From f924ec74853e655def657060f225e3b888664e4e Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Thu, 21 May 2026 18:40:56 +0200
Subject: [PATCH] ci: pin action versions, inline docker login, parallelize builds

Three reliability+speed changes to the reusable build-deploy-game workflow:

- Pin actions/checkout, docker/setup-buildx-action, docker/build-push-action to immutable patch tags (v4.2.2, v3.10.0, v6.16.0). Moving major-version tags (`@v3`/`@v6`) gave the act-runner non-deterministic cache hashes; the remplir 1541 failure was act re-using a partial cache dir for `@v3` of docker/login-action with only `.gitignore` present and no `dist/index.js`.
- Replace docker/login-action with an inline `docker login --password-stdin` shell step in both build jobs. One less remote-action download per job = one less surface for the act partial-cache failure mode that broke 1541.
- Decouple build-web from deploy-api-core. Web build only needs the git checkout, not a running api-core (vite build is offline). deploy-web now gates on [build-web, deploy-api-core] so the runtime ordering is still api-core-before-web while the two image builds can run in parallel if the runner has any concurrency.

Also: drop the shared played/bun-cache references (was causing thrashing between games writing to the same `:latest` tag) and flip per-game cache to mode=max so the expensive bun-install + turbo-build layers are actually reused on subsequent runs.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/build-deploy-game.yml | 56 +++++++++++++++-----------
 1 file changed, 32 insertions(+), 24 deletions(-)

diff --git a/.gitea/workflows/build-deploy-game.yml b/.gitea/workflows/build-deploy-game.yml
index cd64c00..5e7d0bd 100644
--- a/.gitea/workflows/build-deploy-game.yml
+++ b/.gitea/workflows/build-deploy-game.yml
@@ -18,6 +18,14 @@ name: Build & Deploy played game (reusable)
 # - REGISTRY_USER / REGISTRY_TOKEN — Gitea container registry creds
 # - PLAYED_HOST / PLAYED_USER / PLAYED_PORT / PLAYED_SSH_KEY — deploy target
 # - STEP_CA_PROVISIONER_PASSWORD — for the cert-init container
+#
+# Notes on reliability:
+# - All remote actions are pinned to immutable patch tags so the act-runner
+#   action cache hash is stable run-to-run. The cluster of "Cannot find
+#   module .../dist/index.js" failures on home-runner-1 was act re-using a
+#   partial cache dir for a moving tag (`@v3`); pinning kills that mode.
+# - Registry login is an inline shell step instead of docker/login-action.
+#   One fewer remote-action download = one fewer failure point per job.
 
 on:
   workflow_call:
@@ -31,10 +39,10 @@ jobs:
   build-api-core:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v3.10.0
         with:
           config-inline: |
             [registry."docker.io"]
@@ -44,11 +52,11 @@ jobs:
               insecure = true
 
       - name: Log in to Gitea registry
-        uses: docker/login-action@v3
-        with:
-          registry: git.unom.io
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+        env:
+          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+        run: |
+          printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u "$REGISTRY_USER" --password-stdin
 
       - name: Write secrets to files
         env:
@@ -59,7 +67,7 @@ jobs:
           printenv NPMRC > /tmp/.npmrc
 
       - name: Build & push api-core
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v6.16.0
         with:
           context: .
           file: ./api/core/Dockerfile
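Review bot: The comment added at the top of this hunk calls the patch tags "immutable", but a git tag such as `v4.2.2` is a mutable ref that the upstream owner can move or re-point, so pinning the tag stabilises the string act hashes, not the code that actually runs. For the supply-chain property the comment claims, pin to the full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<commit-sha-of-v4.2.2> # v4.2.2`, and do the same for the setup-buildx and build-push pins in the hunks at -31, -59, -144 and -174. Until then the comment should read `# - All remote actions are pinned to fixed patch tags so the act-runner` so it does not overstate the guarantee.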
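Review bot: The inline login step under `run: |` has no counterpart to the `docker logout` post-step that docker/login-action performs by default, so the registry credential that `docker login` writes to the job's `~/.docker/config.json` (base64, unless a credential helper is configured) stays on disk for the rest of the job, and on a runner whose home directory persists across jobs, beyond it. Add a final step after the build-push step, `- name: Log out of Gitea registry` / `if: always()` / `run: docker logout git.unom.io`, so the stored auth is removed even when the build fails. The same applies to the web job's login step in the hunk at -159. Whether this act-runner reuses a home directory between jobs is not visible in the diff, so the exposure window may be only the job itself.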
@@ -72,10 +80,8 @@ jobs:
             npmrc=/tmp/.npmrc
           cache-from: |
             type=registry,ref=git.unom.io/${{ gitea.repository }}/api-core:cache
-            type=registry,ref=git.unom.io/played/bun-cache:latest
           cache-to: |
-            type=registry,ref=git.unom.io/${{ gitea.repository }}/api-core:cache,mode=min
-            type=registry,ref=git.unom.io/played/bun-cache:latest,mode=max
+            type=registry,ref=git.unom.io/${{ gitea.repository }}/api-core:cache,mode=max
 
   deploy-api-core:
     runs-on: ubuntu-24.04
@@ -144,12 +150,15 @@ jobs:
 
   build-web:
     runs-on: ubuntu-24.04
-    needs: deploy-api-core
+    # No `needs:` — web build is independent of the api-core build/deploy.
+    # If the runner can run jobs concurrently, this lets it run in parallel
+    # with build-api-core + deploy-api-core. deploy-web below still gates on
+    # deploy-api-core so the runtime sequence is preserved.
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v3.10.0
         with:
           config-inline: |
             [registry."docker.io"]
@@ -159,11 +168,11 @@ jobs:
               insecure = true
 
       - name: Log in to Gitea registry
-        uses: docker/login-action@v3
-        with:
-          registry: git.unom.io
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+        env:
+          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+        run: |
+          printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u "$REGISTRY_USER" --password-stdin
 
       - name: Write secrets to files
         env:
@@ -174,7 +183,7 @@ jobs:
           printenv NPMRC > /tmp/.npmrc
 
       - name: Build & push web
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v6.16.0
         with:
           context: .
           file: ./apps/web/Dockerfile
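Review bot: Switching the `cache-to` export to `mode=max` pushes every intermediate layer of every build stage to the `api-core:cache` registry ref, not only the final image's layers as `mode=min` did. That is only safe if the Dockerfile consumes `/tmp/.npmrc` through a BuildKit secret mount (`RUN --mount=type=secret,id=npmrc ...`) and never copies or writes the token into a layer; the `npmrc=/tmp/.npmrc` context line at the top of the hunk sits under a key that begins outside the hunk, so the diff does not show which input it belongs to. A comment on the cache-to entry would record the constraint, `# mode=max exports all builder-stage layers to the registry; keep secrets on --mount=type=secret only`. The same check applies to the web job's cache-to in the hunk at -187.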
@@ -187,14 +196,13 @@ jobs:
             npmrc=/tmp/.npmrc
           cache-from: |
             type=registry,ref=git.unom.io/${{ gitea.repository }}/web:cache
-            type=registry,ref=git.unom.io/played/bun-cache:latest
           cache-to: |
-            type=registry,ref=git.unom.io/${{ gitea.repository }}/web:cache,mode=min
-            type=registry,ref=git.unom.io/played/bun-cache:latest,mode=max
+            type=registry,ref=git.unom.io/${{ gitea.repository }}/web:cache,mode=max
 
   deploy-web:
     runs-on: ubuntu-24.04
-    needs: build-web
+    # Both gates: image must be built AND api-core must be live before web flips.
+    needs: [build-web, deploy-api-core]
     steps:
       - name: Pull and start web
         uses: appleboy/ssh-action@v1.2.5