workflows/README.md
enricobuehler 11de357074 ci(renovate): silence github.com rate limit + skip internal workflow ref
Wire an optional read-only GITHUB_COM_TOKEN so Renovate can reach
api.github.com (changelogs + actions/checkout-style updates) without
rate limiting, and disable management of the internal Gitea reusable
workflow `played/workflows` (it's a @main ref, not a github.com action).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 01:32:01 +02:00


played/workflows

Reusable Gitea Actions workflows for the played ecosystem.

build-deploy-game.yml

Drives the standard four-stage build-api-core → deploy-api-core → build-web → deploy-web pipeline for a played game.

Usage

Each game's .gitea/workflows/deploy.yml:

name: Build & Deploy <Game>
run-name: ${{ gitea.actor }} is deploying <game-id>

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build-deploy:
    uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
    with:
      game-id: <game-id>
    secrets: inherit

Required caller secrets

secrets: inherit makes all the calling repo's secrets available. The workflow reads:

Secret | Purpose
--- | ---
BUILD_ENV | Full prod .env contents. Used as a Docker build secret (secret-files: env=...) AND written to ~/<game-id>-secrets/.env on the deploy VM.
NPMRC | ~/.npmrc content with @played:registry=... + auth tokens.
REGISTRY_USER / REGISTRY_TOKEN | Gitea container registry creds.
PLAYED_HOST / PLAYED_USER / PLAYED_PORT / PLAYED_SSH_KEY | Deploy target SSH.
STEP_CA_PROVISIONER_PASSWORD | For the cert-init container in compose.production.yml.

Assumptions

  • The repo lives at git.unom.io/played/<game-id> (matches ${{ gitea.repository }}).
  • The VM working dir is ~/<game-id> (the deploy step changes into that directory before running compose).
  • Secrets dir is ~/<game-id>-secrets/.
  • compose.production.yml defines api-core and web services, both with --env-file ~/<game-id>-secrets/.env.

renovate.yml + renovate-config.json

Self-hosted Renovate that keeps dependencies aligned across the game repos. renovate.yml is a scheduled bot (Mondays 06:00 UTC, plus manual workflow_dispatch); renovate-config.json is the shared preset every repo extends, so a bump lands the same way everywhere. Updates are grouped (@played/* together; third-party non-major batched) to keep PR noise down.

One-time setup

  1. Create a Gitea PAT — a dedicated renovate bot user is cleanest — with scopes read:user, write:repository, write:issue. Add it as the RENOVATE_TOKEN Actions secret (org-level, or on this repo).
  2. Make sure the existing NPMRC secret (registry + @played auth) is visible to this repo's Actions run (org-level recommended) — Renovate uses it to look up @played/* versions.
    • Optional but recommended: add RENOVATE_GITHUB_COM_TOKEN — a read-only github.com PAT (no scopes). It stops api.github.com rate-limit warnings and enables changelogs + updates for the github.com actions in deploy.yml (actions/checkout, appleboy/ssh-action, …).
  3. Push, then run the workflow once (Run workflow). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does extends: ["local>played/workflows:renovate-config"]; merge them to go live.
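As an added example (not the project's own renovate-config.json), here is a shared preset of the shape the setup above describes: @played/* bumps grouped into one PR, third-party minor/patch updates batched, and the internal played/workflows reusable-workflow reference left alone because its @main ref is not a versioned dependency. The group names, the regex dependency patterns and the rule order (later rules override earlier ones, so the @played rule comes last) are assumptions.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "timezone": "Etc/UTC",
  "packageRules": [
    {
      "description": "Assumed: the internal Gitea reusable workflow is consumed as an @main ref, so there is nothing to bump and no github.com lookup to make.",
      "matchPackageNames": ["/^played\\/workflows/"],
      "enabled": false
    },
    {
      "description": "Assumed: batch third-party minor and patch bumps into one PR; majors stay as separate PRs so breaking changes are reviewed on their own.",
      "matchDatasources": ["npm"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "third-party non-major"
    },
    {
      "description": "Assumed: every @played/* package moves together; listed last so it overrides the third-party group for these names.",
      "matchDatasources": ["npm"],
      "matchPackageNames": ["/^@played\\//"],
      "groupName": "played packages"
    }
  ]
}
```

A target repo's renovate.json then only needs extends: ["local>played/workflows:renovate-config"], which is what the onboarding PR proposes.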

Target repos

Listed in renovate.yml under RENOVATE_REPOSITORIES (the six games + plaza). Add the shared packages (app-ui, games-registry, api-core, …) to that list to manage them too, or switch to RENOVATE_AUTODISCOVER=true with RENOVATE_AUTODISCOVER_FILTER=played/*.

The bot only keeps versions current together (it opens PRs). For hard parity — failing CI when any repo drifts — pair it with a syncpack check.