deploy: wire processgit-updater sidecar into docker-compose #130
Updates `deploy/docker-compose.yml` and adds `deploy/.env.example` to
support the in-product self-update story.
Three changes to the compose file:
1. The processgit / processgit-init-perms / processgit-bootstrap
services now use `image: ghcr.io/algomation-ai/processgit:${PROCESSGIT_VERSION:-latest}`
instead of the hard-coded local `processgit:0.1` tag. `build:` is
preserved, so `docker compose up --build` still works for source
builds; production deployments use `docker compose pull` + up.
2. Adds the `processgit-updater` service (image
ghcr.io/algomation-ai/processgit-updater:${PROCESSGIT_VERSION:-latest}),
with /var/run/docker.sock bind-mounted plus a state volume for the
job log. Bind-mounts the deploy/ directory RW so the updater can
drive `docker compose up --no-deps processgit` and persist the new
PROCESSGIT_VERSION value in .env after a successful update.
3. PROCESSGIT_UPDATER_TOKEN is now a required interpolation
variable on both processgit and processgit-updater services
(`${PROCESSGIT_UPDATER_TOKEN:?...}`). Compose will fail fast at
`up` time if it's unset.
`deploy/.env.example` is the new template documenting:
- PROCESSGIT_UPDATER_TOKEN (required; generate with `openssl rand -hex 32`)
- PROCESSGIT_VERSION (defaults to "latest"; the updater rewrites this
on commit so the new version persists across host restarts)
- PROCESSGIT_UPDATER_REPO (optional; defaults to Algomation-AI/ProcessGit)
- PROCESSGIT_UPDATER_STUB (Slice 3A default = "true" until 3B real
docker calls ship; this PR's docker-compose threads the value through
so operators can flip without redeploying)
The new env file convention:
- deploy/.env is created by the operator (copied from .env.example)
and managed by the updater. Contains PROCESSGIT_UPDATER_TOKEN and
PROCESSGIT_VERSION.
- ../.env (project root) is the operator's app-config file (existing
env_file mount), unchanged.
Co-authored-by: Claude <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: daa711f9dd
| processgit-updater: | ||
| container_name: processgit-updater | ||
| restart: unless-stopped | ||
| image: ghcr.io/algomation-ai/processgit-updater:${PROCESSGIT_VERSION:-latest} |
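Review bot: On the `image:` line the tag falls back to `latest` whenever `PROCESSGIT_VERSION` is unset, so a fresh deployment pulls whatever is currently published under a mutable tag. The PR description says this service is given `/var/run/docker.sock`, so I would fail fast here the same way the PR already does for the token, for example `${PROCESSGIT_VERSION:?set PROCESSGIT_VERSION in deploy/.env}`, or pin the updater image by digest.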
Add local build config for updater sidecar
This service is image-only, so docker compose up --build cannot build it from source. Docker’s Compose docs state that automatic builds apply to services that define a build section; services without build are still pulled by image tag. That makes the file header’s "build locally" path misleading for processgit-updater, and fresh deployments will fail whenever ghcr.io/algomation-ai/processgit-updater:${PROCESSGIT_VERSION} is missing or not yet published.
| @@ -0,0 +1,60 @@ | |||
| # ProcessGit deployment environment. | |||
| # | |||
| # Copy this file to ../.env (one level above deploy/) and fill in the values. | |||
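Review bot: The header comment on line 3 names `../.env` as the copy target, but the commit message says `deploy/.env` is the file copied from `.env.example` and managed by the updater, with `../.env` left as the app-config file. Suggest changing the line to `# Copy this file to deploy/.env (next to docker-compose.yml) and fill in the values.` so the token and the version pin end up in the file the updater rewrites.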
Point updater env template at the file the sidecar mutates
This template instructs operators to copy values into ../.env, but the updater is configured to persist version pins to /deploy/.env (PROCESSGIT_UPDATER_ENV_FILE). With the documented root-level invocation (docker compose -f deploy/docker-compose.yml ...), Compose resolves variables from a PWD .env first, so a root ../.env can override and effectively ignore updater-written deploy/.env values; the next restart may reuse a stale PROCESSGIT_VERSION instead of the committed update.
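The check below is an added example, not part of the PR or the ProcessGit repository: a preflight script for the two-file `.env` layout discussed above. It flags a `deploy/.env` whose token does not look like `openssl rand -hex 32` output or that is world-readable, and any updater-managed key that also appears in the project-root `.env`, which is the shadowing condition the review comment describes. The function names `env_get` and `check_env` are hypothetical.

```shell
#!/bin/sh
# Preflight check for the deploy/.env + ../.env layout (added example;
# env_get and check_env are hypothetical helper names, not project code).

# env_get FILE KEY: print the last value assigned to KEY in FILE.
# Returns non-zero if the file is missing or the key is unset/empty.
env_get() {
    [ -f "$1" ] || return 1
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | grep .
}

# check_env DEPLOY_DIR ROOT_DIR: print findings, return 1 if there are any.
check_env() {
    deploy_env="$1/.env"; root_env="$2/.env"; rc=0

    # `openssl rand -hex 32` produces exactly 64 lowercase hex characters.
    token=$(env_get "$deploy_env" PROCESSGIT_UPDATER_TOKEN) || token=""
    if ! printf '%s' "$token" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "FAIL: PROCESSGIT_UPDATER_TOKEN in $deploy_env is missing or not 64 hex chars"
        rc=1
    fi

    # The file holds a secret; it should not be readable by "other".
    if [ -n "$(find "$deploy_env" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $deploy_env is world-readable"
        rc=1
    fi

    # Keys the updater manages must live only in deploy/.env; a copy in
    # the root .env could shadow the value the updater wrote.
    for key in PROCESSGIT_VERSION PROCESSGIT_UPDATER_TOKEN; do
        if env_get "$root_env" "$key" >/dev/null; then
            echo "FAIL: $key is also set in $root_env and may shadow $deploy_env"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ./preflight.sh deploy .
if [ "$#" -eq 2 ]; then
    check_env "$1" "$2"
fi
```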
deploy: wire the `processgit-updater` sidecar into docker-compose

Adds the deployment-side integration for the in-product self-update story. After this PR + PR #128 + the workflow extension, `docker compose up -d` brings up both the main app AND the updater sidecar.

Changes to `deploy/docker-compose.yml`

1. Image variable substitution. The three existing services (processgit, processgit-init-perms, processgit-bootstrap) now reference `ghcr.io/algomation-ai/processgit:${PROCESSGIT_VERSION:-latest}`. The `build:` directive is preserved, so source builds still work; production deployments use `docker compose pull && docker compose up -d`.
2. New `processgit-updater` service. Image `ghcr.io/algomation-ai/processgit-updater:${PROCESSGIT_VERSION:-latest}` (built by the sibling workflow PR). Mounts `/var/run/docker.sock`, a state volume for the job log, and the `deploy/` directory RW so the updater can:
   - `docker compose up --no-deps processgit` to recreate the app container
   - `deploy/.env` so it survives a host restart
3. PROCESSGIT_UPDATER_TOKEN is now mandatory at compose-up time: `${PROCESSGIT_UPDATER_TOKEN:?...}`. Compose fails fast if it's unset, with a message pointing to `deploy/.env.example`.

New file: `deploy/.env.example`

The template operators copy to `deploy/.env`. Documents:
- `PROCESSGIT_UPDATER_TOKEN`: `openssl rand -hex 32`
- `PROCESSGIT_VERSION`: `latest`
- `PROCESSGIT_UPDATER_REPO`: `Algomation-AI/ProcessGit`
- `PROCESSGIT_UPDATER_STUB`: `true`; `false` once Slice 3B lands

Env file convention

The deployment now uses two .env files, with distinct purposes:
- `../.env`: `env_file:` to the main container). Unchanged.
- `deploy/.env`: `PROCESSGIT_VERSION` pin. Compose interpolation reads it automatically (it lives next to docker-compose.yml).

`deploy/.env` is what the updater writes to on commit, so the user's app-config `../.env` stays untouched by automated updates.

First-deploy quickstart (post-merge)

Sequencing

This PR can land before or after the workflow PR (`ci: build & sign processgit-updater image …`). Until the workflow PR lands and v0.1.1+ ships, `docker compose pull` for `ghcr.io/algomation-ai/processgit-updater` will fail because no image exists yet. Operators can either:
- `docker compose pull && up -d`
- `docker compose up --build -d` to build locally from source in the meantime

Validation

python3 -c 'yaml.safe_load')