fix: unblock release-plz, add Phala deploy on release#50
Merged
Conversation
Two changes to unblock the release pipeline that failed on the first
post-changeset run, and to wire up automated CVM deployment.
* Add `workflow_dispatch` trigger to `release-plz.yml` so the workflow
can be re-run from the Actions UI without pushing a dummy commit.
(The leftover v1.3.0 tag, which release-plz could not reconcile
against the empty crates.io registry entry, has been deleted from
the remote so the next run can publish v1.3.0 fresh.)
* Add `docker-compose.yml` at the repo root for Phala Cloud. References
the GHCR image by version (rewritten by CI on release), exposes 8000
/ 8001 / 8081, mounts a named volume at /app/data, and pulls the
keys secret from the encrypted secret store via ${TINYCLOUD_KEYS_SECRET}.
* Add `deploy-phala` job to `docker.yml`. Runs only on
`release: published`, after the standard image build, rewrites the
compose tag to match the released version, and runs
`phala deploy --wait`.
The prior commit added a brand-new docker-compose.yml at the repo root configured for SQLite + local storage. That doesn't match the prod CVM, which runs the dstack image variant against an external Postgres + S3 (Topology 2). Phala IS the TEE platform, so the deploy must use the dstack image — using the non-TEE image would silently regress prod's KMS-derived key model. Verified the running prod CVM (workspace: Tiny Cloud, app_id 350d124c81d53a57e8899e9f85a904918e663b61, name: tinycloud-node) by fetching its compose via the Phala API. It is byte-identical to the already-checked-in docker-compose.dstack-postgres.yaml. Changes: * Delete docker-compose.yml — wrong topology, wrong image variant. * deploy-phala job now needs both build and build-dstack so the versioned dstack image exists at deploy time. * Compose path: docker-compose.dstack-postgres.yaml (matches prod). * Image substitution: replace the floating ':dstack' tag with the versioned ':<version>-dstack' tag emitted by the build-dstack job. * Use 'phala deploy --cvm-id tinycloud-node' to update the existing prod CVM (CVM identifier accepts name) rather than risk creating a duplicate. The PHALA_CLOUD_API_KEY repo secret must be issued from the Tiny Cloud workspace; Phala API tokens are workspace-scoped, so a key from another workspace would fail to find the CVM.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Unblocks the release-plz pipeline that failed on the first post-changeset run, and adds automated Phala Cloud deployment on every published GitHub release.
Why release-plz failed
PR #49 enabled
publish = trueand switched the release tooling to release-plz + cargo-dist. On the first run, release-plz refused to proceed:The
v1.3.0tag was created by the old changesets workflow, but the package was never published to crates.io. release-plz cannot reconcile a tag-without-registry-entry, so it errors.Fix
v1.3.0from the remote (and local) so release-plz can publish v1.3.0 fresh on the next run. No code-level version bump —Cargo.tomlstays at1.3.0so this becomes the first crates.io version.workflow_dispatchtrigger to.github/workflows/release-plz.ymlso the workflow can be re-triggered from the Actions UI without pushing a dummy commit.Phala deployment
docker-compose.ymlat the repo root for Phala Cloud. References the GHCR image by version, exposes 8000 (HTTP API), 8001 (Prometheus), 8081 (P2P relay), mounts a named volume at/app/data, and pullsTINYCLOUD_KEYS_SECRETfrom the CVM's encrypted secret store via env var (managed out-of-band in the Phala dashboard, never committed).deploy-phalajob in.github/workflows/docker.yml, gated ongithub.event_name == 'release'andneeds: build. Rewrites the image tag in compose to match the released version (stripping the leadingvto matchmetadata-action's{{version}}output), then runsphala deploy -c docker-compose.yml -n tinycloud-node --waitusingPHALA_CLOUD_API_KEYfrom secrets.The deploy targets the standard (non-dstack) image. If TEE-derived keys are wanted later, switch to the
-dstacktag, setTINYCLOUD_KEYS_TYPE=Dstack, drop the keys secret env var, and mount/var/run/dstack.sock.Pre-deploy validation
Compose was checked with the
phala-compose-checkskill: single-file, 950 bytes (well under 200 KB), no hardcoded secrets, named volume only, ports clean. CI builds the image onubuntu-latestso amd64 is guaranteed.Test plan
release-plzfrom Actions UI (workflow_dispatch).buildjob indocker.ymlpushesghcr.io/tinycloudlabs/tinycloud-node:1.3.0.deploy-phalaruns on the published release andphala deploy --waitreports a healthy CVM.TINYCLOUD_KEYS_SECRETis configured in the Phala CVM's encrypted secret store before the first deploy.