commit 75bed2811e3c0681855f9f0f6e1ed30552ec87cd
Author: Samuel Enocsson <samuel.enocsson@consid.se>
Date:   Fri May 22 14:25:16 2026 +0200

    feat: initial composite action for package-updater /update

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..20d6a1c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,45 @@
+# package-updater-action
+
+Reusable Gitea composite action that notifies a running `package-updater` service
+to `docker compose pull` + `up -d` for the matching service(s) on its host.
+
+Companion to https://gitea.shcizo.se/shcizo/package-updater.
+
+## Usage
+
+In a consumer repo's `.gitea/workflows/deploy.yml`:
+
+```yaml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build-and-push]
+    steps:
+      - uses: shcizo/package-updater-action@v1
+        with:
+          endpoint: https://updater.example.com/update
+          image: gitea.shcizo.se/shcizo/${{ gitea.repository_owner }}/myapp
+          tag: ${{ gitea.sha }}
+          token: ${{ secrets.UPDATER_TOKEN }}
+```
+
+`UPDATER_TOKEN` should be an organisation-level secret in Gitea so all repos share it.
+
+## Inputs
+
+| Name | Required | Default | Description |
+|---|---|---|---|
+| `endpoint` | yes | — | Full URL to `package-updater`'s `/update` |
+| `image` | yes | — | Image reference without tag |
+| `tag` | no | `""` | Tag that was just pushed (logged for audit) |
+| `token` | yes | — | Bearer token configured in `package-updater` |
+
+## Failure modes
+
+The step exits non-zero if `package-updater` returns HTTP 4xx or 5xx. This is
+intentional — the workflow surfaces the deploy failure to whoever pushed.
+
+## Versioning
+
+Pin to a major version: `shcizo/package-updater-action@v1`. Breaking changes will
+bump major; new inputs and bug fixes will reuse `v1`.
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..4b86f07
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,36 @@
+name: "Deploy via package-updater"
+description: "Notifies package-updater to pull & restart a Docker Compose service"
+inputs:
+  endpoint:
+    description: "Full URL to /update (e.g. https://updater.example.com/update)"
+    required: true
+  image:
+    description: "Image reference without tag (e.g. registry.example.com/myapp)"
+    required: true
+  tag:
+    description: "Tag that was just pushed (for logging)"
+    required: false
+    default: ""
+  token:
+    description: "Bearer token for package-updater"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Trigger update
+      shell: bash
+      env:
+        TOKEN: ${{ inputs.token }}
+      run: |
+        response=$(curl -sS -w "\n%{http_code}" \
+          -X POST "${{ inputs.endpoint }}" \
+          -H "Authorization: Bearer $TOKEN" \
+          -H "Content-Type: application/json" \
+          -d "{\"image\":\"${{ inputs.image }}\",\"tag\":\"${{ inputs.tag }}\"}")
+        body=$(echo "$response" | head -n -1)
+        code=$(echo "$response" | tail -n 1)
+        echo "HTTP $code"
+        echo "$body" | jq .
+        if [ "$code" -ge 400 ]; then
+          exit 1
+        fi