fix(ci): quote description to satisfy yaml parser

.gitea/actions/compose-up/action.yml

@@ -0,0 +1,37 @@
+name: compose-up
+description: Run docker compose up using an explicit image (DOCKER_IMAGE) on Linux/Windows.
+
+inputs:
+  image:
+    description: Full image reference (registry/repo:tag or @sha256:...)
+    required: true
+  workdir:
+    description: Directory containing compose files on the runner
+    required: false
+    default: .
+  compose_args:
+    description: Arguments after `docker compose` (default runs up -d with pull)
+    required: false
+    default: up -d --pull always --remove-orphans
+
+runs:
+  using: composite
+  steps:
+    - name: Compose Up (Linux/macOS)
+      if: runner.os != 'Windows'
+      shell: bash
+      working-directory: ${{ inputs.workdir }}
+      env:
+        DOCKER_IMAGE: ${{ inputs.image }}
+      run: |
+        set -euo pipefail
+        docker compose ${{ inputs.compose_args }}
+
+    - name: Compose Up (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      working-directory: ${{ inputs.workdir }}
+      env:
+        DOCKER_IMAGE: ${{ inputs.image }}
+      run: |
+        docker compose ${{ inputs.compose_args }}

.gitea/workflows/deploy-template.yml

@@ -1,36 +0,0 @@
-name: Deploy Template
-
-on:
-  workflow_call:
-    inputs:
-      runner:
-        required: true
-        type: string
-      image:
-        required: true
-        type: string
-
-jobs:
-  deploy:
-    runs-on: ${{ inputs.runner }}
-
-    steps:
-      - name: Show target server
-        run: echo "Deploying on ${{ inputs.runner }}"
-
-      # Force compose to use the exact image tag we built/pushed, regardless of
-      # what the server's compose file has hard-coded.
-      - name: Compose Up (Linux)
-        if: runner.os != 'Windows'
-        env:
-          DOCKER_IMAGE: ${{ inputs.image }}
-        run: |
-          docker compose up -d --pull always --remove-orphans
-
-      - name: Compose Up (Windows)
-        if: runner.os == 'Windows'
-        env:
-          DOCKER_IMAGE: ${{ inputs.image }}
-        run: |
-          docker compose up -d --pull always --remove-orphans
-

.gitea/workflows/docker-build-deploy-fleet.yml

@@ -0,0 +1,268 @@
+name: Docker Build (Native Multi-Arch) + Deploy Fleet (Compose)
+
+on:
+  workflow_call:
+    inputs:
+      control_runner:
+        description: Runner label used for metadata + manifest jobs (must have docker/buildx).
+        type: string
+        default: devsg-atlantic
+
+      docker_registry:
+        description: Registry host (docker.io, ghcr.io, registry.example.com)
+        type: string
+        default: docker.io
+
+      docker_namespace:
+        description: Docker namespace / org / username
+        type: string
+        required: true
+
+      image_repo:
+        description: Docker repository name under namespace
+        type: string
+        required: true
+
+      context:
+        type: string
+        default: .
+
+      dockerfile:
+        type: string
+        default: Dockerfile
+
+      tag:
+        description: "Optional tag to publish (default: sha-<shortsha>)"
+        type: string
+        default: ""
+
+      build_matrix_json:
+        description: JSON array of { runner, platform } entries
+        type: string
+        required: true
+
+      deploy_runners_json:
+        description: JSON array of runner labels
+        type: string
+        required: true
+
+      compose_workdir:
+        type: string
+        default: .
+
+      compose_args:
+        type: string
+        default: up -d --pull always --remove-orphans
+
+    secrets:
+      DOCKER_HUB_USERNAME: { required: true }
+      DOCKER_HUB_ACCESS_TOKEN: { required: true }
+
+    outputs:
+      image_repo:
+        value: ${{ jobs.meta.outputs.image_repo }}
+      image_tag:
+        value: ${{ jobs.meta.outputs.image_tag }}
+      image_ref:
+        value: ${{ jobs.manifest.outputs.image_ref }}
+
+concurrency:
+  group: ${{ github.repository }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  meta:
+    name: Compute Image Metadata
+    runs-on: ${{ inputs.control_runner }}
+    outputs:
+      image_repo: ${{ steps.meta.outputs.image_repo }}
+      image_tag: ${{ steps.meta.outputs.image_tag }}
+      image: ${{ steps.meta.outputs.image }}
+      branch_tag: ${{ steps.meta.outputs.branch_tag }}
+    steps:
+      - name: Compute tags
+        id: meta
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          IMAGE="${{ inputs.docker_registry }}/${{ inputs.docker_namespace }}/${{ inputs.image_repo }}"
+          SHORT_SHA="$(echo "${{ github.sha }}" | cut -c1-12)"
+
+          TAG="${{ inputs.tag }}"
+          if [[ -z "${TAG}" ]]; then
+            TAG="sha-${SHORT_SHA}"
+          fi
+
+          # Branch names with '/' are not valid docker tags.
+          BRANCH_TAG="${{ github.ref_name }}"
+          BRANCH_TAG="${BRANCH_TAG//\//-}"
+
+          echo "image=${IMAGE}" >> "${GITHUB_OUTPUT}"
+          echo "image_repo=${IMAGE}" >> "${GITHUB_OUTPUT}"
+          echo "image_tag=${TAG}" >> "${GITHUB_OUTPUT}"
+          echo "branch_tag=${BRANCH_TAG}" >> "${GITHUB_OUTPUT}"
+
+  build:
+    name: Build + Push (${{ matrix.platform }})
+    needs: meta
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJSON(inputs.build_matrix_json) }}
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Login Registry (push)
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.docker_registry }}
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Compute arch tag + cache key
+        id: tags
+        shell: bash
+        run: |
+          set -euo pipefail
+          arch="${{ matrix.platform }}"
+          arch="${arch##*/}"
+          echo "arch=${arch}" >> "${GITHUB_OUTPUT}"
+          echo "arch_tag=${{ needs.meta.outputs.image_tag }}-${arch}" >> "${GITHUB_OUTPUT}"
+          echo "cache_tag=buildcache-${arch}" >> "${GITHUB_OUTPUT}"
+
+      - name: Build + Push (single platform)
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ inputs.context }}
+          file: ${{ inputs.dockerfile }}
+          platforms: ${{ matrix.platform }}
+          push: true
+          tags: |
+            ${{ needs.meta.outputs.image }}:${{ steps.tags.outputs.arch_tag }}
+          cache-from: type=registry,ref=${{ needs.meta.outputs.image }}:${{ steps.tags.outputs.cache_tag }}
+          cache-to: type=registry,ref=${{ needs.meta.outputs.image }}:${{ steps.tags.outputs.cache_tag }},mode=max
+
+  manifest:
+    name: Create Multi-Arch Manifest
+    needs: [meta, build]
+    runs-on: ${{ inputs.control_runner }}
+    outputs:
+      image_ref: ${{ steps.out.outputs.image_ref }}
+    steps:
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Login Registry (manifest)
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.docker_registry }}
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Create manifest tags (sha/branch/latest)
+        shell: bash
+        env:
+          BUILD_MATRIX_JSON: ${{ inputs.build_matrix_json }}
+        run: |
+          set -euo pipefail
+          IMAGE="${{ needs.meta.outputs.image }}"
+          SHA_TAG="${{ needs.meta.outputs.image_tag }}"
+          BRANCH_TAG="${{ needs.meta.outputs.branch_tag }}"
+
+          # Derive source tags from build_matrix_json using Node (available in Actions runners).
+          # Each source is "${IMAGE}:${SHA_TAG}-<arch>" where <arch> from platform suffix.
+          mapfile -t sources < <(IMAGE="${IMAGE}" SHA_TAG="${SHA_TAG}" node -e '
+            const m = JSON.parse(process.env.BUILD_MATRIX_JSON);
+            for (const it of m) {
+              const arch = String(it.platform || "").split("/").pop();
+              if (!arch) process.exit(2);
+              console.log(`${process.env.IMAGE}:${process.env.SHA_TAG}-${arch}`);
+            }
+          ')
+
+          if [[ "${#sources[@]}" -eq 0 ]]; then
+            echo "No build sources resolved from build_matrix_json" >&2
+            exit 1
+          fi
+
+          docker buildx imagetools create \
+            -t "${IMAGE}:${SHA_TAG}" \
+            -t "${IMAGE}:${BRANCH_TAG}" \
+            -t "${IMAGE}:latest" \
+            "${sources[@]}"
+
+      - name: Resolve immutable digest (image_ref)
+        id: out
+        shell: bash
+        run: |
+          set -euo pipefail
+          IMAGE="${{ needs.meta.outputs.image }}"
+          SHA_TAG="${{ needs.meta.outputs.image_tag }}"
+
+          DIGEST="$(
+            docker buildx imagetools inspect "${IMAGE}:${SHA_TAG}" \
+              | awk -F'Digest:[[:space:]]*' '/^Digest:/ { print $2; exit }' \
+              | tr -d '[:space:]'
+          )"
+          if [[ -z "${DIGEST}" ]]; then
+            echo "Failed to resolve digest for ${IMAGE}:${SHA_TAG}" >&2
+            docker buildx imagetools inspect "${IMAGE}:${SHA_TAG}" || true
+            exit 1
+          fi
+          echo "image_ref=${IMAGE}@${DIGEST}" >> "${GITHUB_OUTPUT}"
+
+  deploy:
+    name: Deploy Fleet
+    needs: manifest
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: ${{ fromJSON(inputs.deploy_runners_json) }}
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Login Registry (pull)
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.docker_registry }}
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Show deploy image
+        if: runner.os != 'Windows'
+        shell: bash
+        run: |
+          echo "Deploying: ${{ needs.manifest.outputs.image_ref }}"
+
+      - name: Show deploy image (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          Write-Output "Deploying: ${{ needs.manifest.outputs.image_ref }}"
+
+      - name: Compose Up (Unix)
+        if: runner.os != 'Windows'
+        shell: bash
+        working-directory: ${{ inputs.compose_workdir }}
+        env:
+          DOCKER_IMAGE: ${{ needs.manifest.outputs.image_ref }}
+        run: |
+          set -euo pipefail
+          docker compose ${{ inputs.compose_args }}
+
+      - name: Compose Up (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        working-directory: ${{ inputs.compose_workdir }}
+        env:
+          DOCKER_IMAGE: ${{ needs.manifest.outputs.image_ref }}
+        run: |
+          docker compose ${{ inputs.compose_args }}

.gitea/workflows/docker-build-push.yml

@@ -1,61 +0,0 @@
-name: Docker Build & Push (Template)
-
-on:
-  workflow_call:
-    inputs:
-      runner:
-        required: false
-        type: string
-        default: ubuntu-latest
-      image_name:
-        required: true
-        type: string
-      image_tag:
-        required: false
-        type: string
-        default: latest
-      dockerfile:
-        required: false
-        type: string
-        default: Dockerfile
-      context:
-        required: false
-        type: string
-        default: .
-    outputs:
-      image:
-        description: Fully-qualified image reference pushed to Docker Hub
-        value: ${{ jobs.build.outputs.image }}
-
-jobs:
-  build:
-    runs-on: ${{ inputs.runner }}
-    outputs:
-      image: ${{ steps.push.outputs.image }}
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Build Docker image
-        run: |
-          docker build \
-            -t "${{ inputs.image_name }}:${{ inputs.image_tag }}" \
-            -f "${{ inputs.dockerfile }}" \
-            "${{ inputs.context }}"
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ env.DOCKER_HUB_USERNAME }}
-          password: ${{ env.DOCKER_HUB_ACCESS_TOKEN }}
-
-      - name: Push Docker image to Docker Hub
-        id: push
-        shell: bash
-        run: |
-          set -euo pipefail
-          REMOTE_IMAGE="${{ env.DOCKER_HUB_USERNAME }}/${{ inputs.image_name }}:${{ inputs.image_tag }}"
-          docker tag "${{ inputs.image_name }}:${{ inputs.image_tag }}" "$REMOTE_IMAGE"
-          docker push "$REMOTE_IMAGE"
-          echo "image=$REMOTE_IMAGE" >> "$GITHUB_OUTPUT"
-

.gitea/workflows/harbor-build-deploy.yml

@@ -0,0 +1,154 @@
+name: Harbor Build Once → Deploy Many (Compose)
+
+"on":
+  workflow_call:
+    inputs:
+      harbor_registry:
+        type: string
+        default: harbor.hcmc.online
+      harbor_project:
+        type: string
+        default: ci
+      image_repo:
+        description: "Image repository name under harbor_project (example: myapp)"
+        type: string
+        required: true
+
+      context:
+        type: string
+        default: .
+      dockerfile:
+        type: string
+        default: Dockerfile
+      platforms:
+        type: string
+        default: linux/amd64,linux/arm64
+
+      deploy_runners_json:
+        description: "JSON array of runner labels (example: [\"prod-1\",\"prod-2\"])"
+        type: string
+        required: true
+
+      compose_workdir:
+        type: string
+        default: .
+      compose_args:
+        description: "Arguments after `docker compose`"
+        type: string
+        default: up -d --pull always --remove-orphans
+
+    secrets:
+      HARBOR_PUSH_USERNAME: { required: true }
+      HARBOR_PUSH_PASSWORD: { required: true }
+      HARBOR_PULL_USERNAME: { required: true }
+      HARBOR_PULL_PASSWORD: { required: true }
+
+    outputs:
+      image_repo:
+        description: "Image repository (no tag/digest), e.g. harbor.hcmc.online/ci/myapp"
+        value: ${{ jobs.build_and_push.outputs.image_repo }}
+      image_digest:
+        description: "Content digest, e.g. sha256:..."
+        value: ${{ jobs.build_and_push.outputs.image_digest }}
+      image_ref:
+        description: "Immutable image ref, e.g. harbor.hcmc.online/ci/myapp@sha256:..."
+        value: ${{ jobs.build_and_push.outputs.image_ref }}
+
+jobs:
+  build_and_push:
+    name: Build & Push Image
+    runs-on: devsg-atlantic
+
+    outputs:
+      image_repo: ${{ steps.meta.outputs.image_repo }}
+      image_digest: ${{ steps.build.outputs.digest }}
+      image_ref: ${{ steps.meta.outputs.image_repo }}@${{ steps.build.outputs.digest }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Compute image metadata
+        id: meta
+        shell: bash
+        run: |
+          set -euo pipefail
+          IMAGE="${{ inputs.harbor_registry }}/${{ inputs.harbor_project }}/${{ inputs.image_repo }}"
+          SHORT_SHA="$(echo "${{ github.sha }}" | cut -c1-12)"
+          RAW_BRANCH="${{ github.ref_name }}"
+          # Docker tags cannot contain slashes, spaces, etc.
+          BRANCH="$(echo "${RAW_BRANCH}" | tr "/\\" "-" | tr -c "A-Za-z0-9_.-" "-" | sed -E "s/^-+|-+$//g" | cut -c1-120)"
+          if [[ -z "${BRANCH}" ]]; then BRANCH="branch"; fi
+
+          {
+            echo "image_repo=$IMAGE"
+            echo "sha_tag=sha-$SHORT_SHA"
+            echo "branch_tag=$BRANCH"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Login Harbor (push)
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.harbor_registry }}
+          username: ${{ secrets.HARBOR_PUSH_USERNAME }}
+          password: ${{ secrets.HARBOR_PUSH_PASSWORD }}
+
+      - name: Build & Push Image
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ inputs.context }}
+          file: ${{ inputs.dockerfile }}
+          platforms: ${{ inputs.platforms }}
+          push: true
+          tags: |
+            ${{ steps.meta.outputs.image_repo }}:${{ steps.meta.outputs.sha_tag }}
+            ${{ steps.meta.outputs.image_repo }}:${{ steps.meta.outputs.branch_tag }}
+            ${{ steps.meta.outputs.image_repo }}:latest
+          cache-from: type=registry,ref=${{ steps.meta.outputs.image_repo }}:buildcache
+          cache-to: type=registry,ref=${{ steps.meta.outputs.image_repo }}:buildcache,mode=max
+
+  deploy:
+    name: Deploy to Fleet
+    needs: build_and_push
+
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: ${{ fromJSON(inputs.deploy_runners_json) }}
+
+    runs-on: ${{ matrix.runner }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login Harbor (pull)
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.harbor_registry }}
+          username: ${{ secrets.HARBOR_PULL_USERNAME }}
+          password: ${{ secrets.HARBOR_PULL_PASSWORD }}
+
+      - name: Show image
+        run: echo "Deploying ${{ needs.build_and_push.outputs.image_ref }}"
+
+      - name: Compose Up (Unix)
+        if: runner.os != 'Windows'
+        shell: bash
+        working-directory: ${{ inputs.compose_workdir }}
+        env:
+          DOCKER_IMAGE: ${{ needs.build_and_push.outputs.image_ref }}
+        run: |
+          set -euo pipefail
+          docker compose ${{ inputs.compose_args }}
+
+      - name: Compose Up (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        working-directory: ${{ inputs.compose_workdir }}
+        env:
+          DOCKER_IMAGE: ${{ needs.build_and_push.outputs.image_ref }}
+        run: |
+          docker compose ${{ inputs.compose_args }}