# played/workflows

Reusable Gitea Actions workflows for the played ecosystem.

## `build-deploy-game.yml`

Drives the standard four-stage `build-api-core → deploy-api-core → build-web → deploy-web` pipeline for a played game.

### Usage

Each game's `.gitea/workflows/deploy.yml`:

```yaml
name: Build & Deploy <Game>
run-name: ${{ gitea.actor }} is deploying <game-id>

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build-deploy:
    uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
    with:
      game-id: <game-id>
    secrets: inherit
```

### Required caller secrets

`secrets: inherit` makes all the calling repo's secrets available. The workflow reads:

| Secret | Purpose |
| ------ | ------- |
| `BUILD_ENV` | Full prod `.env` contents. Used as a Docker build secret (`secret-files: env=...`) AND written to `~/<game-id>-secrets/.env` on the deploy VM. |
| `NPMRC` | `~/.npmrc` content with `@played:registry=...` + auth tokens. |
| `REGISTRY_USER` / `REGISTRY_TOKEN` | Gitea container registry creds. |
| `PLAYED_HOST` / `PLAYED_USER` / `PLAYED_PORT` / `PLAYED_SSH_KEY` | Deploy target SSH. |
| `STEP_CA_PROVISIONER_PASSWORD` | For the `cert-init` container in `compose.production.yml`. |

### Assumptions

- The repo lives at `git.unom.io/played/<game-id>` (matches `${{ gitea.repository }}`).
- The VM working dir is `~/<game-id>` (the deploy step `cd`s there).
- Secrets dir is `~/<game-id>-secrets/`.
- `compose.production.yml` defines `api-core` and `web` services, both with `--env-file ~/<game-id>-secrets/.env`.