Pipelines
This repository has three CI/CD pipelines:
- Build and Test — builds the solution and runs all tests on every push and pull request.
- Build & Push Docker — builds and pushes multi-arch Docker images for the API, Portal, Admin, and Status to the GitHub Container Registry (GHCR) on every push to
main. - SonarCloud — runs static code analysis and reports code quality, security hotspots, and coverage to SonarCloud on every push and pull request.
Required Repository Secrets
Go to Settings → Secrets and variables → Actions → New repository secret and add:
| Secret | Value |
|---|---|
GHCR_USERNAME |
Your GitHub username |
GHCR_TOKEN |
A Personal Access Token with write:packages scope (see below) |
SONAR_TOKEN |
A SonarCloud token for the MadWorldEU_Byakko project (see below) |
Generating a GHCR_TOKEN
- Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic)
- Click Generate new token (classic)
- Give it a descriptive name (e.g.
Byakko GHCR Push) - Set an expiration date
- Select the following scope:
write:packages— uploads packages to GitHub Package Registry (includesread:packages)
- Click Generate token
- Copy the token immediately — it won't be shown again
- Paste it as the value of the
GHCR_TOKENsecret in the repository settings
Generating a SONAR_TOKEN
- Go to sonarcloud.io and open the
MadWorldEU_Byakkoproject - Navigate to Administration → Analysis Method
- Turn off Automatic Analysis — this is required when using GitHub Actions, as both cannot run simultaneously
- Click With GitHub Actions to reveal the token
- Copy the token shown on that page
- Paste it as the value of the
SONAR_TOKENsecret in the repository settings
GitHub Environment: vps-production
The deployment pipeline uses a GitHub environment named vps-production to gate production deployments and store environment-specific secrets.
Create the environment
- Go to Settings → Environments → New environment
- Set the name to
vps-production - Optionally configure Protection rules (e.g. require a manual approval before deployment)
Add the environment secrets
Go to Settings → Environments → vps-production → Add secret and add the following secrets:
| Secret | Purpose |
|---|---|
KUBECONFIG |
kubeconfig file for the production cluster |
CLUSTER_ISSUER_EMAIL |
Email address for Let's Encrypt certificates |
SECURITY_TXT_CONTACT |
Contact URI for security.txt (e.g. mailto:security@example.com) |
POSTGRES_PASSWORD |
Application PostgreSQL password |
KEYCLOAK_ADMIN_PASSWORD |
Keycloak admin password |
KEYCLOAK_POSTGRES_PASSWORD |
Keycloak dedicated PostgreSQL password |
PGADMIN_PASSWORD |
pgAdmin password |
PGADMIN_KEYCLOAK_CLIENT_SECRET |
Keycloak OAuth client secret for pgAdmin (pgadmin-client) |
GRAFANA_ADMIN_PASSWORD |
Grafana admin password |
GRAFANA_KEYCLOAK_CLIENT_SECRET |
Keycloak OAuth client secret for Grafana (grafana-client) |
OVHCLOUD_ENDPOINT |
OVHCloud S3 endpoint URL |
OVHCLOUD_ACCESS_KEY |
OVHCloud S3 access key |
OVHCLOUD_SECRET_KEY |
OVHCloud S3 secret key |
OVHCLOUD_REGION |
OVHCloud region (e.g. de) |
ENCRYPTION_KEY |
Base64-encoded 32-byte AES-256 encryption key (generate with openssl rand -base64 32) |
MAIL_HOST |
SMTP server hostname (e.g. smtp.sendgrid.net) |
MAIL_USERNAME |
SMTP authentication username |
MAIL_TOKEN |
SMTP authentication token or password |
MAIL_ADMINISTRATOR_FROM_ADDRESS |
Sender email address for outgoing administrator emails (e.g. noreply@byakko.dev) |
MAIL_ADMINISTRATOR_TO_ADDRESS |
Recipient email address for administrator emails (e.g. admin@byakko.dev) |
KUBECONFIG
The KUBECONFIG secret holds the kubeconfig file used by kubectl and helm to authenticate against the production Kubernetes cluster. To get it from a MicroK8s cluster, run the following on the server and paste the output as the secret value:
microk8s config
💡 The kubeconfig should use the cluster's public IP or hostname as the server URL, not
127.0.0.1, so that GitHub Actions can reach it from outside the cluster.
First-time: Linking Images to the Repository
After the pipeline runs for the first time, each image is created as a private package under the MadWorldEU organisation. Do the following once per image to connect it to this repository:
- Go to github.com/orgs/MadWorldEU/packages (or your profile → Packages if using a personal account)
- Click the package (e.g.
byakko-api) - Click Package settings (bottom-right)
- Under Connect repository, search for and select
MadWorldEU/Byakko - Optionally change Package visibility to
Publicif the image should be publicly pullable - Repeat for
byakko-portal,byakko-admin, andbyakko-status
Once linked, the packages appear on the repository's main page under Packages.
Published Images
After a successful run the following images are available:
| Image | URL |
|---|---|
| API | ghcr.io/madworldeu/byakko-api:latest |
| Portal | ghcr.io/madworldeu/byakko-portal:latest |
| Admin | ghcr.io/madworldeu/byakko-admin:latest |
| Status | ghcr.io/madworldeu/byakko-status:latest |