feat: Watchtower pull-based deployment via GHCR

- deploy.yml: build production stage and push to ghcr.io/hive76/beebot only (remove SSH push)
- docker-compose.yml: update image refs to GHCR, add Watchtower service (polls every 5 min)
- Makefile: make deploy pulls from GHCR before recreating container

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: k1n6b0b

.github/workflows/deploy.yml

@@ -6,12 +6,9 @@ on:
   workflow_dispatch:   # allow manual trigger from GitHub UI
 
 jobs:
-  deploy:
-    name: Build, Push, Deploy
+  publish:
+    name: Build and Push Image
     runs-on: ubuntu-latest
-    # Only deploy after tests and secret scan pass
-    needs: []   # CI runs separately; deploy is triggered by push to main
-                # Enable branch protection to require CI to pass before merge
 
     permissions:
       contents: read
@@ -31,19 +28,8 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
+          target: production
           push: true
           tags: |
             ghcr.io/hive76/beebot:latest
             ghcr.io/hive76/beebot:${{ github.sha }}
-
-      - name: Deploy to frame.hive76.org
-        uses: appleboy/ssh-action@v1
-        with:
-          host: ${{ secrets.DEPLOY_HOST }}
-          username: ${{ secrets.DEPLOY_USER }}
-          key: ${{ secrets.DEPLOY_SSH_KEY }}
-          script: |
-            cd /opt/beebot
-            docker compose pull
-            docker compose up -d --remove-orphans
-            docker image prune -f

Makefile

@@ -6,8 +6,9 @@ VERSION := $(shell cat VERSION)
 build:
 	docker build --target production -t beebot:$(VERSION) -t beebot:latest .
 
-## Deploy (or redeploy) the bot container with the latest image
+## Pull latest image from GHCR and redeploy
 deploy:
+	docker compose pull beebot
 	docker compose up -d --force-recreate beebot
 
 ## Run a one-off knowledge base sync

docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   beebot:
-    image: beebot:latest
+    image: ghcr.io/hive76/beebot:latest
     container_name: beebot
     restart: unless-stopped
 
@@ -30,10 +30,10 @@ services:
       start_period: 15s
 
   # Separate sync container — runs once and exits
-  # Trigger manually in Portainer or via cron on host:
+  # Trigger manually or via cron on host:
   #   docker compose run --rm beebot-sync
   beebot-sync:
-    image: beebot:latest
+    image: ghcr.io/hive76/beebot:latest
     container_name: beebot-sync
     restart: "no"
     user: "0:0"   # sync writes to the shared volume; root avoids permission issues
@@ -50,6 +50,17 @@ services:
 
     command: ["python", "sync/sync_docs.py"]
 
+  # Watchtower — polls GHCR every 5 minutes, pulls new image, restarts beebot
+  # Requires: docker login ghcr.io on the host (PAT with read:packages scope)
+  watchtower:
+    image: containrrr/watchtower
+    container_name: watchtower
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /root/.docker/config.json:/config.json:ro
+    command: --interval 300 beebot
+
 volumes:
   beebot_data:
     driver: local