ci: trigger vega source-server upgrade from Forgejo

.forgejo/workflows/self-deploy.yml

@@ -21,6 +21,8 @@ env:
   SF_PROD_NAMESPACE: ${{ vars.SF_PROD_NAMESPACE }}
   SF_TEST_DEPLOYMENT: ${{ vars.SF_TEST_DEPLOYMENT }}
   SF_PROD_DEPLOYMENT: ${{ vars.SF_PROD_DEPLOYMENT }}
+  SF_VEGA_UPGRADE_URL: ${{ vars.SF_VEGA_UPGRADE_URL }}
+  SF_VEGA_UPGRADE_TOKEN: ${{ secrets.SF_VEGA_UPGRADE_TOKEN }}
 
 jobs:
   build:
@@ -89,6 +91,63 @@ jobs:
         if: env.SF_PUSH_IMAGE != '0'
         run: docker push "${{ steps.image.outputs.image }}"
 
+  deploy-vega-source:
+    name: upgrade vega source server
+    needs: build
+    runs-on: docker
+    if: vars.SF_VEGA_UPGRADE_URL != ''
+    steps:
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Trigger source-mounted server upgrade
+        shell: bash
+        run: |
+          set -euo pipefail
+          base="${SF_VEGA_UPGRADE_URL%/}"
+          auth_args=()
+          if [ -n "${SF_VEGA_UPGRADE_TOKEN:-}" ]; then
+            auth_args=(-H "Authorization: Bearer ${SF_VEGA_UPGRADE_TOKEN}")
+          fi
+          response="$(curl --fail --silent --show-error \
+            -X POST \
+            "${auth_args[@]}" \
+            "$base/api/server-upgrade")"
+          printf '%s\n' "$response"
+
+      - name: Wait for vega source server revision
+        shell: bash
+        run: |
+          set -euo pipefail
+          base="${SF_VEGA_UPGRADE_URL%/}"
+          expected="${GITHUB_SHA:-$(git rev-parse HEAD)}"
+          auth_args=()
+          if [ -n "${SF_VEGA_UPGRADE_TOKEN:-}" ]; then
+            auth_args=(-H "Authorization: Bearer ${SF_VEGA_UPGRADE_TOKEN}")
+          fi
+          deadline=$((SECONDS + 900))
+          last=""
+          while [ "$SECONDS" -lt "$deadline" ]; do
+            payload="$(curl --fail --silent --show-error \
+              "${auth_args[@]}" \
+              "$base/api/ready" || true)"
+            if [ -n "$payload" ]; then
+              last="$payload"
+              actual="$(node -e 'const fs=require("node:fs"); const j=JSON.parse(fs.readFileSync(0,"utf8")); process.stdout.write(String(j.gitSha || ""));' <<<"$payload")"
+              ready="$(node -e 'const fs=require("node:fs"); const j=JSON.parse(fs.readFileSync(0,"utf8")); process.stdout.write(String(j.ready === true));' <<<"$payload")"
+              if [ "$ready" = "true" ] && [ "$actual" = "$expected" ]; then
+                printf 'vega source server upgraded to %s\n' "$actual"
+                exit 0
+              fi
+              printf 'waiting for vega source server: ready=%s sha=%s expected=%s\n' "$ready" "$actual" "$expected"
+            fi
+            sleep 5
+          done
+          printf 'Timed out waiting for vega source server to advertise %s. Last payload:\n%s\n' "$expected" "$last" >&2
+          exit 1
+
   deploy-test:
     name: deploy test and probe
     needs: build

docs/specs/sf-self-deploy.md

@@ -85,6 +85,13 @@ candidate. Replacement drains the old container with
 fallback. The default leaves a 10 second margin over the RPC child's
 `SF_RPC_SHUTDOWN_GRACE_MS=600000` queue-drain handler.
 
+Forgejo can trigger this source-mounted path automatically after the build job.
+Set repository variable `SF_VEGA_UPGRADE_URL` to the private server base URL
+such as `http://vega.ts.hugo.dk:4000`. If the web server has auth enabled, set
+secret `SF_VEGA_UPGRADE_TOKEN`; the workflow sends it as a bearer token. The
+job posts `/api/server-upgrade`, then polls `/api/ready` until the live server
+reports the pushed `GITHUB_SHA`.
+
 ## Promotion
 
 Test must roll before prod: