# Forgejo Actions for NextJS Slack Clone

This directory contains Forgejo Actions workflow configurations to build, push, and deploy our NextJS Slack Clone application using a secure service account approach.

## Workflows

### build-and-deploy.yaml

This workflow handles:

1. Building the Docker image
2. Pushing the image to the private registry (registrar.mattiaswiberg.com)
3. Deploying the application using Helm to the Kubernetes cluster with service account authentication

## Required Secrets

The following secrets need to be configured in your Forgejo repository settings:

1. `REGISTRY_USERNAME`: Username for the private Docker registry
2. `REGISTRY_PASSWORD`: Password for the private Docker registry
3. `K8S_SERVER_URL`: The Kubernetes API server URL (e.g., https://kubernetes.default.svc or your cluster endpoint)
4. `K8S_CA_CERT`: Base64-encoded certificate authority data for your Kubernetes cluster
5. `K8S_SA_TOKEN`: The service account token with permissions to deploy your application
6. `NEXT_PUBLIC_SUPABASE_URL`: Supabase URL for your project
7. `NEXT_PUBLIC_SUPABASE_ANON_KEY`: Supabase anonymous key for your project

## Setting Up Service Account Authentication

For secure Kubernetes authentication, we use a dedicated service account rather than a full kubeconfig. This follows security best practices by granting the CI/CD pipeline only the permissions it needs to deploy.

To set up the required secrets:

1. Deploy the application once manually to create the service account and role
2. Get the service account token and cluster details:

```bash
# Get the service account token.
# Note: on Kubernetes 1.24+ token secrets are no longer auto-created for
# service accounts, so .secrets[0].name may be empty; on such clusters use
# `kubectl create token nextjs-slack-clone -n default` to mint a token instead.
SECRET_NAME=$(kubectl get serviceaccount nextjs-slack-clone -n default -o jsonpath='{.secrets[0].name}')
TOKEN=$(kubectl get secret "$SECRET_NAME" -n default -o jsonpath='{.data.token}' | base64 --decode)
echo "$TOKEN" # This is your K8S_SA_TOKEN

# Get the cluster CA certificate (already base64-encoded in the kubeconfig)
CA_CERT=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
echo "$CA_CERT" # This is your K8S_CA_CERT

# Get the server URL
SERVER_URL=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')
echo "$SERVER_URL" # This is your K8S_SERVER_URL
```

3. Go to your repository settings
4. Navigate to "Actions" and then "Secrets"
5. Add each of the required secrets listed above

## Manual Trigger

You can also manually trigger the workflow using the "Actions" tab in your repository and selecting the "build-and-deploy" workflow.

## Monitoring Deployments

After deployment, you can check the status of your application using:

```bash
kubectl get pods -l app=nextjs-slack-clone
```

Or visit the application at https://chat.mattiaswiberg.com
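The deploy step described under "Setting Up Service Account Authentication" has to turn the three `K8S_*` secrets back into something `helm` and `kubectl` can use. The script below is an added example, not part of this project's workflow: it assembles a minimal kubeconfig from `K8S_SERVER_URL`, `K8S_CA_CERT` and `K8S_SA_TOKEN`, rejecting a non-HTTPS server URL or a `K8S_CA_CERT` that is not a base64-encoded PEM certificate before anything is written, and it never echoes the token (so it does not end up in the job log). The context/user/cluster names (`ci`, `ci-deployer`, `ci-cluster`) and the output path are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example (not the project's code): build a least-privilege kubeconfig
# for a CI deploy step from the K8S_SERVER_URL / K8S_CA_CERT / K8S_SA_TOKEN
# secrets instead of shipping a full admin kubeconfig into the runner.

# Returns 0 if $1 is base64 that decodes to a PEM certificate, 1 otherwise.
check_ca_cert() {
  printf '%s' "$1" | base64 -d 2>/dev/null | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# write_ci_kubeconfig SERVER_URL CA_B64 TOKEN OUT_FILE
# Validates the inputs, then writes OUT_FILE readable only by the current user.
write_ci_kubeconfig() {
  server="$1"; ca="$2"; token="$3"; out="$4"

  case "$server" in
    https://*) ;;
    *) echo "K8S_SERVER_URL must start with https://" >&2; return 1 ;;
  esac
  if [ -z "$token" ]; then
    echo "K8S_SA_TOKEN is empty" >&2; return 1
  fi
  if ! check_ca_cert "$ca"; then
    echo "K8S_CA_CERT is not a base64-encoded PEM certificate" >&2; return 1
  fi

  # Subshell so the restrictive umask does not leak into the caller.
  (
    umask 077
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ci-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca}
users:
- name: ci-deployer
  user:
    token: ${token}
contexts:
- name: ci
  context:
    cluster: ci-cluster
    user: ci-deployer
    namespace: default
current-context: ci
EOF
  )
}

# When run inside the job with the secrets exported, write ./ci-kubeconfig
# (hypothetical output path) and point KUBECONFIG at it for helm/kubectl.
if [ -n "${K8S_SERVER_URL:-}" ]; then
  write_ci_kubeconfig "$K8S_SERVER_URL" "$K8S_CA_CERT" "$K8S_SA_TOKEN" ./ci-kubeconfig \
    && echo "kubeconfig written to ./ci-kubeconfig (export KUBECONFIG=./ci-kubeconfig)"
fi
```

Before trusting the token in CI, confirm it carries only what the deploy needs, for example `kubectl --kubeconfig ./ci-kubeconfig auth can-i create deployments -n default` should succeed while `kubectl --kubeconfig ./ci-kubeconfig auth can-i list secrets -A` should be denied; a "yes" on the second is a sign the role bound to `nextjs-slack-clone` is broader than a deployer needs.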