From 9ba3938f893e475d257beabcb734c21fc66f49b4 Mon Sep 17 00:00:00 2001 From: "MagicMock/mock.effective_git_name/134046652576640" Date: Sun, 17 May 2026 11:04:42 +0000 Subject: [PATCH] feat(deploy): replace Watchtower with GH Actions pipeline deploy Remove Watchtower auto-update container and its labels from traefik/clayde. Add deploy job to CI that SCPs docker-compose.yml to the host and restarts all services via SSH on every push to main. Requires three GH secrets: DEPLOY_HOST, DEPLOY_USER, DEPLOY_SSH_KEY. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build.yml | 20 ++++++++++++++++++++ docker-compose.yml | 10 ---------- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index daad601..d15b1c2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -48,3 +48,23 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + deploy: + needs: build + runs-on: ubuntu-latest + if: github.ref == 'refs/heads/main' + steps: + - uses: actions/checkout@v4 + - uses: appleboy/scp-action@v0.1.7 + with: + host: ${{ secrets.DEPLOY_HOST }} + username: ${{ secrets.DEPLOY_USER }} + key: ${{ secrets.DEPLOY_SSH_KEY }} + source: docker-compose.yml + target: /home/ubuntu/clayde/ + - uses: appleboy/ssh-action@v1.0.3 + with: + host: ${{ secrets.DEPLOY_HOST }} + username: ${{ secrets.DEPLOY_USER }} + key: ${{ secrets.DEPLOY_SSH_KEY }} + script: cd ~/clayde && docker compose pull && docker compose up -d diff --git a/docker-compose.yml b/docker-compose.yml index 536d973..f94d12f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -23,9 +23,6 @@ services: volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./data/letsencrypt:/letsencrypt - labels: - - "com.centurylinklabs.watchtower.enable=true" - clayde: image: ghcr.io/claydecode/me:main restart: unless-stopped 
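Review bot: The new `deploy` job in `.github/workflows/build.yml` passes `DEPLOY_SSH_KEY` to two third-party actions referenced by mutable tags (`appleboy/scp-action@v0.1.7`, `appleboy/ssh-action@v1.0.3`) and sets no `fingerprint` input on either step, so as far as I know these actions do not verify the host key before using the key. Pinning both `uses:` lines to full commit SHAs and supplying the host-key fingerprint as a fourth secret (the name below is a suggestion) would close both gaps. The scp `target` is hard-coded to `/home/ubuntu/clayde/` while the script runs `cd ~/clayde`, and the two agree only when `DEPLOY_USER` is `ubuntu`, so the script should use the same absolute path. Because this commit drops the `watchtower` service from the compose file, a plain `docker compose up -d` will likely leave the already-deployed watchtower container running as an orphan with the Docker socket mounted, which `--remove-orphans` would clean up. The workflow's triggers and any `permissions:` block are outside the hunk, so whether this job runs with a read-only token cannot be confirmed from here.

```yaml
      # … unchanged: actions/checkout step …
      - uses: appleboy/scp-action@<FULL_COMMIT_SHA>  # placeholder: SHA of the v0.1.7 tag
        with:
          # … unchanged: host, username, key, source, target …
          fingerprint: ${{ secrets.DEPLOY_HOST_FINGERPRINT }}
      - uses: appleboy/ssh-action@<FULL_COMMIT_SHA>  # placeholder: SHA of the v1.0.3 tag
        with:
          # … unchanged: host, username, key …
          fingerprint: ${{ secrets.DEPLOY_HOST_FINGERPRINT }}
          script: cd /home/ubuntu/clayde && docker compose pull && docker compose up -d --remove-orphans
```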
@@ -47,16 +44,9 @@ services: # handles cross-device sync; container performs no git on the KB. - ~/knowledge_base:/home/clayde/knowledge_base labels: - - "com.centurylinklabs.watchtower.enable=true" - "traefik.enable=true" - "traefik.http.routers.clayde.rule=Host(`${CLAYDE_PEBBLE_HOST}`) && PathPrefix(`/webhook`)" - "traefik.http.routers.clayde.entrypoints=websecure" - "traefik.http.routers.clayde.tls.certresolver=le" - "traefik.http.services.clayde.loadbalancer.server.port=8080" - watchtower: - image: containrrr/watchtower - restart: unless-stopped - volumes: - - /var/run/docker.sock:/var/run/docker.sock - command: --interval 300 --cleanup --label-enable