Initial: build-deploy-game.yml reusable workflow

Drives the standard four-stage build-api-core → deploy-api-core → build-web → deploy-web pipeline for a played game. Game repos invoke via: jobs: deploy: uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main with: game-id: <slug> secrets: inherit The caller's BUILD_ENV / NPMRC / REGISTRY_* / PLAYED_* / STEP_CA_PROVISIONER_PASSWORD are inherited; `game-id` parameterizes the VM paths (~/<id>, ~/<id>-secrets) and the docker tag context. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 19:00:55 +02:00
commit a6e03d8886
3 changed files with 261 additions and 0 deletions
@@ -0,0 +1,213 @@
+name: Build & Deploy played game (reusable)
+
+# Invoked by each game's `.gitea/workflows/deploy.yml`:
+#
+#   jobs:
+#     deploy:
+#       uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
+#       with:
+#         game-id: relayer
+#       secrets: inherit
+#
+# The caller repo must expose these Gitea Actions secrets (via
+# `secrets: inherit` or per-secret pass-through):
+#   - BUILD_ENV                — the prod .env, written to /tmp/.env.prod for
+#                                Docker build secret mount AND to
+#                                ~/<game-id>-secrets/.env on the deploy VM
+#   - NPMRC                    — ~/.npmrc with @played registry auth token
+#   - REGISTRY_USER / REGISTRY_TOKEN — Gitea container registry creds
+#   - PLAYED_HOST / PLAYED_USER / PLAYED_PORT / PLAYED_SSH_KEY — deploy target
+#   - STEP_CA_PROVISIONER_PASSWORD — for the cert-init container
+
+on:
+  workflow_call:
+    inputs:
+      game-id:
+        description: Game slug (must match @played/games-registry's GAMES, e.g. relayer)
+        type: string
+        required: true
+
+jobs:
+  build-api-core:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          config-inline: |
+            [registry."docker.io"]
+              mirrors = ["192.168.1.52:5000"]
+            [registry."192.168.1.52:5000"]
+              http = true
+              insecure = true
+
+      - name: Log in to Gitea registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.unom.io
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Write secrets to files
+        env:
+          BUILD_ENV: ${{ secrets.BUILD_ENV }}
+          NPMRC: ${{ secrets.NPMRC }}
+        run: |
+          printenv BUILD_ENV > /tmp/.env.prod
+          printenv NPMRC > /tmp/.npmrc
+
+      - name: Build & push api-core
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./api/core/Dockerfile
+          push: true
+          tags: |
+            git.unom.io/${{ gitea.repository }}/api-core:latest
+            git.unom.io/${{ gitea.repository }}/api-core:${{ gitea.sha }}
+          secret-files: |
+            env=/tmp/.env.prod
+            npmrc=/tmp/.npmrc
+          cache-from: |
+            type=registry,ref=git.unom.io/${{ gitea.repository }}/api-core:cache
+            type=registry,ref=git.unom.io/played/bun-cache:latest
+          cache-to: |
+            type=registry,ref=git.unom.io/${{ gitea.repository }}/api-core:cache,mode=min
+            type=registry,ref=git.unom.io/played/bun-cache:latest,mode=max
+
+  deploy-api-core:
+    runs-on: ubuntu-24.04
+    needs: build-api-core
+    steps:
+      - name: Write secrets to server
+        uses: appleboy/ssh-action@v1.2.5
+        with:
+          host: ${{ secrets.PLAYED_HOST }}
+          username: ${{ secrets.PLAYED_USER }}
+          port: ${{ secrets.PLAYED_PORT }}
+          key: ${{ secrets.PLAYED_SSH_KEY }}
+          envs: BUILD_ENV,STEP_CA_PROVISIONER_PASSWORD,GAME_ID
+          script: |
+            mkdir -p ~/${GAME_ID}-secrets
+            printf '%s' "$BUILD_ENV" > ~/${GAME_ID}-secrets/.env
+            printf '%s' "$STEP_CA_PROVISIONER_PASSWORD" > ~/${GAME_ID}-secrets/step-provisioner-password.txt
+            chmod 644 ~/${GAME_ID}-secrets/.env
+            chmod 600 ~/${GAME_ID}-secrets/step-provisioner-password.txt
+        env:
+          BUILD_ENV: ${{ secrets.BUILD_ENV }}
+          STEP_CA_PROVISIONER_PASSWORD: ${{ secrets.STEP_CA_PROVISIONER_PASSWORD }}
+          GAME_ID: ${{ inputs.game-id }}
+
+      - name: Pull and start api-core
+        uses: appleboy/ssh-action@v1.2.5
+        with:
+          host: ${{ secrets.PLAYED_HOST }}
+          username: ${{ secrets.PLAYED_USER }}
+          port: ${{ secrets.PLAYED_PORT }}
+          key: ${{ secrets.PLAYED_SSH_KEY }}
+          envs: GAME_ID
+          script: |
+            docker login git.unom.io -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }}
+            cd ~/${GAME_ID}
+            git fetch origin main
+            git reset --hard origin/main
+            docker compose -f compose.production.yml --env-file ~/${GAME_ID}-secrets/.env pull api-core
+            docker compose -f compose.production.yml --env-file ~/${GAME_ID}-secrets/.env up -d --no-build api-core
+        env:
+          GAME_ID: ${{ inputs.game-id }}
+
+      - name: Wait for api-core to be healthy
+        uses: appleboy/ssh-action@v1.2.5
+        with:
+          host: ${{ secrets.PLAYED_HOST }}
+          username: ${{ secrets.PLAYED_USER }}
+          port: ${{ secrets.PLAYED_PORT }}
+          key: ${{ secrets.PLAYED_SSH_KEY }}
+          envs: GAME_ID
+          script: |
+            cd ~/${GAME_ID}
+            echo "Waiting for api-core to be ready..."
+            for i in $(seq 1 30); do
+              if docker compose -f compose.production.yml --env-file ~/${GAME_ID}-secrets/.env ps api-core | grep -q "(healthy)"; then
+                echo "api-core is healthy"
+                exit 0
+              fi
+              echo "Attempt $i/30..."
+              sleep 5
+            done
+            echo "api-core did not become healthy in time"
+            exit 1
+        env:
+          GAME_ID: ${{ inputs.game-id }}
+
+  build-web:
+    runs-on: ubuntu-24.04
+    needs: deploy-api-core
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          config-inline: |
+            [registry."docker.io"]
+              mirrors = ["192.168.1.52:5000"]
+            [registry."192.168.1.52:5000"]
+              http = true
+              insecure = true
+
+      - name: Log in to Gitea registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.unom.io
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Write secrets to files
+        env:
+          BUILD_ENV: ${{ secrets.BUILD_ENV }}
+          NPMRC: ${{ secrets.NPMRC }}
+        run: |
+          printenv BUILD_ENV > /tmp/.env.prod
+          printenv NPMRC > /tmp/.npmrc
+
+      - name: Build & push web
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./apps/web/Dockerfile
+          push: true
+          tags: |
+            git.unom.io/${{ gitea.repository }}/web:latest
+            git.unom.io/${{ gitea.repository }}/web:${{ gitea.sha }}
+          secret-files: |
+            env=/tmp/.env.prod
+            npmrc=/tmp/.npmrc
+          cache-from: |
+            type=registry,ref=git.unom.io/${{ gitea.repository }}/web:cache
+            type=registry,ref=git.unom.io/played/bun-cache:latest
+          cache-to: |
+            type=registry,ref=git.unom.io/${{ gitea.repository }}/web:cache,mode=min
+            type=registry,ref=git.unom.io/played/bun-cache:latest,mode=max
+
+  deploy-web:
+    runs-on: ubuntu-24.04
+    needs: build-web
+    steps:
+      - name: Pull and start web
+        uses: appleboy/ssh-action@v1.2.5
+        with:
+          host: ${{ secrets.PLAYED_HOST }}
+          username: ${{ secrets.PLAYED_USER }}
+          port: ${{ secrets.PLAYED_PORT }}
+          key: ${{ secrets.PLAYED_SSH_KEY }}
+          envs: GAME_ID
+          script: |
+            docker login git.unom.io -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }}
+            cd ~/${GAME_ID}
+            docker compose -f compose.production.yml --env-file ~/${GAME_ID}-secrets/.env pull web
+            docker compose -f compose.production.yml --env-file ~/${GAME_ID}-secrets/.env up -d --no-build web
+        env:
+          GAME_ID: ${{ inputs.game-id }}
@@ -0,0 +1 @@
+.DS_Store
@@ -0,0 +1,47 @@
+# played/workflows
+
+Reusable Gitea Actions workflows for the played ecosystem.
+
+## `build-deploy-game.yml`
+
+Drives the standard four-stage `build-api-core → deploy-api-core → build-web → deploy-web` pipeline for a played game.
+
+### Usage
+
+Each game's `.gitea/workflows/deploy.yml`:
+
+```yaml
+name: Build & Deploy <Game>
+run-name: ${{ gitea.actor }} is deploying <game-id>
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build-deploy:
+    uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
+    with:
+      game-id: <game-id>
+    secrets: inherit
+```
+
+### Required caller secrets
+
+`secrets: inherit` makes all the calling repo's secrets available. The workflow reads:
+
+| Secret | Purpose |
+| ------ | ------- |
+| `BUILD_ENV` | Full prod `.env` contents. Used as a Docker build secret (`secret-files: env=...`) AND written to `~/<game-id>-secrets/.env` on the deploy VM. |
+| `NPMRC` | `~/.npmrc` content with `@played:registry=...` + auth tokens. |
+| `REGISTRY_USER` / `REGISTRY_TOKEN` | Gitea container registry creds. |
+| `PLAYED_HOST` / `PLAYED_USER` / `PLAYED_PORT` / `PLAYED_SSH_KEY` | Deploy target SSH. |
+| `STEP_CA_PROVISIONER_PASSWORD` | For the `cert-init` container in `compose.production.yml`. |
+
+### Assumptions
+
+- The repo lives at `git.unom.io/played/<game-id>` (matches `${{ gitea.repository }}`).
+- The VM working dir is `~/<game-id>` (the deploy step `cd`s there).
+- Secrets dir is `~/<game-id>-secrets/`.
+- `compose.production.yml` defines `api-core` and `web` services, both with `--env-file ~/<game-id>-secrets/.env`.