New CI workflow (.gitea/workflows/ci.yml) runs on every push to main:
- Backend: Maven compile + test + OWASP Dependency-Check (fails on CVSS>=7)
- Frontend: pnpm lint + type-check + pnpm audit (fails on High/Critical)
- Docker image scan: Trivy for both backend/frontend images (High/Critical)
- Secrets detection: Gitleaks full-repo scan
Deploy workflow remains independent (self-hosted runner limitation).
Both workflows run in parallel on push to main.
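The workflow summarised above, written out as an added example (this is not the repository's own ci.yml). Job names, the backend/ and frontend/ directory layout, image names, the JDK and Node versions, and the container images used for Trivy and Gitleaks are assumptions; the four gates and their thresholds are the ones listed above.

```yaml
# .gitea/workflows/ci.yml  (illustrative example, not the repository's own file)
name: ci
on:
  push:
    branches: [main]

jobs:
  backend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "21"                      # assumed JDK version
      - name: Compile and test
        working-directory: backend                # assumed directory
        run: mvn -B verify
      - name: OWASP Dependency-Check (fail on CVSS >= 7)
        working-directory: backend
        # failBuildOnCVSS turns any finding at or above the threshold into a build failure
        run: mvn -B org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7

  frontend:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: frontend               # assumed directory
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"                      # assumed Node version
      - run: pnpm install --frozen-lockfile
      - run: pnpm lint
      - run: pnpm exec tsc --noEmit               # type-check
      - name: pnpm audit (fail on High/Critical)
        # --audit-level high: exit non-zero only for high or critical advisories
        run: pnpm audit --audit-level high

  image-scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image: [backend, frontend]
    steps:
      - uses: actions/checkout@v4
      - name: Build ${{ matrix.image }} image
        run: docker build -t cannamanage-${{ matrix.image }}:${{ github.sha }} ./${{ matrix.image }}
      - name: Trivy image scan (fail on High/Critical)
        # --exit-code 1 makes the step fail when a HIGH or CRITICAL finding exists;
        # --ignore-unfixed keeps the gate actionable by skipping findings with no fix yet
        run: |
          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest \
            image --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed \
            cannamanage-${{ matrix.image }}:${{ github.sha }}

  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0                          # full history, so every commit is scanned
      - name: Gitleaks full-repo scan
        # --redact keeps matched secret values out of the CI log
        run: |
          docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \
            detect --source /repo --redact --exit-code 1
```

The four jobs have no `needs` edges, so they run concurrently and each one fails the push independently; `fetch-depth: 0` matters for the Gitleaks job, since a shallow checkout would only expose the latest commit and a secret removed in a later commit would go unnoticed.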
- Replace VPS SSH deploy workflow with a self-contained job that runs on the
  TrueNAS act_runner (host docker socket mounted). Checks out the pushed commit,
  builds, and rolls out the cannamanage compose stack in-place (project=cannamanage),
  then health-checks backend :8081 + frontend :3000.
- Commit docker-compose.truenas.yml (port remap 8081 + AUTH_SECRET) into the repo;
  it was previously host-only, so a fresh checkout could not reproduce the deploy.
  Use the !override tag for the backend ports list.
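An override file of the kind described above, as an added example rather than the repository's own docker-compose.truenas.yml. It assumes the base docker-compose.yml defines a service named `backend` that listens on container port 8080 and publishes it as 8080:8080; the remap to host port 8081 and the AUTH_SECRET variable are from the text.

```yaml
# docker-compose.truenas.yml (illustrative example, not the repository's own file)
# Assumes the base compose file has a `backend` service publishing 8080:8080.
services:
  backend:
    # `!override` replaces the base file's ports list instead of merging with it.
    # Without the tag, Compose would append, leaving 8080 published next to 8081.
    ports: !override
      - "8081:8080"
    environment:
      # Take the value from the runner's environment at deploy time so the committed
      # file carries no secret; `:?` aborts the rollout if the variable is unset.
      AUTH_SECRET: ${AUTH_SECRET:?AUTH_SECRET must be set in the runner environment}
```

The `!override` and `!reset` merge tags need Docker Compose v2.24 or later. To confirm the merge did what was intended before rolling out, render the effective configuration with `docker compose -p cannamanage -f docker-compose.yml -f docker-compose.truenas.yml config` and check that the backend's `ports` list contains only the 8081 mapping; the same `-p`/`-f` arguments then go to `up -d --build` for the in-place rollout. Referencing AUTH_SECRET from the environment rather than inlining it also keeps the committed file from tripping the Gitleaks gate.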