From a5f7060fb1adf6d130aef13727c312b87bef6331 Mon Sep 17 00:00:00 2001
From: nurdotnet <278048682+nurdotnet@users.noreply.github.com>
Date: Thu, 23 Apr 2026 09:11:19 +0500
Subject: [PATCH] deploy: local docker registry at 127.0.0.1:5001 (primary),
 ghcr as backup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Stage's external pulls from ghcr.io flap on KZ network — the self-hosted
runner pushes images into a local registry:2 (systemd-managed,
/opt/food-market-data/docker-registry) and docker-compose now pulls from
localhost:5001 via \$REGISTRY. ghcr.io is still tagged and pushed as
off-site backup, but ghcr push failure no longer fails the build.

Setup done on the host (not in workflow):
- systemd unit food-market-registry.service (enabled, restart on failure)
- /etc/docker/daemon.json: \"insecure-registries\": [\"127.0.0.1:5001\"]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/deploy-stage.yml |  1 +
 .github/workflows/docker.yml       | 35 +++++++++++++++++++++++++-----
 deploy/docker-compose.yml          |  4 ++--
 3 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/deploy-stage.yml b/.github/workflows/deploy-stage.yml
index ab1b1e5..3a53456 100644
--- a/.github/workflows/deploy-stage.yml
+++ b/.github/workflows/deploy-stage.yml
@@ -39,6 +39,7 @@ jobs:
           SSH="ssh -p ${{ secrets.STAGE_SSH_PORT }} ${{ secrets.STAGE_SSH_USER }}@${{ secrets.STAGE_SSH_HOST }}"
           SHA="${{ github.event.workflow_run.head_sha || github.sha }}"
           $SSH "cat > ~/food-market-stage/deploy/.env" <<ENV
+          REGISTRY=127.0.0.1:5001
           API_TAG=$SHA
           WEB_TAG=$SHA
           POSTGRES_PASSWORD=${{ secrets.STAGE_POSTGRES_PASSWORD }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 6b8dec2..998c15c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -18,6 +18,9 @@ permissions:
   contents: read
   packages: write
 
+env:
+  LOCAL_REGISTRY: 127.0.0.1:5001
+
 jobs:
   api:
     name: API image
@@ -44,13 +47,24 @@ jobs:
           OWNER: ${{ github.repository_owner }}
           SHA: ${{ github.sha }}
         run: |
-          docker build -f deploy/Dockerfile.api -t ghcr.io/$OWNER/food-market-api:$SHA -t ghcr.io/$OWNER/food-market-api:latest .
+          docker build -f deploy/Dockerfile.api \
+            -t $LOCAL_REGISTRY/food-market-api:$SHA \
+            -t $LOCAL_REGISTRY/food-market-api:latest \
+            -t ghcr.io/$OWNER/food-market-api:$SHA \
+            -t ghcr.io/$OWNER/food-market-api:latest .
+
+          # Push to LOCAL registry first (deploy depends on it) — it's on localhost, reliable.
+          for tag in $SHA latest; do
+            docker push $LOCAL_REGISTRY/food-market-api:$tag || { echo "local push $tag failed"; exit 1; }
+          done
+
+          # Push to ghcr.io as off-site backup. Flaky on KZ network — retry, but don't fail the job.
           for tag in $SHA latest; do
             for i in 1 2 3 4 5; do
               if docker push ghcr.io/$OWNER/food-market-api:$tag; then break; fi
-              echo "push $tag attempt $i failed, retrying in 15s"
+              echo "ghcr push $tag attempt $i failed, retrying in 15s"
               sleep 15
-              [ $i -eq 5 ] && exit 1
+              [ $i -eq 5 ] && echo "::warning::ghcr push $tag failed after 5 attempts — local registry still has the image"
             done
           done
 
@@ -79,12 +93,21 @@ jobs:
           OWNER: ${{ github.repository_owner }}
           SHA: ${{ github.sha }}
         run: |
-          docker build -f deploy/Dockerfile.web -t ghcr.io/$OWNER/food-market-web:$SHA -t ghcr.io/$OWNER/food-market-web:latest .
+          docker build -f deploy/Dockerfile.web \
+            -t $LOCAL_REGISTRY/food-market-web:$SHA \
+            -t $LOCAL_REGISTRY/food-market-web:latest \
+            -t ghcr.io/$OWNER/food-market-web:$SHA \
+            -t ghcr.io/$OWNER/food-market-web:latest .
+
+          for tag in $SHA latest; do
+            docker push $LOCAL_REGISTRY/food-market-web:$tag || { echo "local push $tag failed"; exit 1; }
+          done
+
           for tag in $SHA latest; do
             for i in 1 2 3 4 5; do
               if docker push ghcr.io/$OWNER/food-market-web:$tag; then break; fi
-              echo "push $tag attempt $i failed, retrying in 15s"
+              echo "ghcr push $tag attempt $i failed, retrying in 15s"
               sleep 15
-              [ $i -eq 5 ] && exit 1
+              [ $i -eq 5 ] && echo "::warning::ghcr push $tag failed after 5 attempts — local registry still has the image"
             done
           done
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 1273ee4..586c8d3 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -20,7 +20,7 @@ services:
       retries: 5
 
   api:
-    image: ghcr.io/nurdotnet/food-market-api:${API_TAG:-latest}
+    image: ${REGISTRY:-127.0.0.1:5001}/food-market-api:${API_TAG:-latest}
     container_name: food-market-api
     restart: unless-stopped
     depends_on:
@@ -39,7 +39,7 @@ services:
       - api-logs:/app/logs
 
   web:
-    image: ghcr.io/nurdotnet/food-market-web:${WEB_TAG:-latest}
+    image: ${REGISTRY:-127.0.0.1:5001}/food-market-web:${WEB_TAG:-latest}
     container_name: food-market-web
     restart: unless-stopped
     depends_on: