ci: pin action versions, inline docker login, parallelize builds
Three reliability+speed changes to the reusable build-deploy-game workflow: - Pin actions/checkout, docker/setup-buildx-action, docker/build-push-action to immutable patch tags (v4.2.2, v3.10.0, v6.16.0). Moving major-version tags (`@v3`/`@v6`) gave the act-runner non-deterministic cache hashes; the remplir 1541 failure was act re-using a partial cache dir for `@v3` of docker/login-action with only `.gitignore` present and no `dist/index.js`. - Replace docker/login-action with an inline `docker login --password-stdin` shell step in both build jobs. One less remote-action download per job = one less surface for the act partial-cache failure mode that broke 1541. - Decouple build-web from deploy-api-core. Web build only needs the git checkout, not a running api-core (vite build is offline). deploy-web now gates on [build-web, deploy-api-core] so the runtime ordering is still api-core-before-web while the two image builds can run in parallel if the runner has any concurrency. Also: drop the shared played/bun-cache references (was causing thrashing between games writing to the same `:latest` tag) and flip per-game cache to mode=max so the expensive bun-install + turbo-build layers are actually reused on subsequent runs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -18,6 +18,14 @@ name: Build & Deploy played game (reusable)
|
|||||||
# - REGISTRY_USER / REGISTRY_TOKEN — Gitea container registry creds
|
# - REGISTRY_USER / REGISTRY_TOKEN — Gitea container registry creds
|
||||||
# - PLAYED_HOST / PLAYED_USER / PLAYED_PORT / PLAYED_SSH_KEY — deploy target
|
# - PLAYED_HOST / PLAYED_USER / PLAYED_PORT / PLAYED_SSH_KEY — deploy target
|
||||||
# - STEP_CA_PROVISIONER_PASSWORD — for the cert-init container
|
# - STEP_CA_PROVISIONER_PASSWORD — for the cert-init container
|
||||||
|
#
|
||||||
|
# Notes on reliability:
|
||||||
|
# - All remote actions are pinned to immutable patch tags so the act-runner
|
||||||
|
# action cache hash is stable run-to-run. The cluster of "Cannot find
|
||||||
|
# module .../dist/index.js" failures on home-runner-1 was act re-using a
|
||||||
|
# partial cache dir for a moving tag (`@v3`); pinning kills that mode.
|
||||||
|
# - Registry login is an inline shell step instead of docker/login-action.
|
||||||
|
# One fewer remote-action download = one fewer failure point per job.
|
||||||
|
|
||||||
on:
|
on:
|
||||||
workflow_call:
|
workflow_call:
|
||||||
@@ -31,10 +39,10 @@ jobs:
|
|||||||
build-api-core:
|
build-api-core:
|
||||||
runs-on: ubuntu-24.04
|
runs-on: ubuntu-24.04
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4.2.2
|
||||||
|
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3.10.0
|
||||||
with:
|
with:
|
||||||
config-inline: |
|
config-inline: |
|
||||||
[registry."docker.io"]
|
[registry."docker.io"]
|
||||||
@@ -44,11 +52,11 @@ jobs:
|
|||||||
insecure = true
|
insecure = true
|
||||||
|
|
||||||
- name: Log in to Gitea registry
|
- name: Log in to Gitea registry
|
||||||
uses: docker/login-action@v3
|
env:
|
||||||
with:
|
REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
|
||||||
registry: git.unom.io
|
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
username: ${{ secrets.REGISTRY_USER }}
|
run: |
|
||||||
password: ${{ secrets.REGISTRY_TOKEN }}
|
printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u "$REGISTRY_USER" --password-stdin
|
||||||
|
|
||||||
- name: Write secrets to files
|
- name: Write secrets to files
|
||||||
env:
|
env:
|
||||||
@@ -59,7 +67,7 @@ jobs:
|
|||||||
printenv NPMRC > /tmp/.npmrc
|
printenv NPMRC > /tmp/.npmrc
|
||||||
|
|
||||||
- name: Build & push api-core
|
- name: Build & push api-core
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v6.16.0
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
file: ./api/core/Dockerfile
|
file: ./api/core/Dockerfile
|
||||||
@@ -72,10 +80,8 @@ jobs:
|
|||||||
npmrc=/tmp/.npmrc
|
npmrc=/tmp/.npmrc
|
||||||
cache-from: |
|
cache-from: |
|
||||||
type=registry,ref=git.unom.io/${{ gitea.repository }}/api-core:cache
|
type=registry,ref=git.unom.io/${{ gitea.repository }}/api-core:cache
|
||||||
type=registry,ref=git.unom.io/played/bun-cache:latest
|
|
||||||
cache-to: |
|
cache-to: |
|
||||||
type=registry,ref=git.unom.io/${{ gitea.repository }}/api-core:cache,mode=min
|
type=registry,ref=git.unom.io/${{ gitea.repository }}/api-core:cache,mode=max
|
||||||
type=registry,ref=git.unom.io/played/bun-cache:latest,mode=max
|
|
||||||
|
|
||||||
deploy-api-core:
|
deploy-api-core:
|
||||||
runs-on: ubuntu-24.04
|
runs-on: ubuntu-24.04
|
||||||
@@ -144,12 +150,15 @@ jobs:
|
|||||||
|
|
||||||
build-web:
|
build-web:
|
||||||
runs-on: ubuntu-24.04
|
runs-on: ubuntu-24.04
|
||||||
needs: deploy-api-core
|
# No `needs:` — web build is independent of the api-core build/deploy.
|
||||||
|
# If the runner can run jobs concurrently, this lets it run in parallel
|
||||||
|
# with build-api-core + deploy-api-core. deploy-web below still gates on
|
||||||
|
# deploy-api-core so the runtime sequence is preserved.
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4.2.2
|
||||||
|
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v3
|
uses: docker/setup-buildx-action@v3.10.0
|
||||||
with:
|
with:
|
||||||
config-inline: |
|
config-inline: |
|
||||||
[registry."docker.io"]
|
[registry."docker.io"]
|
||||||
@@ -159,11 +168,11 @@ jobs:
|
|||||||
insecure = true
|
insecure = true
|
||||||
|
|
||||||
- name: Log in to Gitea registry
|
- name: Log in to Gitea registry
|
||||||
uses: docker/login-action@v3
|
env:
|
||||||
with:
|
REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
|
||||||
registry: git.unom.io
|
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
username: ${{ secrets.REGISTRY_USER }}
|
run: |
|
||||||
password: ${{ secrets.REGISTRY_TOKEN }}
|
printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u "$REGISTRY_USER" --password-stdin
|
||||||
|
|
||||||
- name: Write secrets to files
|
- name: Write secrets to files
|
||||||
env:
|
env:
|
||||||
@@ -174,7 +183,7 @@ jobs:
|
|||||||
printenv NPMRC > /tmp/.npmrc
|
printenv NPMRC > /tmp/.npmrc
|
||||||
|
|
||||||
- name: Build & push web
|
- name: Build & push web
|
||||||
uses: docker/build-push-action@v6
|
uses: docker/build-push-action@v6.16.0
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
file: ./apps/web/Dockerfile
|
file: ./apps/web/Dockerfile
|
||||||
@@ -187,14 +196,13 @@ jobs:
|
|||||||
npmrc=/tmp/.npmrc
|
npmrc=/tmp/.npmrc
|
||||||
cache-from: |
|
cache-from: |
|
||||||
type=registry,ref=git.unom.io/${{ gitea.repository }}/web:cache
|
type=registry,ref=git.unom.io/${{ gitea.repository }}/web:cache
|
||||||
type=registry,ref=git.unom.io/played/bun-cache:latest
|
|
||||||
cache-to: |
|
cache-to: |
|
||||||
type=registry,ref=git.unom.io/${{ gitea.repository }}/web:cache,mode=min
|
type=registry,ref=git.unom.io/${{ gitea.repository }}/web:cache,mode=max
|
||||||
type=registry,ref=git.unom.io/played/bun-cache:latest,mode=max
|
|
||||||
|
|
||||||
deploy-web:
|
deploy-web:
|
||||||
runs-on: ubuntu-24.04
|
runs-on: ubuntu-24.04
|
||||||
needs: build-web
|
# Both gates: image must be built AND api-core must be live before web flips.
|
||||||
|
needs: [build-web, deploy-api-core]
|
||||||
steps:
|
steps:
|
||||||
- name: Pull and start web
|
- name: Pull and start web
|
||||||
uses: appleboy/ssh-action@v1.2.5
|
uses: appleboy/ssh-action@v1.2.5
|
||||||
|
|||||||
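Review bot: The inline login step at `- name: Log in to Gitea registry` (same change in both build jobs) drops a cleanup that docker/login-action performed: that action's post step runs `docker logout` by default, whereas the new `run:` step leaves the registry credential in the runner's `~/.docker/config.json` after the job ends, which matters on the persistent self-hosted runner the header comment refers to (home-runner-1). Add a trailing step to each build job, `- name: Log out of Gitea registry` / `if: always()` / `run: docker logout git.unom.io`, so the credential is removed whether or not the build succeeds. Separately, the new header comment says actions are "pinned to immutable patch tags", but a tag such as `actions/checkout@v4.2.2` is a mutable ref that the upstream owner can retarget; only a full commit SHA is immutable, so either pin as `uses: actions/checkout@<COMMIT_SHA>  # v4.2.2` or soften the comment to "pinned to patch tags" — whether act keys its action cache identically for SHA refs is not visible here. The `printf '%s' "$REGISTRY_TOKEN" | docker login ... --password-stdin` form itself is sound, since the token never appears on a command line or in the step log.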