workflows/README.md
enricobuehler 11de357074 ci(renovate): silence github.com rate limit + skip internal workflow ref
Wire an optional read-only GITHUB_COM_TOKEN so Renovate can reach
api.github.com (changelogs + actions/checkout-style updates) without
rate limiting, and disable management of the internal Gitea reusable
workflow `played/workflows` (it's a @main ref, not a github.com action).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 01:32:01 +02:00


# played/workflows
Reusable Gitea Actions workflows for the played ecosystem.
## `build-deploy-game.yml`
Drives the standard four-stage `build-api-core → deploy-api-core → build-web → deploy-web` pipeline for a played game.
### Usage
Each game's `.gitea/workflows/deploy.yml`:
```yaml
name: Build & Deploy <Game>
run-name: ${{ gitea.actor }} is deploying <game-id>
on:
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  build-deploy:
    uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
    with:
      game-id: <game-id>
    secrets: inherit
```
### Required caller secrets
`secrets: inherit` makes all the calling repo's secrets available. The workflow reads:
| Secret | Purpose |
| ------ | ------- |
| `BUILD_ENV` | Full prod `.env` contents. Used as a Docker build secret (`secret-files: env=...`) AND written to `~/<game-id>-secrets/.env` on the deploy VM. |
| `NPMRC` | `~/.npmrc` content with `@played:registry=...` + auth tokens. |
| `REGISTRY_USER` / `REGISTRY_TOKEN` | Gitea container registry creds. |
| `PLAYED_HOST` / `PLAYED_USER` / `PLAYED_PORT` / `PLAYED_SSH_KEY` | Deploy target SSH. |
| `STEP_CA_PROVISIONER_PASSWORD` | For the `cert-init` container in `compose.production.yml`. |
### Assumptions
- The repo lives at `git.unom.io/played/<game-id>` (matches `${{ gitea.repository }}`).
- The VM working dir is `~/<game-id>` (the deploy step `cd`s there).
- Secrets dir is `~/<game-id>-secrets/`.
- `compose.production.yml` defines `api-core` and `web` services, both with `--env-file ~/<game-id>-secrets/.env`.
## `renovate.yml` + `renovate-config.json`
Self-hosted [Renovate](https://docs.renovatebot.com) that keeps dependencies aligned across the game repos. `renovate.yml` is a scheduled bot (Mondays 06:00 UTC, plus manual `workflow_dispatch`); `renovate-config.json` is the shared preset every repo extends, so a bump lands the same way everywhere. Updates are grouped (`@played/*` together; third-party non-major batched) to keep PR noise down.
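The shape such a preset takes, as an added illustration rather than the repo's actual `renovate-config.json`: the `@played/*` group, the third-party non-major batch, and the rule from the commit above that stops Renovate from touching the `played/workflows@main` reusable-workflow ref. The `config:recommended` base, the group names and the glob/negation syntax in `matchPackageNames` are assumptions (the latter needs a recent Renovate release).

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "description": "Internal packages are bumped together in one PR (assumed group name)",
      "matchPackageNames": ["@played/**"],
      "groupName": "played packages"
    },
    {
      "description": "Third-party minor/patch bumps are batched; majors stay as separate PRs",
      "matchPackageNames": ["!@played/**"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "third-party non-major"
    },
    {
      "description": "played/workflows is an internal Gitea @main ref, not a github.com action: leave it alone",
      "matchManagers": ["github-actions"],
      "matchPackageNames": ["played/workflows"],
      "enabled": false
    }
  ]
}
```

Target repos pick this up through `extends: ["local>played/workflows:renovate-config"]`, so a change to one rule here changes how every repo receives the next bump.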
### One-time setup
1. Create a Gitea PAT — a dedicated `renovate` bot user is cleanest — with scopes `read:user`, `write:repository`, `write:issue`. Add it as the `RENOVATE_TOKEN` Actions secret (org-level, or on this repo).
2. Make sure the existing `NPMRC` secret (registry + `@played` auth) is visible to this repo's Actions run (org-level recommended) — Renovate uses it to look up `@played/*` versions.
- *Optional but recommended:* add `RENOVATE_GITHUB_COM_TOKEN` — a **read-only** github.com PAT (no scopes). It stops `api.github.com` rate-limit warnings and enables changelogs + updates for the github.com actions in `deploy.yml` (`actions/checkout`, `appleboy/ssh-action`, …).
3. Push, then run the workflow once (**Run workflow**). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does `extends: ["local>played/workflows:renovate-config"]`; merge them to go live.
### Target repos
Listed in `renovate.yml` under `RENOVATE_REPOSITORIES` (the six games + `plaza`). Add the shared packages (`app-ui`, `games-registry`, `api-core`, …) to that list to manage them too, or switch to `RENOVATE_AUTODISCOVER=true` with `RENOVATE_AUTODISCOVER_FILTER=played/*`.
> The bot only keeps versions *current* together (it opens PRs). For hard parity — failing CI when any repo drifts — pair it with a [`syncpack`](https://github.com/JamieMason/syncpack) check.