_PATH"
+      - name: Set secrets
+        run: fly secrets set --stage MYSQL_CONNECTION_URL="${MYSQL_CONNECTION_URL}" UMAMI_ID="${UMAMI_ID}"
+        env:
           FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
           MYSQL_CONNECTION_URL: ${{ secrets.MYSQL_CONNECTION_URL }}
           UMAMI_ID: ${{ secrets.UMAMI_ID }}
-        run: |
-          flyctl secrets set --stage MYSQL_CONNECTION_URL=${MYSQL_CONNECTION_URL} UMAMI_ID=${UMAMI_ID}
-          flyctl deploy --remote-only
+      - name: Deploy
+        run: fly deploy --remote-only
+        env:
+          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,41 +1,35 @@
 # syntax=docker/dockerfile:1
 
-################################################################################
-# Create a stage for building the application.
-
-ARG RUST_VERSION=latest
+ARG RUST_VERSION=1.84
 ARG APP_NAME=rsomhap
 
+################################################################################
+# Build stage
+
 FROM rust:${RUST_VERSION} AS builder
 ARG APP_NAME
-
 WORKDIR /usr/src/app
 
-# Build the application.
-# Leverage a cache mount to /usr/local/cargo/registry/
-# for downloaded dependencies and a cache mount to /app/target/ for 
-# compiled dependencies which will speed up subsequent builds.
-# Once built, copy the executable to an output directory before
-# the cache mounted /app/target is unmounted.
-COPY Cargo.toml ./
+COPY Cargo.toml Cargo.lock ./
 COPY src ./src
+
 RUN --mount=type=cache,target=/usr/src/app/target \
     --mount=type=cache,target=/usr/local/cargo/registry \
-    cargo build --release --bin ${APP_NAME} && cp ./target/release/${APP_NAME} ./${APP_NAME}
+    cargo build --release --locked --bin ${APP_NAME} \
+    && cp ./target/release/${APP_NAME} ./${APP_NAME}
 
 ################################################################################
-# Create a new stage for running the application that contains the minimal
-# runtime dependencies for the application. This often uses a different base
-# image from the build stage where the necessary files are copied from the build
-# stage.
+# Runtime stage
 
 FROM debian:bookworm-slim AS final
 ARG APP_NAME
 
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates curl \
+    && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /usr/src/app
 
-# Create a non-privileged user that the app will run under.
-# See https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
 ARG UID=10001
 RUN adduser \
     --disabled-password \
@@ -45,18 +39,17 @@ RUN adduser \
     --no-create-home \
     --uid "${UID}" \
     appuser
-USER appuser
 
-# Copy the executable from the "build" stage.
-COPY --from=builder /usr/src/app/${APP_NAME} .
+# Copy the executable from the build stage.
+COPY --from=builder --chown=appuser:appuser /usr/src/app/${APP_NAME} .
 
 # Copy the necessary files.
-COPY templates ./templates
-COPY static ./static
-COPY config.toml ./
+COPY --chown=appuser:appuser templates ./templates
+COPY --chown=appuser:appuser static ./static
+COPY --chown=appuser:appuser config.toml ./
+
+USER appuser
 
-# Expose the port that the application listens on.
 EXPOSE 5299
 
-# What the container should run when it is started.
 CMD ["./rsomhap"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,9 +1,17 @@
-version: "3"
-
 services:
   rsomhap:
     build: .
     image: rsomhap:latest
     container_name: rsomhap
+    restart: unless-stopped
     ports:
       - "5299:5299"
+    environment:
+      - MYSQL_CONNECTION_URL
+      - UMAMI_ID
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:5299/ping || exit 1"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
+      start_period: 5s

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +target/
 +.git/
 +.github/
 +.gitignore
 +*.md