# played/workflows

Reusable Gitea Actions workflows for the played ecosystem.

## `build-deploy-game.yml`

Drives the standard four-stage `build-api-core → deploy-api-core → build-web → deploy-web` pipeline for a played game.

### Usage

Each game's `.gitea/workflows/deploy.yml`:

```yaml
name: Build & Deploy <Game>
run-name: ${{ gitea.actor }} is deploying <game-id>

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build-deploy:
    uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
    with:
      game-id: <game-id>
    secrets: inherit
```

### Required caller secrets

`secrets: inherit` makes all the calling repo's secrets available. The workflow reads:

| Secret | Purpose |
| ------ | ------- |
| `BUILD_ENV` | Full prod `.env` contents. Used as a Docker build secret (`secret-files: env=...`) AND written to `~/<game-id>-secrets/.env` on the deploy VM. |
| `NPMRC` | `~/.npmrc` content with `@played:registry=...` + auth tokens. |
| `REGISTRY_USER` / `REGISTRY_TOKEN` | Gitea container registry creds. |
| `PLAYED_HOST` / `PLAYED_USER` / `PLAYED_PORT` / `PLAYED_SSH_KEY` | Deploy target SSH. |
| `STEP_CA_PROVISIONER_PASSWORD` | For the `cert-init` container in `compose.production.yml`. |

### Assumptions

- The repo lives at `git.unom.io/played/<game-id>` (matches `${{ gitea.repository }}`).
- The VM working dir is `~/<game-id>` (the deploy step `cd`s there).
- Secrets dir is `~/<game-id>-secrets/`.
- `compose.production.yml` defines `api-core` and `web` services, both with `--env-file ~/<game-id>-secrets/.env`.

## `renovate.yml` + `renovate-config.json`

Self-hosted [Renovate](https://docs.renovatebot.com) that keeps dependencies aligned across the game repos. `renovate.yml` is a scheduled bot (Mondays 06:00 UTC, plus manual `workflow_dispatch`); `renovate-config.json` is the shared preset every repo extends, so a bump lands the same way everywhere. Updates are grouped (`@played/*` together; third-party non-major batched) to keep PR noise down.

### One-time setup

1. Create a Gitea PAT — a dedicated `renovate` bot user is cleanest — with scopes `read:user`, `write:repository`, `write:issue`. Add it as the `RENOVATE_TOKEN` Actions secret (org-level, or on this repo).
2. Make sure the existing `NPMRC` secret (registry + `@played` auth) is visible to this repo's Actions run (org-level recommended) — Renovate uses it to look up `@played/*` versions.
   - Add `RENOVATE_GITHUB_COM_TOKEN` — a **read-only** github.com PAT (no scopes). Required in practice: updating `bun.lock` installs `bun`, whose versions come from github.com releases, so without it lockfile artifacts fail with "No tool releases found". It also stops `api.github.com` rate-limit warnings and enables changelogs + `actions/checkout`/`appleboy/ssh-action` updates.
3. Push, then run the workflow once (**Run workflow**). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does `extends: ["local>played/workflows:renovate-config"]`; merge them to go live.

### Target repos

Listed in `renovate.yml` under `RENOVATE_REPOSITORIES` (the six games + `plaza`). Add the shared packages (`app-ui`, `games-registry`, `api-core`, …) to that list to manage them too, or switch to `RENOVATE_AUTODISCOVER=true` with `RENOVATE_AUTODISCOVER_FILTER=played/*`.

> The bot only keeps versions *current* together (it opens PRs). For hard parity — failing CI when any repo drifts — pair it with a [`syncpack`](https://github.com/JamieMason/syncpack) check.